Merge branch 'master' into 'master'

Using sudo content updated

* Updated and modularized content about using sudo

Needs review from someone more familiar with repo directory structure.

See merge request !4

en-US/configure-sudo.adoc

@@ -1,75 +1,29 @@
-= Configuring Sudo
+= Configuring sudo
 
-'''
+include::{md}/concept-what-is-sudo.adoc[leveloffset=+1]
 
-[IMPORTANT]
-======
+= How to use sudo
 
-This page was automatically converted from https://fedoraproject.org/wiki/Configuring_Sudo
+include::{md}/concept-using-sudo-assign-admin-privileges.adoc[leveloffset=+1]
 
-It is probably
+include::{md}/procedure-using-same-password-for-root-as-user.adoc[leveloffset=+1]
 
-* Badly formatted
-* Missing graphics and tables that do not convert well from mediawiki
-* Out-of-date
-* In need of other love
+include::{md}/concept-logging-sudo-commands.adoc[leveloffset=+1]
 
-Please fix it, remove this notice, and then add to `_topic_map.yml`
+[[concept-warning-and-caveats]]
+= Warnings and caveats
+You must use the `user` account you created following the installation process, at first boot, for daily use and the `root` account only for system administration. Avoid using `root` for any non-administration usage, since the account makes it easy to create security or data risks.
 
-Pull requests accepted at https://pagure.io/fedora-docs/quick-docs
+There are several potential risks to keep in mind when using the [command]`sudo` command. You can avoid them by editing the [filename]`/etc/sudoers` configuration file using [command]`visudo` command.
 
-Once that is live, go to the original wiki page and add an `{{old}}`
-tag, followed by a note like
+include::{md}/concept-sudo-timeout.adoc[leveloffset=+1]
 
-....
-{{admon/note|This page has a new home!|
-This wiki page is no longer maintained. Please find the up-to-date
-version at: https://docs.fedoraproject.org/whatever-the-url
-}}
-....
+include::{md}/concept-using-sudo-access-docker.adoc[leveloffset=+1]
 
-======
+include::{md}/procedure-run-docker-using-sudo.adoc[leveloffset=+1]
 
-'''
+include::{md}/concept-using-sudo-without-password.adoc[leveloffset=+1]
 
 
-Fedora users should use a regular user account for regular day to day
-activities and a root account only for system administration. Use the
-personal account you created following the installation process, at
-first boot, for daily use. Use the root account only for administration
-of your system.
-
-To run as root use the or commands. Avoid using root for any
-non-administration usage, since the root account makes it easy to create
-security or data risks. If you frequently use a single user desktop, you
-may find it convenient to configure so you can use the same password to
-access root as you use for your regular account. To do this, select to
-be added to the Administration group during installation. To do it
-later, or to add a different user, follow this procedure:
-
-1.  Become the root user using the command. Enter the password for the
-root account when prompted.
-+
-....
-su -
-....
-2.  Run this command, using your user account name in the place of
-"sampleusername":
-+
-....
-usermod sampleusername -a -G wheel
-....
-+
-You must now log off and back on in order to have access to the wheel
-group. Note that when prompts you for a password, it expects your user
-password, not root's.
-
-[[reference]]
-Reference
-~~~~~~~~~
-
-http://fedorasolved.org/post-install-solutions/sudo
-'''
-
 See a typo, something missing or out of date, or anything else which can be
 improved? Edit this document at https://pagure.io/fedora-docs/quick-docs.

en-US/modules/concept-logging-sudo-commands.adoc

@@ -0,0 +1,20 @@
+[id="concept-logging-sudo-commands"]
+= Logging sudo commands
+
+Each successful authentication using the [command]`sudo` command is logged to the [filename]`/var/log/messages` file. For each authentication, the [filename]`/var/log/secure` file lists the user name and command run. 
+
+For additional logging, use the `pam_tty_audit` module to enable TTY auditing for specific users. TTY auditing prints the file name of the terminal connected to the standard I/O. To enable TTY auditing, add the following line to your [filename]`/etc/pam.d/system-auth` file:
+
+----
+session required pam_tty_audit.so disable=pattern enable=PATTERN
+----
+
+Replace _PATTERN_ with a comma-separated list of users (and globs, if needed).
+
+For example, the following command enables TTY auditing for the root user and disables it for all other users:
+
+----
+session required pam_tty_audit.so disable=* enable=root
+----
+
+Using the `pam_tty_audit` PAM module for auditing only records TTY input. As a result, when the audited user logs in, `pam_tty_audit` records the user’s exact keystrokes and saves them in [filename]`/var/log/audit/audit.log`. For more information, see the *pam_tty_audit(8)* manual page.

