[sudo-workers] Feature request
Eric J. Wisti
sudo-list at wisti.com
Tue Mar 17 14:08:59 EDT 2009

I have worked on a number of PCI/SOX/GLBA audits and sudo is always a pain
to report on. I think a reporting binary or root-only switches on sudo
would be immensely helpful. I am currently trying to write Perl code to
parse sudoers and report on a class of users which have either (ALL) ALL
or (root) ALL privs, along with a couple of other medium risk commands.
It would be nice to be able to have a standard list of high, medium and
low root equivalence and be able to report on them. Things like (ALL) ALL
and bin/su - root would be in the high class, medium would be things with
shell escapes, vi, less, low could be a combination of chown and chmod. The
base list could be built-in and have a section (or another config file)
for additional commands to audit.

Another nice-to-have would be to test if a user has access to a command.

    sudo --check-user john 'su - root'
or
    sudo --check-all 'su - root'

to list all users (or groups) that have access to 'su - root'. These
would use the same code that is used to evaluate the user running sudo,
except that it would use the requested user rather than the current user.
Again, a root-only switch.

I guess the above could also be a type of right that could be assigned in
sudoers as well.
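
The report described in the message above, sketched as an added example (not code from the original post or from the sudo project). It assumes plain `who host = (runas) command, ...` lines with no alias expansion, includes or escaped commas, and the names `BUILTIN`, `classify`, `audit` and `SAMPLE` are hypothetical.

```python
import re

# Classes follow the post; the command list itself is a constructed starting point.
BUILTIN = {"su": "high", "vi": "medium", "less": "medium", "chown": "low", "chmod": "low"}
SPEC = re.compile(r"^(?!#|Defaults\b|\w+_Alias\b)(\S+)\s+([^\s=]+)\s*=\s*(.+)$")
ITEM = re.compile(r"^(?:\(([^)]*)\)\s*)?(?:[A-Z_]+:\s*)*(.+)$")  # (runas) TAG: command

def classify(runas, cmd, extra=None):
    """Return 'high', 'medium', 'low' or None for one (runas, command) pair."""
    users = {u.strip() for u in runas.split(":")[0].split(",")}
    if not users & {"ALL", "root"}:
        return None                      # cannot run as root: not reported here
    if cmd == "ALL":
        return "high"                    # the (ALL) ALL / (root) ALL case
    base = cmd.split()[0].rsplit("/", 1)[-1]
    return {**BUILTIN, **(extra or {})}.get(base)

def audit(sudoers_text, extra=None):
    """Return (who, risk, runas, command) tuples; comments, Defaults, aliases are skipped."""
    findings = []
    for line in re.sub(r"\\\n", " ", sudoers_text).splitlines():  # join continuations
        spec = SPEC.match(line.strip())
        if not spec:
            continue
        who, _host, rest = spec.groups()
        runas = "root"                   # sudo's default when no (runas) is given
        for item in re.split(r",(?![^(]*\))", rest):  # commas outside (runas) lists
            m = ITEM.match(item.strip())
            if not m:
                continue
            if m.group(1) is not None:
                runas = m.group(1)       # a runas list carries over to later commands
            risk = classify(runas, m.group(2).strip(), extra)
            if risk:
                findings.append((who, risk, runas, m.group(2).strip()))
    return findings

SAMPLE = """\
# constructed sample sudoers, not taken from a real host
root    ALL=(ALL) ALL
%wheel  ALL=(ALL : ALL) NOPASSWD: ALL
john    ALL=(root) /bin/su - root, /usr/bin/less /var/log/messages
mary    ALL=/bin/chown, \\
            /bin/chmod
bob     ALL=(www) /usr/bin/vi
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The `extra` argument plays the role of the "additional commands to audit" section: pass a dict such as `{"awk": "medium"}` to extend the built-in list.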