Objective 7.2 - Delegate Administrative Privileges

Written by Matthijs van den Berg

Tuesday, 07 April 2009 14:58
KNOWLEDGE
- Explain how to restrict access to administrative functions
The VMware best practice is to create only normal (unprivileged) user accounts and to use sudo for each command that needs to be executed with root privileges. You can limit which users may use sudo, limit the commands that can be executed through sudo, and limit the hosts on which a sudoers entry applies (the host field in sudoers matches the machine sudo is run on, not the workstation the administrator connects from). See below for the technical implementation.
- Describe the process to restrict access to specific administrative commands
To restrict access to specific commands, define in the sudoers file which commands may be executed by whom. Edit that file with the visudo command, which locks it and checks the syntax before saving.
- Understand how attempts to use administrative functions can be logged
Again via sudo. Every command executed via sudo is logged in /var/log/secure with a timestamp and the invoking username, and refused attempts are logged the same way. Please note that commands executed after switching to root with su are NOT logged: su only records that a root session was opened, not what was done in it.
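To see what the audit trail from the two mechanisms actually looks like, here is an added example (it is not part of the original page): a small shell/awk script that pulls the sudo runs, the sudo refusals and the su sessions out of a /var/log/secure-style file. The log lines are constructed samples in the syslog layout sudo and pam_unix use on RHEL-based systems such as the ESX service console; the host name esx01, the users matthijs and bob and the commands are made up. The su prefix differs between releases ("su(pam_unix)[pid]:" on older systems, "su[pid]: pam_unix(su:session):" on newer ones), so compare the patterns with a real log before relying on them.

```shell
#!/bin/sh
# Added example, not from the original page: extract the administrative audit
# trail from a /var/log/secure-style file. sudo logs every run and every refusal
# with the invoking user and the full command line; su only leaves a PAM
# "session opened" line, so nothing the user then does as root is recorded.
# All log lines below are constructed samples (host, users and commands made up).

SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr  7 14:58:01 esx01 sudo: matthijs : TTY=pts/0 ; PWD=/home/matthijs ; USER=root ; COMMAND=/sbin/shutdown -r now
Apr  7 14:59:12 esx01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Apr  7 15:01:02 esx01 su(pam_unix)[4711]: session opened for user root by matthijs(uid=500)
Apr  7 15:03:40 esx01 sudo: matthijs : command not allowed ; TTY=pts/0 ; PWD=/home/matthijs ; USER=root ; COMMAND=/bin/bash
Apr  7 15:05:00 esx01 sshd[4720]: Accepted password for bob from 10.0.0.5 port 51022 ssh2
Apr  7 15:06:30 esx01 su[4725]: pam_unix(su:session): session opened for user operator by matthijs(uid=500)
EOF

# Print one tab-separated record per administrative event:
#   ALLOWED <user> <command>   sudo ran the command
#   DENIED  <user> <command>   sudo refused it (not in sudoers / command not allowed)
#   SU      <user> <target>    su session; the commands run inside it are NOT logged
audit_admin_log() {          # $1 = log file
    awk -F' ; ' '
        / sudo: / {
            user = $1; sub(/.* sudo: */, "", user); sub(/ : .*/, "", user)
            cmd = $NF; sub(/^COMMAND=/, "", cmd)
            tag = ($1 ~ /NOT in sudoers|command not allowed/) ? "DENIED" : "ALLOWED"
            print tag "\t" user "\t" cmd
            next
        }
        / su[^ ]*: .*session opened for user / {
            target = $0; sub(/.*session opened for user /, "", target); sub(/ by .*/, "", target)
            by = $0; sub(/.* by /, "", by); sub(/\(.*/, "", by)
            print "SU\t" by "\t" target
        }' "$1"
}

# Number of records of one type (ALLOWED, DENIED or SU) in the audit output.
count_events() {             # $1 = log file, $2 = record type
    audit_admin_log "$1" | awk -v want="$2" 'BEGIN { FS = "\t" } $1 == want { n++ } END { print n + 0 }'
}

audit_admin_log "$SAMPLE_LOG"
```

Run it against the real file with `audit_admin_log /var/log/secure`; the DENIED records are the ones worth alerting on, and every SU record is a blind spot in the trail, which is why the page recommends sudo.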
SKILLS AND ABILITIES
- Switch from a standard user account to root
There are two ways to execute administrative functions from the CLI.
- sudo
sudo executes one command with root privileges. You need to type your own password (not root's, unless sudoers is configured otherwise) and you must be allowed to sudo: your username, or a group you belong to, must be listed in the sudoers file (edited with visudo). sudo leaves an audit trail, where su does not! Every command executed with sudo is logged in /var/log/secure with username and timestamp. It is a VMware best practice to use sudo! An example:
sudo shutdown -r now
- su
su opens a new session as root; you only need to enter the root password, and everything you type in that session runs as root without being logged.
Enable the use of the wheel group
The wheel group restriction is disabled by default. When enabled, it limits the users that are allowed to use the su command to members of the wheel group; by default every user who knows the root password can execute su. To enable it, uncomment the pam_wheel line in the file:
/etc/pam.d/su
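The exact line to uncomment is the pam_wheel.so "required" entry; the stock file also carries a commented "trust" entry that would let wheel members su without a password, which you do not want. The following shell script is an added example (not from the original page) that performs the edit on a constructed copy of a stock /etc/pam.d/su and verifies the result; the copy is laid out like a current RHEL file, and the pattern also accepts the full module path that the older ESX service console uses. Pass the real path when running it as root on the host; GNU sed is assumed for `sed -i`.

```shell
#!/bin/sh
# Added example, not from the original page: enable the wheel restriction for su.
# On RHEL-based systems /etc/pam.d/su ships with the pam_wheel "required" line
# commented out; uncommenting it makes su refuse everyone outside the wheel group.
# The sample file below is a constructed copy of the shipped configuration.

# Uncomment "#auth required pam_wheel.so use_uid". Spacing and an optional module
# path (/lib/security/$ISA/pam_wheel.so on older releases) are tolerated; the
# "sufficient ... trust" line is deliberately left alone.
enable_pam_wheel() {         # $1 = path to the PAM configuration for su
    sed -i 's/^#[[:space:]]*\(auth[[:space:]]\{1,\}required[[:space:]]\{1,\}[^[:space:]]*pam_wheel\.so[[:space:]]\{1,\}use_uid\)/\1/' "$1"
}

# Returns 0 when su is restricted to wheel in the given configuration, 1 otherwise.
wheel_restriction_active() { # $1 = path to the PAM configuration for su
    grep -q '^auth[[:space:]]\{1,\}required[[:space:]]\{1,\}[^[:space:]]*pam_wheel\.so' "$1"
}

# Constructed sample of a stock /etc/pam.d/su.
SAMPLE_PAM_SU="${TMPDIR:-/tmp}/pam_su.sample.$$"
trap 'rm -f "$SAMPLE_PAM_SU"' EXIT
cat > "$SAMPLE_PAM_SU" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so
EOF

wheel_restriction_active "$SAMPLE_PAM_SU" && echo "before: su already restricted"
enable_pam_wheel "$SAMPLE_PAM_SU"
wheel_restriction_active "$SAMPLE_PAM_SU" && echo "after: su limited to the wheel group"

# On the real host (as root) the administrators then need wheel membership,
# otherwise they lock themselves out of su; gpasswd appends to the user's groups:
#   gpasswd -a matthijs wheel
```

Keep at least one working console session open while making this change, and test su from a second session before logging out.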
Configure sudo
You configure who is allowed to use sudo with the command visudo. It opens the sudoers file with an exclusive lock in the vi text editor and checks the syntax before saving, so a typo cannot lock everyone out of sudo. You can add users and groups that are allowed to use sudo, and you can restrict each entry to particular hosts and commands. Each line is built up like:
<username or %groupname> <host or network> = (<run-as user>) <commands allowed>
- Users/Groups
To allow a specific user to run any command, as any user, on any host:
root ALL=(ALL) ALL
To allow all users in a group to run any command, as any user, on any host:
%wheel ALL=(ALL) ALL
Hosts
The host field matches the machine on which sudo is run (so one sudoers file can be shared between many hosts), not the workstation the administrator logs in from. To give the wheel group full sudo rights only on hosts whose address lies in the 128.138.x.x network, use:
%wheel 128.138.0.0/255.255.0.0 = ALL
Commands
To allow only specific commands, list those commands with their full path. A command listed without arguments may be run with any arguments; listing it with arguments restricts it to exactly those. To allow the user matthijs only to su to operator, on any host, use:
matthijs ALL = /usr/bin/su operator
Aliases
If you need to give many users the same rights, or the same set of commands to multiple users or groups, you can use aliases. Below are a couple of examples from the man page ("man sudoers"):
User_Alias FULLTIMERS = millert, mikef, dowdy
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
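Putting the pieces above together, here is an added example (not from the original page) of a complete sudoers fragment that uses user, host and command aliases, a group entry with a host restriction, and a single-command entry, written to a scratch file and checked with `visudo -c -f`. The alias names ESXADMINS, ESXHOSTS and POWER, the hosts esx01/esx02 and the users are made up for the example; the PRINTING alias and the su rule are the ones from the page. On the real host you would type the same content into visudo, which refuses to save a fragment with a syntax error.

```shell
#!/bin/sh
# Added example, not from the original page: a complete sudoers fragment built
# from aliases, a host-restricted group rule and a single-command rule, plus a
# syntax check with visudo. Alias names, host names and users are made up.

SUDOERS_SAMPLE="${TMPDIR:-/tmp}/sudoers.sample.$$"
trap 'rm -f "$SUDOERS_SAMPLE"' EXIT

write_sudoers_sample() {     # $1 = output path
    cat > "$1" <<'EOF'
# Aliases keep the rules readable when several people share the same rights.
User_Alias  ESXADMINS = matthijs, bob
Host_Alias  ESXHOSTS  = esx01, esx02, 128.138.0.0/255.255.0.0
# A command listed with arguments is allowed with exactly those arguments;
# /sbin/reboot without arguments is allowed with any.
Cmnd_Alias  POWER     = /sbin/shutdown -r now, /sbin/reboot
Cmnd_Alias  PRINTING  = /usr/sbin/lpc, /usr/bin/lprm

# root keeps everything, everywhere.
root        ALL = (ALL) ALL

# wheel members get full sudo, but only on the hosts in ESXHOSTS (the host
# field is the machine sudo runs on, not the administrator's workstation).
%wheel      ESXHOSTS = (ALL) ALL

# The ESX admins may run only the power and printing commands, as root, on the ESX hosts.
ESXADMINS   ESXHOSTS = (root) POWER, PRINTING

# matthijs may additionally switch to the operator account, on any host.
matthijs    ALL = /usr/bin/su operator
EOF
}

# 0 when the fragment parses, 1 on a syntax error, 2 when visudo is not
# installed on this machine (nothing can be verified without it).
check_sudoers() {            # $1 = file to check
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -f "$1" >/dev/null
}

# Print the rules whose first column is the given user, %group or alias name
# (alias definitions are skipped), to review what a principal was granted.
rules_for() {                # $1 = sudoers file, $2 = user, %group or alias
    awk -v who="$2" '$1 == who && $1 !~ /_Alias$/ && /=/' "$1"
}

write_sudoers_sample "$SUDOERS_SAMPLE"
rc=0; check_sudoers "$SUDOERS_SAMPLE" || rc=$?
case $rc in
    0) echo "sudoers fragment parsed OK" ;;
    2) echo "visudo not installed here; run: visudo -c -f $SUDOERS_SAMPLE on the target host" ;;
    *) echo "syntax error in $SUDOERS_SAMPLE" ;;
esac
echo "rules granted to matthijs:"; rules_for "$SUDOERS_SAMPLE" matthijs
```

Note that bob, who only appears inside the ESXADMINS alias, has no rule of his own: `rules_for` shows what is written per principal, while the effective rights of a user are the union of every rule that names him directly, through a %group, or through an alias, which is what `sudo -l` reports on the host itself.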
See "man sudoers" and "man visudo" for more information and examples.
TOOLS