Securing sudoers with deny commands

[bester69]

Would be enought/possible more or less to use deny commands to secure sudoers user with ALL permission but critical commands?

Im thinking of:
- chattr +i /etc/sudoers
- chattr +i /etc/resolv.conf (securing DNS's)

and, a sudoers files such as .:

#Defaults rootpw
root ALL=(ALL:ALL) ALL
user ALL=(ALL:ALL) ALL

user ALL=(ALL:ALL) NOPASSWD: ! /bin/su
user ALL=(ALL:ALL) NOPASSWD: ! /usr/bin/chattr
user ALL=(ALL:ALL) NOPASSWD: ! /usr/bin/mv
user ALL=(ALL:ALL) NOPASSWD: ! /usr/bin/passwd

----

I just want sudoers users cant take control of root user and at the same time be able to do most root tasks ,
what do you think , is it possible? ..just need to keep resolv.conf and sudoers file locked for sudoers users

[dilberts_left_nut]

Arse about face.
Use it like intended and allow only what is required.

[Head_on_a_Stick]

doas ftw!

[CwF]

You could just remove sudo. I have.

[LE_746F6D617A7A69]

I just want sudoers users cant take control of root user

That's an illusion of safety, as most of attacks are *not* based on sudo -> so "securing" sudoers file doesn't have much sense.

It was already discussed, but FYI:
1. Closed source software is a primary vector of almost all attacks (99%)
2. Tightly tied to the above: using Flatpak/Appimage/Snap/etc. allows to replace important system libraries, what in turn allows to bypass almost all of the security barriers (like f.e.replacing the libc.so).

You have to choose between security and "convenience" - it's Your decision.

[bester69]

Thanks all for answering...
.