You will provision server accounts with role-based groups, scoped sudo rules, password aging, and lockout on failed logins. By the end, access is least-privilege and every privileged action is auditable.

Learning Objectives

  • Create role groups and assign users to them.
  • Write a least-privilege sudoers drop-in safely.
  • Apply password aging and account lockout.
  • Time: ~2 hours · Difficulty: Intermediate · Prereqs: a server with root/sudo.

Architecture Overview

Environment Setup

You will need: shadow-utils, sudo, and PAM faillock (default on Ubuntu/RHEL).

Before you begin: keep a second root session open while editing sudoers.

Step-by-Step Execution

01
Create a role group and user

Groups let you grant access by role rather than per user, which scales cleanly.

sudo groupadd ops && sudo useradd -m -s /bin/bash -G ops deploy && sudo passwd deploy
[ROOT REQUIRED] Creates the ops group and a member user.
02
Grant a scoped sudo rule with visudo

Editing through visudo validates syntax so a typo cannot lock everyone out of sudo.

echo '%ops ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/journalctl' | sudo EDITOR='tee' visudo -f /etc/sudoers.d/ops
03
Apply password aging and lockout
# chage -M 90 -W 7 deploy && faillock --user deploy
deploy: When Type Source Valid (no failed logins)

Progress So Far

Testing & Validation

sudo -l -U deploy && chage -l deploy

You should see only the two allowed sudo commands and the 90-day aging policy. If so, least-privilege access is enforced.

Troubleshooting
  • Broken sudoers locks out sudo: use the open root session and run visudo -c to find the error.
  • Group change not effective: the user must log out and back in.
  • Account locked: reset with faillock --user deploy --reset.

Extension Ideas

  • Centralize accounts with LDAP or FreeIPA for many servers.
  • Pair with SSH Hardening for key-only access.
  • Ship sudo logs to your SIEM from Log Management.

Key Results

  • Granted access by role group rather than per-user edits.
  • Limited sudo to 2 explicit commands, fully audited.
  • Enforced 90-day password aging with lockout on failures.
  • Confirmed effective privileges with sudo -l.