[sudo-users] How to prevent editing sudoers-file
stephen at totalflood.com
Sun Nov 26 19:47:22 EST 2006
Michael Potter wrote:
> This question comes up in many forms many times.
> This comes down to that you are trying to enumerate all the bad things that
> a user could do and put in a rule to avoid them. That strategy does not
> work. There are many other ways that your user could do malicious things (and
> not be logged).
One thing I do is to edit my sudoers file on a workstation that only
"sudo admins" have access to. When the edits are done, a script is run
to push the modified sudoers file to all the machines that use it.
This script also writes out a file with the new sudoers file's md5sum in
it. A cron job runs regularly that checks the md5sum of sudoers on all
of the machines, and if there is a difference, notifies the sudo admins.
Stephen Carville <stephen at totalflood.com>
Unix and Network Admin
6033 W. Century Blvd
Los Angeles, CA 90045
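One way to implement the record-then-verify checksum job described in the post above, as an added example that is not code from the original message (the function names, file paths and report format are assumptions; the hash stays md5sum to match the post):

```shell
#!/bin/sh
# Added example, not part of the original post. Mirrors the scheme above:
# the push script records the checksum of the approved sudoers file, and a
# cron job on each host compares the deployed copy against that record.

# validate_sudoers FILE
# Syntax-check a candidate sudoers file before pushing it (visudo -c -f).
validate_sudoers() {
    visudo -c -f "$1"
}

# record_sudoers_sum SUDOERS REFFILE
# Write "<md5>  <path>" for SUDOERS into REFFILE, as the push script would.
record_sudoers_sum() {
    md5sum "$1" > "$2"
}

# check_sudoers_sum SUDOERS REFFILE
# Returns 0 when the deployed file matches the recorded checksum, 1 on drift
# or when either file is missing. Prints one line suitable for cron to mail
# to the sudo admins. Only the first field of REFFILE is compared, so the
# reference may have been produced on a host with a different path.
check_sudoers_sum() {
    sudoers="$1"; reffile="$2"
    host=$(hostname 2>/dev/null || echo unknown-host)
    if [ ! -r "$reffile" ]; then
        echo "ALERT $host: reference file $reffile missing or unreadable"
        return 1
    fi
    if [ ! -r "$sudoers" ]; then
        echo "ALERT $host: $sudoers missing or unreadable"
        return 1
    fi
    expected=$(cut -d' ' -f1 "$reffile")
    actual=$(md5sum "$sudoers" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then
        echo "OK $host: $sudoers matches recorded checksum $expected"
        return 0
    fi
    echo "ALERT $host: $sudoers changed (expected $expected, got $actual)"
    return 1
}
```

Because the reference file is written by the same push that installs sudoers, keep it on the admin workstation (or somewhere the monitored hosts cannot write) so a local root change cannot update both copies at once.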