Sudo allows a user to delegate privileges to run commands as root or as another user. This drastically increases risk, because the root user can do anything to the system, including making changes to the operating system that cause it to malfunction. It is a security best practice to disable sudo if you are not using it, and several security standards and frameworks recommend doing so.
Discover Sudo Usage
When running in audit mode, Harden-Runner monitors root usage and makes these findings available on the insights page. Before you consider disabling sudo, make sure that it's not being used by your GitHub Actions workflow.
Usually, GitHub Actions workflows don't use sudo. If Harden-Runner doesn't observe any sudo calls, you would see the Disable sudo option enabled on the insights page. You would also see a recommendation to set disable-sudo to true.
If your workflow is using sudo, the Disable sudo option will be disabled on the insights page. You would also observe that the recommended policy block doesn't show
Disable Sudo In Workflow
After confirming that your workflow is not using sudo, you can disable sudo by setting the disable-sudo property of the Harden-Runner action to true in your workflow file.
Here is a sample PR that updates a Harden-Runner config to disable sudo.
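The kind of change such a PR makes, shown as an added example that is not from the Harden-Runner docs or the sample PR: the same job first in audit mode (so the insights page can record any sudo usage), then with disable-sudo set to true. The workflow name, the build script and the version tags are assumptions.

```yaml
# Added example, not from the Harden-Runner docs. Version tags are an
# assumption; in production, pin actions to a full commit SHA.
name: build
on: [push, pull_request]

permissions:
  contents: read

jobs:
  # Before: audit mode. Harden-Runner observes root/sudo usage and reports
  # it on the insights page, but does not block anything yet.
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      # Hypothetical build script; it must not call sudo for the
      # hardened variant below to be viable.
      - run: ./build.sh

  # After: once the insights page shows no sudo calls and recommends
  # disable-sudo, the same job with sudo disabled. A sudo call in this
  # job now fails instead of running as root.
  hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
        with:
          disable-sudo: true
          egress-policy: audit
      - uses: actions/checkout@v4
      - run: ./build.sh
```

In practice the `audit` job is replaced by `hardened`, not kept alongside it; both appear here only to show the one-line difference.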