This post outlines steps to tighten system security by preventing users with sudo access from gaining superuser privilege by the command:
$ sudo su
The sudo command allows a system administrator to enable a user, or a group of users, to run specific command-line tools with different privileges (such as superuser “root” privilege) knowing only the original user password.
As the sudo command is run, it attempts to find a matching command in its configuration files /etc/sudoers or /etc/sudoers.d/; if a match is found the user is granted privilege to run the command, if not the event is logged and the command is rejected.
The sudo command works by matching the arguments from the command line against each entry in the /etc/sudoers or /etc/sudoers.d/ files. The first match found determines the outcome. Each rule is tested in their order in the /etc/sudoers file. The rule is matched against the beginning of the command. If the rule is shorter than the command, only the matching portion at the beginning of the command is checked; any remainder of the command is not checked. The order of /etc/sudoers rules matters; always put the longer rules before a shorter version.
1. Login as root account into the server.
2. Backup the /etc/sudoers config file.
# cp -p /etc/sudoers /etc/sudoers.ORIG
3. Edit the /etc/sudoers config file.
# visudo -f /etc/sudoers
##Allow orarom user to run any command (enabled for patching from oracle platnum support) orarom ALL=(ALL) ALL
##Limit the orarom user to run any command (enabled for patching from oracle platnum support), except for sudo su to root orarom ALL = ALL, !/bin/su
4. Then save the file.
5. Please do the same to other user account in sudo.
Lets verify if we have disabled the sudo access to user.
$ sudo su - [sudo] password for orarom: Sorry, user orarom is not allowed to execute '/bin/su -' as root on testvm01.