[sudo-users] Parsing the sudoers file

Shawn McMahon syberghost at gmail.com
Mon Sep 16 09:23:44 MDT 2013


On Mon, 2013-09-16 at 15:50 +0100, Tim Bradshaw wrote:
> I suspect this is a common question: sorry if so.
> 
> I need to be able to parse the sudoers file to generate things like lists of who can do what where, for the usual compliance reasons.
> 
> This seems to be surprisingly hard: there are a couple of scripts out there (one in Perl and one in Python that I have found), but I'm not at all sure I'd trust them to actually get the right answer.  I'm kind of realising that the people I'm doing this for do not care what the right answer is: what matters to people is convincing some auditor *not* actually checking things actually are secure.  But I care.
> 
> The best approach I can see to this would be to modify testsudoers to do this (it currently can take a host argument, I think I need to let this be some kind of wildcard).  I'm still a bit alarmed that, although it uses the same grammar, its check seems to be independent of sudo's, but I may not understand the code.
> 
> But before I do this: does anyone have a better answer?  This must be a common requirement, surely?

I've never been happy with the output of any script I've used for this.
Generally I just use "sudo -U <user> -ll" and send the auditors that,
for whichever user they're taking issue with.
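One way to turn that per-user listing into the "who can do what where" table Tim asked for, added here as an example and not code from sudo or from either poster: run `sudo -U <user> -ll`, parse the long-list output, and flag the entries an auditor will ask about (unrestricted command lists, `!authenticate`, RunAs ALL). It assumes the "Sudoers entry:" block layout that sudo 1.8-era `-ll` prints (RunAsUsers / RunAsGroups / Options / Commands fields); `SAMPLE_LL` is constructed, not captured from a real host. Note that `sudo -l` only evaluates rules matching the local host, so this has to be run on each host rather than once against the central sudoers file.

```python
"""Summarise `sudo -U <user> -ll` output as a who/what/where table.

Added example for the thread above, not code from sudo or from either
poster. It assumes the long-list layout printed by sudo 1.8-era `-ll`
("Sudoers entry:" blocks with RunAsUsers / RunAsGroups / Options /
Commands fields); SAMPLE_LL below is constructed, not captured.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample of what `sudo -U alice -ll` might print on host web01.
SAMPLE_LL = """\
Matching Defaults entries for alice on web01:
    env_reset, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:

Sudoers entry:
    RunAsUsers: ALL
    RunAsGroups: ALL
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: root
    Options: !authenticate
    Commands:
        /usr/bin/systemctl restart nginx
        /usr/bin/journalctl -u nginx
"""

HEADER_RE = re.compile(r"^User (\S+) may run the following commands on (\S+):")


@dataclass
class Entry:
    """One 'Sudoers entry:' block: who it runs as and what it may run."""
    runas_users: str = ""
    runas_groups: str = ""
    options: str = ""
    commands: list = field(default_factory=list)


def parse_ll(text):
    """Return (user, host, [Entry, ...]) parsed from `sudo -ll` text."""
    user = host = None
    entries = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            user, host = m.group(1), m.group(2)
            continue
        if raw.strip() == "Sudoers entry:":
            current = Entry()
            entries.append(current)
            continue
        if current is None or not raw.strip():
            continue                      # Defaults block or blank line
        if raw.startswith("        "):    # 8-space indent: a line under Commands:
            current.commands.append(raw.strip())
            continue
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "RunAsUsers":
            current.runas_users = value
        elif key == "RunAsGroups":
            current.runas_groups = value
        elif key == "Options":
            current.options = value
        # "Commands:" itself carries no value; its lines follow, indented deeper
    return user, host, entries


def flag(entry):
    """Findings an auditor would want called out for one entry."""
    findings = []
    if "ALL" in entry.commands:
        findings.append("unrestricted command list")
    if "!authenticate" in [o.strip() for o in entry.options.split(",")]:
        findings.append("no password required")
    if entry.runas_users == "ALL":
        findings.append("may run as any user")
    return findings


def report_rows(text):
    """Flatten one user's `-ll` output into (user, host, runas, command, flags) rows."""
    user, host, entries = parse_ll(text)
    rows = []
    for e in entries:
        flags = ";".join(flag(e))
        for cmd in e.commands:
            rows.append((user, host, e.runas_users, cmd, flags))
    return rows


def collect(user):
    """Run `sudo -U <user> -ll` on this host (listing another user's rules
    needs root or list privilege in sudoers) and return the report rows."""
    out = subprocess.run(["sudo", "-U", user, "-ll"], capture_output=True,
                         text=True, check=True).stdout
    return report_rows(out)


if __name__ == "__main__":
    for row in report_rows(SAMPLE_LL):
        print("\t".join(row))
```

Because the rows come from sudo's own evaluation rather than a re-implementation of the grammar, they answer Tim's trust concern: whatever a third-party parser thinks, this is what sudo will actually allow on that host for that user.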



