[sudo-workers] auditing of policy evaluated on sudoers

Rohit Bansal banro21 at gmail.com
Wed May 15 16:13:40 MDT 2019

Hi Folks,

What is the best way to log a request in the backlog to sudo future
enhancements roadmap?

It would be best to log in the syslog entry the LDAP group which provided
the sudo without no additional configuration?


On Fri, May 10, 2019 at 11:19 AM Rohit Bansal <banro21 at gmail.com> wrote:

> Hi Todd,
> Thanks a lot.
> What i am looking for is dynamic runtime information on what group policy
> in souders let the user execute sudo. As the groups may be added into
> sudoers overtime and group memberships changes (our groups are managed in
> LDAP), a static cvtsudoers run may not be useful.
> Is there a way to get the sudoers file name and the line number of the
> policy currently? That may satisfy my need by dumping that line entry as a
> separate task
> Regards,
> Rohit
> On Fri, May 10, 2019 at 10:36 AM Todd C. Miller <Todd.Miller at sudo.ws>
> wrote:
>> On Fri, 10 May 2019 06:21:39 -0700, Rohit Bansal wrote:
>> > Is there a way to find out which policy and group was evaluated to get a
>> > user capability to sudo.
>> Not currently.  By the time a match is made, the details of what
>> specifically matched in the entry are no longer around.  It would
>> be possible to log the file and line number of the rule that matches
>> but even that may not tell you what you want to know.
>> > We have 100+ different groups which give sudo to root and other
>> accounts.
>> > The intention is to audit which group is being used when sudo is run by
>> > 100s of user on regular basis.
>> >
>> > I tried running sudo in debug mode. I was hoping to get the egid as the
>> > group to reflect the information. However i could not find any ways to
>> > capture that information from logs.
>> The debug info does include information about user group matches
>> when you log nss at debug but I don't know if that will give you
>> what you want.
>> > Any help would be appreciated. If there is a patch which is available to
>> > apply which get that information, that would also be helpful.
>> If what you are tying to determine is which groups grant a specific
>> user (or list of users) sudo permissions, the cvtsudoers utility
>> from recent sudo versions can probably help answer those questions.
>> For example, to display matching rules for user millert:
>> $ cvtsudoers -M -m user=millert -f sudoers -e -s defaults /etc/sudoers
>> %wheel ALL = (ALL) ALL
>> The output format can also be set to JSON or LDIF.
>>  - todd
> --
> Rohit Bansal

Rohit Bansal

More information about the sudo-workers mailing list