[sudo-users] How to prevent editing sudoers-file

Stephen Carville stephen at totalflood.com
Sun Nov 26 19:47:22 EST 2006


Michael Potter wrote:
> Claude,
> 
> This question comes up in many forms many times.
> 
> This comes down to that you are trying to enumerate all the bad things that
> a user could do and put in a rule to avoid them.  That strategy does not
> work.  There are many other ways that your user could do malicious things (and
> not be logged).

One thing I do is to edit my sudoers file on a workstation that only 
"sudo admins" have access to.  When the edits are done, a script is run 
to push the modified sudoers file to all the machines that use it. 
This script also writes out a file with the new sudoers file's md5sum in 
it.  A cron job runs regularly that checks the md5sum for sudoers on all 
of the machines and, if there is a difference, notifies the sudo admins.

-- 
Stephen Carville <stephen at totalflood.com>
Unix and Network Admin
Nationwide Totalflood
6033 W. Century Blvd
Los Angeles, CA 90045
310-342-3602
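The workflow Stephen describes (push a master sudoers, record its md5sum in a manifest, have a cron job compare deployed copies and alert on drift) can be sketched as a small POSIX shell script. This is an added example, not a script from the mailing-list thread; the file paths, the manifest format (one hex digest per line) and the use of `echo` in place of a real notification are assumptions.

```shell
#!/bin/sh
# Added example (not from the sudo-users post): a checksum manifest for a
# pushed sudoers file and a verifier that reports drift. Paths and the
# notification mechanism are assumptions; a real cron job would mail the
# ALERT lines to the sudo admins instead of echoing them.

# Print only the hex md5 digest of a file (md5sum from GNU coreutils assumed).
sudoers_digest() {
    md5sum "$1" | awk '{print $1}'
}

# Record the digest of the master copy into a manifest file.
# Usage: write_manifest MASTER_SUDOERS MANIFEST
write_manifest() {
    sudoers_digest "$1" > "$2"
}

# Compare a deployed copy against the manifest.
# Returns 0 when the digest matches, 1 when it differs or the file is missing,
# and prints one OK/ALERT line either way.
# Usage: check_sudoers DEPLOYED_SUDOERS MANIFEST
check_sudoers() {
    deployed="$1"
    manifest="$2"
    expected=$(cat "$manifest")
    if [ ! -f "$deployed" ]; then
        echo "ALERT: $deployed is missing"
        return 1
    fi
    actual=$(sudoers_digest "$deployed")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $deployed matches manifest"
        return 0
    fi
    echo "ALERT: $deployed modified (expected $expected, got $actual)"
    return 1
}

# Demonstration on constructed files in a temporary directory: a master copy,
# a faithful deployed copy, then the same copy with an unauthorised line added.
demo() {
    tmp=$(mktemp -d)
    printf 'root ALL=(ALL) ALL\n%%admins ALL=(ALL) ALL\n' > "$tmp/sudoers.master"
    write_manifest "$tmp/sudoers.master" "$tmp/sudoers.md5"
    cp "$tmp/sudoers.master" "$tmp/sudoers.host1"
    check_sudoers "$tmp/sudoers.host1" "$tmp/sudoers.md5"
    # Simulate a local edit that bypassed the push script.
    echo 'bob ALL=(ALL) NOPASSWD: ALL' >> "$tmp/sudoers.host1"
    check_sudoers "$tmp/sudoers.host1" "$tmp/sudoers.md5" \
        || echo "(drift detected: this is where the sudo admins get notified)"
    rm -rf "$tmp"
}

demo
```

In practice the manifest should be generated on the admin workstation and pushed alongside the sudoers file, so that a host cannot simply rewrite both; the check then tells you that a deployed copy no longer matches what the sudo admins last approved, which is the signal the cron job is meant to raise.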