In an attempt to secure my production environment, I've recently introduced more secure sudo access. Up until recently, all users could use sudo without restriction, including shell access. I changed this to an approved list of commands that can be run with sudo, with the sole intention of preventing shell access. This is proving unmanageable, as I'm having to add commands to the list on a daily basis.
I would prefer to have an exclusion list, primarily to prevent root shell access through sudo. I would like to allow all other commands to be allowed. Does anyone have any experience with this type of setup? Is it even possible?
edit: You've all been tremendously helpful. To be honest I feel like an idiot. My new goal is to strive to remove a need for sudo at all. Thanks!
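As an added example, not part of the original post or any reply: a small audit script that writes a constructed sudoers fragment showing the two layouts under discussion (an allowlist of commands, and an exclusion list built with the `!` operator) and then flags the rules that either grant an unrestricted root `ALL` or rely on `!` negation, which sudoers(5) documents as not a reliable way to restrict commands. The group names, aliases and command paths are made up for the sample; the `write_sample_sudoers`, `audit_sudoers` and `count_findings` functions are hypothetical helpers written for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Builds a CONSTRUCTED sudoers
# fragment and audits it for two patterns a reviewer would want to see:
#   DENYLIST - a rule that subtracts commands from ALL with "!"
#              (sudoers(5) documents this as not a reliable restriction)
#   ROOT_ALL - a rule that grants ALL commands with nothing excluded
set -eu

# Constructed sample sudoers content. Groups, aliases and paths are made up.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# --- allowlist style: only the listed commands run as root ---
Cmnd_Alias SERVICES = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
Cmnd_Alias LOGS     = /usr/bin/journalctl
%ops    ALL = (root) SERVICES, LOGS

# --- exclusion-list style: everything except shells (what the poster asked for) ---
Cmnd_Alias SHELLS   = /bin/sh, /bin/bash, /usr/bin/zsh, /bin/su
%devs   ALL = (root) ALL, !SHELLS

# --- unrestricted: the original state the poster moved away from ---
%legacy ALL = (ALL) ALL
EOF
}

# Print one finding per line as "<rule><TAB><tag>".
audit_sudoers() {
    # Drop comments and blank lines, then keep only user specifications
    # (alias and Defaults definitions are not grants and are skipped).
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
    | grep -Ev '^[[:space:]]*(Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias|Defaults)' \
    | while IFS= read -r line; do
        # Any "!" in a user specification means the rule is a denylist.
        case "$line" in
            *'!'*) printf '%s\tDENYLIST\n' "$line" ;;
        esac
        # "= ALL" or "= (runas) ALL" with nothing after it is an unrestricted grant.
        if printf '%s' "$line" | grep -Eq '=[[:space:]]*(\([^)]*\)[[:space:]]*)?ALL[[:space:]]*$'; then
            printf '%s\tROOT_ALL\n' "$line"
        fi
    done
}

# Count findings carrying a given tag: count_findings FILE TAG
count_findings() {
    audit_sudoers "$1" | awk -F'\t' -v tag="$2" '$2 == tag { n++ } END { print n + 0 }'
}

main() {
    sample=$(mktemp)
    write_sample_sudoers "$sample"
    echo "Findings (rule<TAB>tag):"
    audit_sudoers "$sample"
    rm -f "$sample"
}

main "$@"
```

Run against the constructed sample, the audit reports the `%devs` rule as DENYLIST and the `%legacy` rule as ROOT_ALL, while the `%ops` allowlist rule is clean; the same two greps can be pointed at a real `/etc/sudoers` or a file under `/etc/sudoers.d/` to find rules worth reviewing.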