[sudo-users] Parsing the sudoers file

JR Aquino JR.Aquino at citrix.com
Mon Sep 16 10:24:58 MDT 2013


On Sep 16, 2013, at 7:50 AM, Tim Bradshaw wrote:

I suspect this is a common question: sorry if so.

I need to be able to parse the sudoers file to generate things like lists of who can do what where, for the usual compliance reasons.

This seems to be surprisingly hard: there are a couple of scripts out there (one in Perl and one in Python that I have found), but I'm not at all sure I'd trust them to actually get the right answer.  I'm kind of realising that the people I'm doing this for do not care what the right answer is: what matters to people is convincing some auditor *not* actually checking things actually are secure.  But I care.

The best approach I can see to this would be to modify testsudoers to do this (it currently can take a host argument, I think I need to let this be some kind of wildcard).  I'm still a bit alarmed that, although it uses the same grammar, its check seems to be independent of sudo's, but I may not understand the code.

But before I do this: does anyone have a better answer?  This must be a common requirement, surely?

Thanks

--tim


If you have a lot of hosts and a lot of users in sudo, you might want to consider centralizing sudo into ldap.

FreeIPA has an excellent Sudo integration (www.freeipa.org), and I use it to dump rules based on groups of critical hosts, etc.

Answering questions like:

Which groups of users have sudo rights to these groups of servers, and what commands are they allowed to run?

Or, show me all of the rules that give ALL cmds.

Compliance can start to be a huge effort once you start getting more and more servers with mixed access of folks admining them.

"You cannot hope to secure that which you do not first understand"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JR Aquino

Senior Information Security Specialist, Technical Operations
T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
GIAC Certified Exploit Researcher and Advanced Penetration Tester |
GIAC WebApplication Penetration Tester | GIAC Certified Incident Handler
JR.Aquino at citrix.com

