3.sudo Process Isolation Limiting Hardware Access and Keeping Systems Current

The sudoers File

/etc/sudoers contains a lot of documentation in it about how to customize. Most Linux distributions now prefer you add a file in the directory etc/sudoers.d with a name the same as user.

this file contains the individual user’s sudo configuration, and one should leave the main configuration file untouched except for changeds that affect that affect all users.

sudo commands and any failures are logged in …

/var/log/auth.log /var/log/messages /var/log/secure

Process Isolation

Linux is considered to be more secure than many other operating systems because processes are naturally isolated from each other.
One process normally cannot access the resources of another process, even when that process is running with the same user privileges.
Linux thus makes it difficult (though certainly not impossible) for viruses and security exploits to access and attack random resources on a system.

More recent additional security mechanisms that limit risks even further include:

• Control Groups (cgroups)
  • Allows system administrators to group processes and associate finite resources to each cgroup.
• Containers
  • Makes it possible to run multiple isolated Linux systems (containers) on a single system by relying on cgroup.
• Virtualization
  • Hardware is emulated in such a way that not only can processes be isolated, but entire systems are run simultaneously as isolated and isulated guests(virtual machines) on one physical host.

Hardware Device Accesses

Linux limits user access to non-networking hardware devices in a manner that is extremely similar to regularfile access.
Applications interact by engaging the filesystem layer (which is independent of the actual device or hardware the file resides on). This layer will then open a device special file (often called a device node) under the /dev directory that corresponds to the device being accessed.
Each device special file has standard owner, group and world permission fields. Security is naturally enforced just as it when standard files are accessed.

Hard disks, for example, are represented as /dev/sd*. While a root user can read and write to the disk kin a raw fashion, for example, by doing something link:

# echo hello world > /dev/sda1

The standard permissions, as shown in the figure, make it impssible for regular users to do so. Writing to a device in this fashion can easily obliterate the filesystem stored on it in a waay that cannot be repared without great effort, if at all. The normal reading and writing of files on the ahrd disk by applications is done at a higher level through the filesystem and never thorough direct access to the device node.

keeping Current

when security problems in either the Linux kernel or applications and libraries are discovered, Linux distributions have a good record of reacting quickly and pushing out fixes to all systems by updating their software repositories and sending notifications to update immediately.