Within this environment, a user named 'user' has the ability to use sudo, but because of how I have the networking and stuff behind the scenes set up, I don't want the user to be able to access tools like iptables, iproute2, net-tools, etc. There are a plethora of others that I would like to disallow (like mount and sudo su) but I obviously can't know all of them. I would like to allow the user to use all the basic commands like ls, cd, pwd, etc.

It's fine if I have to list all the allowed commands since this is a more finite list than the ones that I would like to disallow.

Currently, I am going with the blacklist approach and listing all of the commands that I don't want, but it seems like the least secure and dumbest way to do so. This is what the current sudoers file looks like:

Cmnd_Alias APTNETTOOLS = /usr/bin/apt-get install iptables, /usr/bin/apt-get install iproute2, /usr/bin/apt-get install libghc-iproute-dev, /usr/bin/apt-get install net-tools, /usr/bin/apt install iptables, /usr/bin/apt install iproute2, /usr/bin/apt install libghc-iproute-dev, /usr/bin/apt install net-tools
Cmnd_Alias RESTRICTEDCMNDS = /usr/bin/ip, /usr/sbin/route, /usr/sbin/iptables, /usr/sbin/arp, /usr/sbin/ip, /usr/bin/networkctl
Cmnd_Alias ELEVCMNDS = /usr/sbin/visudo, /usr/bin/su

# See sudoers(5) for more information on "#include" directives:
user    ALL=ALL, !APTNETTOOLS, !ELEVCMNDS, !RESTRICTEDCMNDS

1 Answer

The default behavior for sudoers is to block everything but what you allow. You've allowed everything using ALL. If you don't want that, don't assign ALL. From the docs there's an example of explicit permissions:

   # Cmnd alias specification
   Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                  /usr/sbin/restore, /usr/sbin/rrestore,\
                  sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
                  /home/operator/bin/start_backups
   Cmnd_Alias     KILL = /usr/bin/kill
   Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
   Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
   Cmnd_Alias     HALT = /usr/sbin/halt
   Cmnd_Alias     REBOOT = /usr/sbin/reboot
   Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
                   /usr/local/bin/tcsh, /usr/bin/rsh,\
                   /usr/local/bin/zsh
   Cmnd_Alias     SU = /usr/bin/su
   Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less


   operator  ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
             sudoedit /etc/printcap, /usr/oper/bin/

   The operator user may run commands limited to simple maintenance.
   Here, those are commands related to backups, killing processes, the
   printing system, shutting down the system, and any commands in the
   directory /usr/oper/bin/.  Note that one command in the DUMPS
   Cmnd_Alias includes a sha224 digest, /home/operator/bin/start_backups.
   This is because the directory containing the script is writable by the
   operator user.  If the script is modified (resulting in a digest
   mismatch) it will no longer be possible to run it via sudo.

You would need to decide what commands make sense in your case, but I believe you've noted that this is ok for you.

It's fairly old, but you may find Secure Automation: Achieving Least Privilege with SSH, Sudo and Setuid useful in this kind of situation. It goes into many privilege-escalation attacks that you should consider when trying to implement a limited sudo.

Rob Napier
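As an added illustration of the allow-list approach the answer recommends (example code, not from the answer or the sudo project): this script builds a drop-in that grants `user` only the listed commands, with no ALL, and applies the digest technique from the man page excerpt to any command whose file or directory a non-root account could rewrite. The function and alias names (`render_sudoers`, `ALLOWED`) and the sample paths are assumptions, and the files in `demo()` are constructed in a temporary directory.

```python
"""Allow-list sudoers drop-in: name every command, no ALL; digest any
command a non-root account could modify (cf. start_backups in sudoers(5))."""
import base64, hashlib, os, stat, tempfile

def sha224_base64(path):
    """Digest in the base64 form sudoers(5) accepts: 'sha224:<digest>'."""
    with open(path, "rb") as f:
        return "sha224:" + base64.b64encode(hashlib.sha224(f.read()).digest()).decode()

def needs_digest(path, trusted_uid=0):
    """True if the file or its directory is owned by someone other than
    trusted_uid (root by default) or is group/other writable: a plain path
    would then authorise whatever that writer puts there."""
    for p in (path, os.path.dirname(path)):
        st = os.stat(p)
        if st.st_uid != trusted_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return True
    return False

def render_sudoers(user, commands, trusted_uid=0):
    """Sudoers text granting `user` exactly `commands` and nothing else."""
    entries = []
    for cmd in commands:
        if not os.path.isabs(cmd):
            raise ValueError(f"sudoers matches absolute paths only: {cmd}")
        prefix = sha224_base64(cmd) + " " if needs_digest(cmd, trusted_uid) else ""
        entries.append(prefix + cmd)
    alias = "Cmnd_Alias ALLOWED = " + ", \\\n    ".join(entries)
    return f"{alias}\n{user} ALL = ALLOWED\n"

def demo():
    """Constructed input: a root-style bin/ tool plus a script in a
    group-writable directory, like the operator's backup script."""
    top = tempfile.mkdtemp()
    bindir, home = os.path.join(top, "bin"), os.path.join(top, "home")
    os.mkdir(bindir); os.chmod(bindir, 0o755)
    os.mkdir(home); os.chmod(home, 0o775)  # group-writable: needs a digest
    tool = os.path.join(bindir, "networkctl")
    script = os.path.join(home, "start_backups")
    for p in (tool, script):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho constructed sample\n")
        os.chmod(p, 0o755)
    # The account running the demo owns these files, so it stands in for root.
    return render_sudoers("user", [tool, script], trusted_uid=os.getuid())
```

Write the output to a file under /etc/sudoers.d/, check its syntax with `visudo -cf <file>`, and confirm the effective grant with `sudo -l -U user`.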