
Disable Sudo

Sudo allows a user to run commands as root or as another user. This drastically increases risk, because the root user can do anything to the system, including making changes to the operating system that cause it to malfunction. It is a security best practice to disable sudo if you are not using it, and several security standards and frameworks recommend doing so.

Discover Sudo Usage

When running in audit mode, Harden-Runner monitors root usage and makes these findings available on the insights page. Before you consider disabling sudo, make sure that it's not being used by your GitHub Actions workflow.

Usually, GitHub Actions workflows don't use sudo. If Harden-Runner doesn't observe any sudo calls, you will see the Disable sudo option enabled on the insights page, along with a recommendation to set disable-sudo to true.

[Screenshot: Sudo Enabled]

If your workflow is using sudo, the Disable sudo option will be disabled on the insights page, and the recommended policy block will not include the disable-sudo property.

[Screenshot: Sudo Disabled]

Disable Sudo In Workflow

After confirming that your workflow is not using sudo, you can disable sudo by setting the disable-sudo property of the Harden-Runner action to true in your workflow file.

[Screenshot: Sudo Workflow Config Disabled]
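A minimal workflow with sudo disabled, as an added example (not taken from the page or from the Harden-Runner project). It assumes an ubuntu-latest runner and an npm-based project; egress-policy is left at audit so the sample runs unchanged.

```yaml
name: build
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Harden-Runner must be the first step of the job so that its policy
      # (including the sudo restriction) applies to every step that follows.
      - name: Harden Runner
        uses: step-security/harden-runner@v2   # pin to a full commit SHA in practice
        with:
          disable-sudo: true      # removes sudo for the rest of this job
          egress-policy: audit    # unrelated to sudo; kept in audit mode here

      - uses: actions/checkout@v4

      # Runs as the unprivileged runner user; no sudo required.
      - name: Run tests
        run: npm ci && npm test

      # A step like this would fail once sudo is disabled, which is why
      # the insights page must show no sudo usage before you enable the setting.
      # - name: Install system package
      #   run: sudo apt-get install -y some-package
```

Once the setting is in place, any step that still calls sudo fails the job, which is the intended signal that the workflow was relying on root privileges.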

Here is a sample PR that updates a Harden-Runner config to disable sudo.

[Screenshot: Pull Request Disable Config]