[sudo-users] Parsing the sudoers file

seph seph at directionless.org
Mon Sep 16 09:48:30 MDT 2013


For my auditing requirements, I went the other way. sudoers was
generated by my configuration management system, which had a clear set
of auditable rules.

seph

On Mon, Sep 16, 2013, at 10:50, Tim Bradshaw wrote:
> I suspect this is a common question: sorry if so.
> 
> I need to be able to parse the sudoers file to generate things like lists
> of who can do what where, for the usual compliance reasons.
> 
> This seems to be surprisingly hard: there are a couple of scripts out
> there (one in Perl and one in Python that I have found), but I'm not at
> all sure I'd trust them to actually get the right answer.  I'm kind of
> realising that the people I'm doing this for do not care what the right
> answer is: what matters to people is convincing some auditor *not*
> actually checking things actually are secure.  But I care.
> 
> The best approach I can see to this would be to modify testsudoers to do
> this (it currently can take a host argument, I think I need to let this
> be some kind of wildcard).  I'm still a bit alarmed that, although it
> uses the same grammar, its check seems to be independent of sudo's, but I
> may not understand the code.
> 
> But before I do this: does anyone have a better answer?  This must be a
> common requirement, surely?
> 
> Thanks
> 
> --tim
> 


-- 
  seph
  seph at directionless.org
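As an added illustration of the "who can do what where" report the thread asks for (example code written for this page, not sudo's tooling nor either script Tim mentions), the Python below expands aliases in a small, constructed subset of the sudoers grammar into (user, host, runas, command) tuples; the same pass can be run over a configuration-management-generated sudoers to confirm the rendered grants match the intended rules. It assumes sudo's default runas of root when no `(runas)` is given, and it refuses (raises) on constructs it does not model rather than dropping them, since the full grammar is larger and the authoritative check still belongs to sudo's own tools such as testsudoers.

```python
import re
from itertools import product

# Constructed sudoers fragment (not a real file): aliases plus two user specs.
SAMPLE_SUDOERS = """
User_Alias  DBA = alice, bob
Host_Alias  DBHOSTS = db1, db2
Cmnd_Alias  PGCTL = /usr/bin/systemctl restart postgresql, /usr/bin/pg_ctl
DBA   DBHOSTS = (postgres) NOPASSWD: PGCTL   # DBAs may control postgres
carol ALL = (ALL) ALL
"""

ALIAS_RE = re.compile(r"^(User|Host|Cmnd|Runas)_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS_RE = re.compile(r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV):\s*)+")  # tags don't change who/what/where

def _expand(field, table):
    # Split a comma list and recursively replace alias names by their members.
    out = []
    for name in (n.strip() for n in field.split(",") if n.strip()):
        out.extend(_expand(table[name], table) if name in table else [name])
    return out

def parse_sudoers(text):
    """Return (user, host, runas, command) tuples for the subset handled; includes,
    '!' negation and ':'-separated spec lists raise instead of being silently dropped."""
    aliases = {k: {} for k in ("User", "Host", "Cmnd", "Runas")}
    grants = []
    for raw in text.splitlines():
        if raw.lstrip().startswith(("#include", "@include")):
            raise ValueError("unsupported sudoers line: " + raw.strip())
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("Defaults"):  # Defaults tune behaviour, not grants
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)][m.group(2)] = m.group(3)  # kept raw, expanded on use
            continue
        m = SPEC_RE.match(line)
        if not m or "!" in line or ":" in TAGS_RE.sub("", m.group(4)):
            raise ValueError("unsupported sudoers line: " + line)
        users, hosts, runas, cmds = m.groups()
        grants.extend(product(_expand(users, aliases["User"]),
                              _expand(hosts, aliases["Host"]),
                              _expand(runas or "root", aliases["Runas"]),  # runas_default (assumed)
                              _expand(TAGS_RE.sub("", cmds), aliases["Cmnd"])))
    return grants
```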