[sudo-workers] auditing of policy evaluated on sudoers

Todd C. Miller Todd.Miller at sudo.ws
Fri May 10 11:36:38 MDT 2019


On Fri, 10 May 2019 06:21:39 -0700, Rohit Bansal wrote:

> Is there a way to find out which policy and group was evaluated to get a
> user capability to sudo.

Not currently.  By the time a match is made, the details of what
specifically matched in the entry are no longer around.  It would
be possible to log the file and line number of the rule that matches
but even that may not tell you what you want to know.

> We have 100+ different groups which give sudo to root and other accounts.
> The intention is to audit which group is being used when sudo is run by
> 100s of users on a regular basis.
>
> I tried running sudo in debug mode. I was hoping to get the egid as the
> group to reflect the information. However I could not find any way to
> capture that information from logs.

The debug info does include information about user group matches
when you log nss at debug but I don't know if that will give you
what you want.

> Any help would be appreciated. If there is a patch which is available to
> apply which gets that information, that would also be helpful.

If what you are trying to determine is which groups grant a specific
user (or list of users) sudo permissions, the cvtsudoers utility
from recent sudo versions can probably help answer those questions.

For example, to display matching rules for user millert:

$ cvtsudoers -M -m user=millert -f sudoers -e -s defaults /etc/sudoers
%wheel ALL = (ALL) ALL

The output format can also be set to JSON or LDIF.

 - todd
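The reply above says sudo does not record which entry, or which user/group spec inside it, produced a match, and points at cvtsudoers for offline questions. The script below is an added example (not sudo's code and not a replacement for cvtsudoers) that answers the narrower audit question for the simple subset of sudoers syntax: it reports the file line number of every rule whose User_List matches a given user and which spec (user name, %group, User_Alias member or ALL) produced the match. The policy text and the group memberships are constructed inline so it runs offline; negation (!), netgroups (+), #uid/%#gid forms, host/Runas/command matching and Defaults are deliberately out of scope, and on a real host you would feed it the output of `cvtsudoers -f sudoers` (aliases expanded, one logical entry per line) together with group membership from grp/os.getgrouplist.

```python
"""Report which sudoers entry, and which spec in its User_List, grants a user.

Added example: a deliberate simplification of sudoers matching, not sudo's
own evaluator.  Supported specs: user names, %group, User_Alias, ALL.
Unsupported (skipped): !negation, +netgroup, #uid, %#gid, %:nonunix,
Host/Runas/Cmnd matching and Defaults.
"""
import re

# Constructed sample policy for the demonstration; not a real sudoers file.
SAMPLE_SUDOERS = """\
# constructed example
Defaults    env_reset
User_Alias  DBADMINS = alice, %dba
%wheel      ALL = (ALL) ALL
%ops        ALL = (root) NOPASSWD: /usr/sbin/service
DBADMINS    ALL = (postgres) ALL
bob         ALL = (ALL) ALL
"""

ALIAS_RE = re.compile(r"^User_Alias\s+(\w+)\s*=\s*(.+)$")


def _logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None


def parse_sudoers(text):
    """Return (user_aliases, rules); each rule is (line, user_specs, text)."""
    aliases, rules = {}, []
    for n, line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [s.strip() for s in m.group(2).split(",")]
            continue
        if line.startswith(("Defaults", "Host_Alias", "Runas_Alias", "Cmnd_Alias")):
            continue
        # A user specification reads "User_List Host_List = ..."; the host
        # list is the last whitespace-separated token before the '='.
        lhs = line.split("=", 1)[0]
        user_list = lhs.rsplit(None, 1)[0]
        rules.append((n, [s.strip() for s in user_list.split(",")], line))
    return aliases, rules


def match_spec(spec, user, groups, aliases, _seen=()):
    """Return a string describing how `spec` matched the user, else None."""
    if spec == "ALL":
        return "ALL"
    if spec.startswith(("!", "+", "#", "%:", "%#")):
        return None  # negation, netgroups, numeric ids: not modelled here
    if spec.startswith("%"):
        return spec if spec[1:] in groups else None
    if spec in aliases and spec not in _seen:  # _seen guards alias cycles
        for member in aliases[spec]:
            how = match_spec(member, user, groups, aliases, _seen + (spec,))
            if how:
                return f"{spec} -> {how}"
        return None
    return spec if spec == user else None


def grants_for(text, user, groups):
    """List (line, how_matched, rule_text) for rules whose User_List matches."""
    aliases, rules = parse_sudoers(text)
    hits = []
    for n, specs, rule in rules:
        for spec in specs:
            how = match_spec(spec, user, set(groups), aliases)
            if how:
                hits.append((n, how, rule))
                break  # report the first matching spec of each rule
    return hits


if __name__ == "__main__":
    # Memberships are hard-coded so the example runs offline; on a real host
    # derive them with grp.getgrall() or os.getgrouplist() instead.
    for user, groups in (("alice", ["users"]), ("carol", ["wheel", "ops"]), ("dave", [])):
        for line, how, rule in grants_for(SAMPLE_SUDOERS, user, groups):
            print(f"{user}: line {line} via {how}: {rule}")
```

Run over every account that can log in, the output is the "which of our 100+ groups actually grants this user" table the original question asks for; it is a static answer, not a record of what matched at the moment a particular sudo ran, which is the information the reply says sudo itself does not retain.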
