[sudo-workers] Feature request

Eric J. Wisti sudo-list at wisti.com
Tue Mar 17 14:08:59 EDT 2009


I have worked on a number of PCI/SOX/GLBA audits and sudo is always a pain 
to report on. I think a reporting binary or root-only switches on sudo 
would be immensely helpful. I am currently trying to write perl code to 
parse sudoers and report on a class of users which have either (ALL) ALL 
or (root) ALL privs, along with a couple of other medium-risk commands.

It would be nice to be able to have a standard list of high, medium and 
low root equivalence and be able to report on them. Things like (ALL) ALL 
and bin/su - root would be in the high class, medium would be things with 
shell escapes (vi, less), and low could be a combination of chown and chmod. The 
base list could be built-in and have a section (or another config file) 
for additional commands to audit.

Another nice-to-have would be to test if a user has access to a command: 
sudo --check-user john 'su - root' or sudo --check-all 'su - root' 
to list all users (or groups) that have access to 'su - root'. These 
would use the same code that is used to evaluate the user running sudo, except 
that it would use the requested user rather than the current user. Again, 
a root-only switch.

I guess the above could also be a type of right that could be assigned in 
sudoers as well.

Comments?
Eric Wisti
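As an added illustration of the audit report proposed above (this is example code, not the poster's perl script or anything shipped with sudo), the script below parses a constructed sudoers fragment and groups user specifications into the high/medium/low classes the post describes. It assumes the class lists shown, does not expand Cmnd_Alias/User_Alias definitions, and ignores host and group membership.

```python
import re
# Risk classes as the post proposes; these lists are constructed for the example, not sudo's own.
MEDIUM_CMDS = {"/usr/bin/vi", "/usr/bin/vim", "/usr/bin/less", "/usr/bin/more"}
LOW_CMDS = {"/bin/chown", "/bin/chmod", "/usr/bin/chown", "/usr/bin/chmod"}
SU_CMDS = {"/bin/su", "/usr/bin/su"}
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.+)$")   # user host = cmd list
RUNAS_RE = re.compile(r"^\(([^):]*)[^)]*\)\s*(.*)$")  # (runas[:group]) cmd

def parse_sudoers(text):
    """Return (user, host, runas, command) tuples; aliases are not expanded (assumption)."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():   # join backslash continuations
        line = line.split("#", 1)[0].strip()               # drop comments
        m = SPEC_RE.match(line)
        if not m or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        user, host, runas = m.group(1), m.group(2), "root"  # root is sudo's default runas
        for item in m.group(3).split(","):
            r = RUNAS_RE.match(item.strip())
            if r:                                          # a runas spec persists until overridden
                runas, item = r.group(1).strip(), r.group(2)
            item = re.sub(r"^(?:[A-Z]+:\s*)+", "", item.strip())  # strip NOPASSWD: etc.
            entries.append((user, host, runas, item))
    return entries

def classify(runas, cmd):
    """Map one (runas, command) pair to 'high', 'medium', 'low' or None (not audited)."""
    prog, *args = cmd.split() or [""]
    root_like = runas in ("ALL", "root")
    if prog == "ALL":
        return "high" if root_like else "medium"
    if prog in SU_CMDS:                                    # su, su -, su root, su - root
        target = [a for a in args if not a.startswith("-")]
        return "high" if root_like and target in ([], ["root"]) else "medium"
    return "medium" if prog in MEDIUM_CMDS else "low" if prog in LOW_CMDS else None

def report(text):
    """Return {risk: ['user host (runas) cmd', ...]} for entries in an audited class."""
    rows = [(classify(e[2], e[3]), "%s %s (%s) %s" % e) for e in parse_sudoers(text)]
    return {lvl: [r for l, r in rows if l == lvl] for lvl in ("high", "medium", "low")}

SAMPLE = """\
# constructed sample sudoers for this example
root   ALL = (ALL) ALL
john   ALL = /bin/su - root, /bin/chmod
alice  web1 = (www-data) NOPASSWD: /usr/bin/less, \\
               (root) /bin/chown
bob    ALL = /usr/sbin/service apache2 restart
"""
```

Running report(SAMPLE) puts root and john's su rule in the high class, alice's less in medium, the chmod/chown rules in low, and leaves bob's service command unreported.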



