[sudo-users] Parsing the sudoers file

Shawn McMahon syberghost at gmail.com
Tue Sep 24 07:13:16 MDT 2013


On Tue, Sep 24, 2013 at 6:14 AM, Tim Bradshaw <tfb at tfeb.org> wrote:

> On 23 Sep 2013, at 23:29, Kevin Chadwick wrote:
>
> > Surely grep and hostname perhaps with a ssh logged into all systems at
> > once and a little sorting of the produced file on a networked filesystem
> > afterwards is all that you need?
>
> That would be nice, so long as there weren't too many machines, there was
> a list of what the machines were, and they were all accessible from a
> single place.  None of those things are true in my case unfortunately.
>
> This sounds like I'm being sarcastic. It's not meant to be, sorry:  I
> dream of working somewhere where the IT infrastructure doesn't resemble the
> decaying fragments of a collapsed civilisation, but I realise I never will.


Well, true, but to prepare for an audit you have to solve those problems
anyway, and to respond to an audit you're going to have a smaller sample of
servers to validate. You're going to be asked to prove that THOSE SERVERS
meet your controls, and that makes the problem much more manageable.

Throw in something like Ansible or Puppet, or even just xapply or
ClusterSSH even, and you're well on your way to making this doable, if not
simple.

