Sudo Setup and Configuration Instructions

Configuring sudo lets a non-root user run Tufin commands with root privileges. This lets you keep the root password secret and audit TufinOS commands.

Important Security Warning: Each user that is configured in sudo can run any command with root privileges.

We recommend that you configure users to run Tufin commands only.

sudo commands require the user's own password. If a root-related command is executed, you will be prompted for the root password.

Preparation

  1. Log in as the root user to a machine with TOS installed.

  2. Add the RADIUS users (without passwords) that will use sudo:

    The username MUST NOT contain the strings: 'tufin', 'st', 'tomcat', 'jboss'

  3. To give the users sudo rights, run this command with the names of the users:

    # SUDO_USERS=(bob bruce jack john)
    # for user in "${SUDO_USERS[@]}" ; do useradd "${user}" ; echo "User '${user}':" ; id "${user}" ; done

  4. Extract the archive file sudo_tufin.tgz, located in:

    /opt/tufin/share/docs/examples/sudo_configuration/:

    # cd /opt/tufin/share/docs/examples/sudo_configuration/
    # tar xvzf sudo_tufin.tgz --directory /etc/sudoers.d/

  5. Check the correctness of sudo syntax:

    # visudo -c

    You should get "parsed OK" for each sudoers file.

Usage

  1. Pre-configured users:

    • 'bob', 'bruce' are in one group (file: /etc/sudoers.d/tufin_commands ; group: LIMITED_FOR_TUFIN_CMD) that may only run Tufin-defined commands as the root user.
    • 'jack', 'john' are in one group (file: /etc/sudoers.d/all_commands ; group: USERS_FOR_ALL_CMD) that may run all commands as the root user.

  2. Two methods to log in:

    • (Preferred method) Log in as one of the users in a different terminal (the user's shell should be the parent shell of all subshells) and run commands with sudo.
    • (Alternative method) If you are logged in as root, you can log in as any user from the same terminal with the following command:

      # su - user

  3. Using the sudo command:

    sudo <command> [command parameter]

  4. To track a user who runs sudo commands, log in as root in another terminal and run:

    # tail -f /var/log/secure

    The output is shown in this format:

    Feb 3 14:07:19 ha-test1 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/st stat
    Feb 3 14:07:28 ha-test1 sudo: bob : command not allowed ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/fdisk -l
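    The entries above are exactly what an auditor wants to watch: a refused command ("command not allowed") from a user in the LIMITED_FOR_TUFIN_CMD group means someone tried to step outside the Tufin-defined command set. The following POSIX shell functions, added here as an example and not part of the Tufin documentation, summarise such /var/log/secure lines; the sample log is constructed, and the host name and user names are placeholders.

```shell
#!/bin/sh
# Added example: summarise sudo entries in the /var/log/secure format
# shown above. Assumes the "sudo: <user> : ..." layout; lines for users
# who are not in sudoers at all use a different wording and are not counted.

# Constructed sample log (placeholder host and users).
SAMPLE_LOG='Feb 3 14:07:19 ha-test1 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/st stat
Feb 3 14:07:28 ha-test1 sudo: bob : command not allowed ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/fdisk -l
Feb 3 14:09:02 ha-test1 sudo: jack : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/sbin/fdisk -l
Feb 3 14:10:40 ha-test1 sudo: bruce : command not allowed ; TTY=pts/2 ; PWD=/home/bruce ; USER=root ; COMMAND=/bin/bash'

# sudo_denied: read log lines on stdin, print "user<TAB>command" for
# every sudo attempt that sudoers refused.
sudo_denied() {
    awk '/ sudo: / && / command not allowed ; / {
        for (i = 1; i < NF; i++) if ($i == "sudo:") { user = $(i + 1); break }
        line = $0
        sub(/.*COMMAND=/, "", line)      # keep only the attempted command
        print user "\t" line
    }'
}

# sudo_denied_users: unique, sorted list of users with at least one refusal.
sudo_denied_users() {
    sudo_denied | cut -f1 | sort -u
}

# sudo_summary: one line per user, "user allowed denied", sorted by user.
sudo_summary() {
    awk '/ sudo: / {
        for (i = 1; i < NF; i++) if ($i == "sudo:") { user = $(i + 1); break }
        if ($0 ~ / command not allowed ; /) denied[user]++; else allowed[user]++
        seen[user] = 1
    }
    END { for (u in seen) print u, allowed[u] + 0, denied[u] + 0 }' | sort
}

# Stand-alone run: report on the constructed sample. On a live system use
#   tail -f /var/log/secure | sudo_denied
printf '%s\n' "$SAMPLE_LOG" | sudo_summary
printf '%s\n' "$SAMPLE_LOG" | sudo_denied
```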

Configuring sudo

Always edit sudoers files with the 'visudo' editor to prevent mistakes in sudo syntax.

  1. Configuring all commands (Note: this is already pre-configured for the users 'jack', 'john'):

    1. To add an existing Linux user to sudo, add the new user to the /etc/sudoers.d/all_commands file:

      # visudo -f /etc/sudoers.d/all_commands
      User_Alias USERS_FOR_ALL_CMD = jack, john, new_user

    2. Allow the user to run all commands as the root user:

      # visudo -f /etc/sudoers.d/all_commands
      USERS_FOR_ALL_CMD ALL=(ALL) NOPASSWD: ALL

  2. Configuring Tufin-defined commands only (Note: this is already pre-configured for the users 'bob', 'bruce'):

    1. To add an existing Linux user to sudo, add the new user to the /etc/sudoers.d/tufin_commands file:

      # visudo -f /etc/sudoers.d/tufin_commands
      User_Alias LIMITED_FOR_TUFIN_CMD = bob, bruce, new_user

    2. Add the specific commands the users may run as the root user (the pre-configured example allows the tos, tss, hactl, st and scw commands):

      # visudo -f /etc/sudoers.d/tufin_commands
      Cmnd_Alias TUFIN_CMD = /usr/sbin/t?s [[\:alpha\:]-]*, /usr/sbin/hactl [[\:alpha\:]-]*, /usr/sbin/st [[\:alpha\:]-]*, /usr/sbin/scw [[\:alpha\:]-]*, \
      /bin/sh /opt/tufin/securitysuite/scripts/set_disclaimer.sh --* *, \
      /bin/sh /opt/tufin/securitysuite/scripts/manage_ldap_vendor_configuration.sh --* *, \
      /usr/sbin/st_add_user
      LIMITED_FOR_TUFIN_CMD ALL=(root:root) NOPASSWD: TUFIN_CMD

      You can customize the examples in these pre-configured sudo files:

      /etc/sudoers.d/all_commands

      /etc/sudoers.d/tufin_commands