Template:Sudo-Policy
From The Linux Source
- Users must NOT be put into 'wheel' group.
- Passwordless root access is not permitted. The SYSADMINS section (at the bottom of the sudo configuration file) is for temporary grants of access and should not be used to grant access for more than a few hours (in very rare cases, a few days).
- Individual or application accounts administering or working in a particular environment must perform their work without full root access (or equivalent). The commands they need on a regular basis should be allowed in the sudoers file; new commands require approval and review by the Head of Security Team.
- Sudo access for application accounts is granted to individual user accounts, and must not be granted to application or group accounts.
- Application accounts should have a pre-created systemd startup config or an init script (either one owned by root), and the application user should have sudo permissions appropriate for starting the application.
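The following sudoers drop-in is an added illustration of the last three points; it is not part of this policy page, and the account, group and unit names in it (alice, appsvc, myapp.service) are constructed placeholders. It grants the application account only the commands needed to control its own root-owned unit, and gives a named administrator a short, explicit allowlist instead of full root.

```sudoers
# Added example, not part of the policy page. Intended for /etc/sudoers.d/myapp
# (mode 0440, owner root). All names below are placeholders.

# Keep the allowed command set in an alias so reviewers see every command in
# one place. Arguments are fixed: no wildcards, so no extra flags can be added.
Cmnd_Alias MYAPP_CTL = /usr/bin/systemctl start myapp.service, \
                       /usr/bin/systemctl stop myapp.service, \
                       /usr/bin/systemctl restart myapp.service

# Application account: may only start/stop/restart its own unit as root.
# The unit file (/etc/systemd/system/myapp.service) must be owned by root and
# not writable by appsvc, otherwise "start" would run whatever appsvc puts in
# ExecStart. No shell, editor, or generic systemctl is granted here.
# NOPASSWD is limited to this fixed command list (the account has no password);
# it does not grant a root shell.
appsvc ALL = (root) NOPASSWD: MYAPP_CTL

# Named administrator for this environment: regular-duty commands only,
# password required, with a pty so the session can be logged and replayed.
Defaults:alice use_pty, log_output
alice  ALL = (root) MYAPP_CTL, /usr/bin/systemctl daemon-reload
```

Check the file with `visudo -cf /etc/sudoers.d/myapp` before it is installed; a syntax error in a drop-in can lock everyone out of sudo. Commands that open a pager (for example `systemctl status` or `journalctl`) are deliberately left out: the pager allows a shell escape, and neither command needs root anyway.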
Note: Sudo will be integrated with LDAP; once integrated, any change will require approval by the Head of Security Team.