[sudo-workers] auditing of policy evaluated on sudoers

Rohit Bansal banro21 at gmail.com
Fri May 10 12:19:14 MDT 2019


Hi Todd,

Thanks a lot.

What I am looking for is dynamic runtime information on what group policy
in sudoers let the user execute sudo. As groups may be added into
sudoers over time and group memberships change (our groups are managed in
LDAP), a static cvtsudoers run may not be useful.

Is there a way to get the sudoers file name and the line number of the
policy currently? That may satisfy my need by dumping that line entry as a
separate task.

Regards,
Rohit


On Fri, May 10, 2019 at 10:36 AM Todd C. Miller <Todd.Miller at sudo.ws> wrote:

> On Fri, 10 May 2019 06:21:39 -0700, Rohit Bansal wrote:
>
> > Is there a way to find out which policy and group was evaluated to get a
> > user capability to sudo.
>
> Not currently.  By the time a match is made, the details of what
> specifically matched in the entry are no longer around.  It would
> be possible to log the file and line number of the rule that matches
> but even that may not tell you what you want to know.
>
> > We have 100+ different groups which give sudo to root and other accounts.
> > The intention is to audit which group is being used when sudo is run by
> > 100s of users on a regular basis.
> >
> > I tried running sudo in debug mode. I was hoping to get the egid as the
> > group to reflect the information. However I could not find any way to
> > capture that information from logs.
>
> The debug info does include information about user group matches
> when you log nss at debug but I don't know if that will give you
> what you want.
>
> > Any help would be appreciated. If there is a patch which is available to
> > apply which get that information, that would also be helpful.
>
> If what you are trying to determine is which groups grant a specific
> user (or list of users) sudo permissions, the cvtsudoers utility
> from recent sudo versions can probably help answer those questions.
>
> For example, to display matching rules for user millert:
>
> $ cvtsudoers -M -m user=millert -f sudoers -e -s defaults /etc/sudoers
> %wheel ALL = (ALL) ALL
>
> The output format can also be set to JSON or LDIF.
>
>  - todd
>


-- 
Rohit Bansal
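The following is an added example, not code from Todd, Rohit or the sudo project. It takes the kind of output the cvtsudoers command quoted above produces (sudoers-format User_Spec lines such as `%wheel ALL = (ALL) ALL`) and, given a user's current group memberships, reports which `%group` or user entry in each matching rule made that user eligible. The sample matches and group memberships are constructed for the example; the cvtsudoers flags are the ones quoted in the thread. Only plain user names and `%group` names are handled (no netgroups or negation; aliases are already expanded by `-e`), so anything else is assumed away here.

```python
"""Map cvtsudoers match output back to the group (or user entry) that granted it."""
import re
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed sample output in the sudoers format that
# `cvtsudoers -M -m user=<name> -f sudoers -e -s defaults` prints
# (the %wheel line is the one quoted in the thread; the rest is made up).
SAMPLE_MATCHES = """\
%wheel ALL = (ALL) ALL
%dba, alice db01 = (oracle) /usr/bin/sqlplus
bob ALL = (root) /usr/sbin/service
"""

# Constructed group memberships. In practice resolve these at audit time
# (LDAP, `getent group`, `id -Gn`), because they change over time.
SAMPLE_GROUPS: Dict[str, Set[str]] = {
    "alice": {"users", "wheel"},
    "bob": {"users", "dba"},
}

# User_Spec shape handled here: <User_List> <Host_List> = <Cmnd_Spec...>
# Assumption: User_List holds plain user names and %group names only.
USER_SPEC = re.compile(r"^(?P<users>.+?)\s+(?P<hosts>\S+)\s*=\s*(?P<cmnd>.+)$")


def parse_user_specs(text: str) -> List[dict]:
    """Parse cvtsudoers match output into {users, hosts, cmnd, line} records."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            raise ValueError(f"unrecognised User_Spec: {line!r}")
        users = [u.strip() for u in m.group("users").split(",")]
        specs.append({"users": users, "hosts": m.group("hosts"),
                      "cmnd": m.group("cmnd"), "line": line})
    return specs


def explain_grants(user: str, groups: Set[str],
                   specs: List[dict]) -> List[Tuple[str, str]]:
    """For each rule that applies to `user`, report which User_List member matched.

    Returns (original line, reason) pairs; reason is "%group", "user <name>"
    or "ALL". That is the audit trail asked for in the thread: not just that
    a rule matched, but which group in it made the user eligible.
    """
    hits = []
    for spec in specs:
        for member in spec["users"]:
            if member == "ALL":
                reason = "ALL"
            elif member.startswith("%") and member[1:] in groups:
                reason = member
            elif member == user:
                reason = f"user {user}"
            else:
                continue
            hits.append((spec["line"], reason))
            break  # one matching member per rule is enough for the report
    return hits


def cvtsudoers_matches(user: str, sudoers_path: str = "/etc/sudoers") -> str:
    """Run the cvtsudoers command quoted in the thread for a live audit.

    Requires a sudo build that ships cvtsudoers; not exercised by the sample run.
    """
    cmd = ["cvtsudoers", "-M", "-m", f"user={user}", "-f", "sudoers",
           "-e", "-s", "defaults", sudoers_path]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    specs = parse_user_specs(SAMPLE_MATCHES)
    for name, groups in SAMPLE_GROUPS.items():
        for line, reason in explain_grants(name, groups, specs):
            print(f"{name}: granted by {reason} via rule: {line}")
```

Because this still evaluates the policy at audit time rather than at the moment sudo ran, it is a point-in-time snapshot: running it on a schedule (and recording the resolved group memberships alongside the sudo log) narrows the gap Todd describes, but it does not reproduce the exact runtime match.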