en-US/modules/concept-sudo-timeout.adoc

@@ -0,0 +1,13 @@
+[[concept-sudo-timeout]]
+= sudo timeout
+
+By default, [command]`sudo` stores the password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt you for a password. This could be exploited by an attacker if you leave your workstation unattended and unlocked while still being logged in. You can change this behavior by adding the following line to the `/etc/sudoers` configuration file: 
+
+------------
+Defaults    timestamp_timeout=VALUE
+------------
+Here, _VALUE_ is the desired timeout length in minutes. Setting the value to 0 causes [command]`sudo` to require a password every time. 
+
+If an account is compromised, an attacker can use [command]`sudo` to open a new shell with administrative privileges. 
+
+Opening a new shell as a root user in this way allows an attacker administrative access for a theoretically unlimited period of time and bypasses the timeout period specified in the `/etc/sudoers` file. Using this method, the attacker *does not* need to provide a password for [command]`sudo` again until the session ends.

en-US/modules/concept-using-sudo-access-docker.adoc

@@ -0,0 +1,8 @@
+[id="concept-using-sudo-access-docker"]
+= Using sudo to access Docker
+
+Docker has the ability to change the group ownership of the Docker socket to allow users added to the Docker group to be able to run Docker containers without having to execute the [command]`sudo` or [command]`su` command to become root.
+
+Enabling access to the Docker daemon from non-root users is a problem from a security perspective. It is a security issue for Fedora, because if a user can talk to the Docker socket they can execute a command which gives them full root access to the host system. Docker has no auditing or logging built in, while [command]`sudo` does.
+
+It is recommended that sudo rules are implemented to permit access to the Docker daemon. This allows [command]`sudo` to provide logging and audit functionality.

en-US/modules/concept-using-sudo-assign-admin-privileges.adoc

@@ -0,0 +1,24 @@
+[id="concept-using-sudo-assign-admin-privileges"]
+= Using sudo to assign administrator privileges
+
+Add users to the [directory]`/etc/sudoers` configuration file to allow them to use the [command]`sudo` command. For these users, the [command]`sudo` command is run in the user’s shell instead of in a root shell. As a result, the root shell can be disabled for increased security.
+
+The administrator can also allow different users access to specific commands using the sudo configuration. Administrators must use the [command]`visudo` command to edit the [directory]`/etc/sudoers` configuration file. 
+
+To assign full administrative privileges to a user, type [command]`visudo` and add the following line to the user privilege section after replacing _USERNAME_ with the target user name:
+
+----
+USERNAME ALL=(ALL) ALL
+----
+
+This line allows the specified user to use [command]`sudo` from any host and execute any command.
+
+To allow a user access to specific commands, use the following example after replacing USERS with a target system group:
+
+----
+%USERS localhost=/usr/sbin/shutdown -h now
+----
+
+This command allows all members of the _USERS_ system group to issue the [command]`/sbin/shutdown -h` as long as the command is issued from the console.
+
+The man page for [command]`sudoers` has a detailed listing of options for this file.

en-US/modules/concept-using-sudo-without-password.adoc

@@ -0,0 +1,12 @@
+[[concept-using-sudo-without-password]]
+= Using sudo without a password
+
+You can enable `root` access without a password specified, allowing any process on your system to become `root`. Add the following line to your `/etc/sudoers` file:
+
+------------
+_user_        ALL=(ALL)       NOPASSWD: /usr/bin/docker
+------------
+
+This will allow _user_ to access docker without a password. 
+
+IMPORTANT: For security reasons, it is recommended that you always use *sudo* with a password. 

en-US/modules/concept-what-is-sudo.adoc

@@ -0,0 +1,11 @@
+[id=”concept-what-is-sudo”]
+= What is `sudo`
+
+The [command]`sudo` command allows users to gain administrative or root access. When trusted users precede an administrative command with [command]`sudo`, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.	 
+Only users listed in the [filename]`/etc/sudoers` configuration file are allowed to use the [command]`sudo` command. The command is executed in the user's shell, not a root shell.
+
+The syntax for the sudo command is as follows:
+----
+sudo COMMAND
+----
+Replace _COMMAND_ with the command to run as the root user.

en-US/modules/procedure-run-docker-using-sudo.adoc

@@ -0,0 +1,9 @@
+[[procedure-run-docker-using-sudo]]
+= Run Docker using [command]`sudo`
+
+. Set up [command]`sudo` as shown in *Using sudo to give/limit admin privileges*
+. Create an alias for running the docker command:
+----
+alias docker="sudo /usr/bin/docker"
+----
+When the user executes the docker command as non-root, sudo will be used to manage access and provide logging.

en-US/modules/procedure-using-same-password-for-root-as-user.adoc

@@ -0,0 +1,24 @@
+[id=”procedure-using-same-password-for-root-as-user”]
+= Using the same password for root as the user account
+
+If you use a single user desktop, you might find it convenient to configure [command]`sudo` so you can use the same password to access `root` as you use for your regular account. To do this, select to be added to the Administration group during installation. To do it at later stage, or to add a different user, use the following procedure:
+
+. Become the `root` user:
++
+----
+$ su -
+----
++
+. Enter the password for the root account when prompted.
+
+. To use your regular password for the root access, run:
++
+----
+# usermod USERNAME -a -G groupname
+----
++
+Replace _USERNAME_ with your account name
+
+. Log off and back on in order to have access to the group. 
+
+NOTE: When [command]`sudo` prompts you for a password, it expects your user password, not the `root` password.