[sudo-users] Parsing the sudoers file

seph seph at directionless.org
Mon Sep 16 09:48:30 MDT 2013

For my auditing requirements, I went the other way. sudoers was
generated by my configuration management system, which had a clear set
of of auditable rules. 


On Mon, Sep 16, 2013, at 10:50, Tim Bradshaw wrote:
> I suspect this is a common question: sorry if so.
> I need to be able to parse the sudoers file to generate things like lists
> of who can do what where, for the usual compliance reasons.
> This seems to be surprisingly hard: there are a couple of scripts out
> there (one in Perl and one in Python that I have found), but I'm not at
> all sure I'd trust them to actually get the right answer.  I'm kind of
> realising that the people I'm doing this for do not care what the right
> answer is: what matters to people is convincing some auditor *not*
> actually checking things actually are secure.  But I care.
> The best approach I can see to this would be to modify testsudoers to do
> this (it currently can take a host argument, I think I need to let this
> be some kind of wildcard).  I'm still a bit alarmed that, although it
> uses the same grammar, its check seems to be independent of sudo's, but I
> may not understand the code.
> But before I do this: does anyone have a better answer?  This must be a
> common requirement, surely?
> Thanks
> --tim
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

  seph at directionless.org

More information about the sudo-users mailing list