www.kudos.be

Configuring a client host

The following guidelines should be followed to initially set up a target host when introducing SUDO Controls:

  1. Add a dedicated OS group & user - for example sudoadmin - who will be the owner of the repository. The administrative account does not need a password (so lock it) but does require a valid shell:

	[client]$ groupadd sudoadmin
	[client]$ useradd -g sudoadmin sudoadmin

  2. Pre-populate the SUDO Controls local repository. You can use the following shell script for this:

	#!/bin/sh
	# Create the SUDO Controls client repository with the expected owners and modes.
	# Must run as root; stop at the first failing command.
	set -e
	mkdir -p /etc/sudo_controls/holding
	mkdir -p /etc/sudo_controls/sudoers.d
	# repository root and the generated sudoers.d directory: root-owned, read-only for others
	chown root:sys /etc/sudo_controls
	chmod 755 /etc/sudo_controls
	# holding area: group-writable for sudoadmin; setgid keeps new files in that group
	chown root:sudoadmin /etc/sudo_controls/holding
	chmod 2775 /etc/sudo_controls/holding
	chown root:sys /etc/sudo_controls/sudoers.d
	chmod 755 /etc/sudo_controls/sudoers.d
	# data and configuration files: read/write for root and the sudoadmin group only
	touch /etc/sudo_controls/holding/grants
	touch /etc/sudo_controls/holding/alias
	touch /etc/sudo_controls/holding/fragments
	touch /etc/sudo_controls/holding/manage_sudo.conf
	touch /etc/sudo_controls/holding/update_sudo.conf
	touch /etc/sudo_controls/holding/manage_sudo.sh
	touch /etc/sudo_controls/holding/update_sudo.pl
	chown root:sudoadmin /etc/sudo_controls/holding/grants
	chown root:sudoadmin /etc/sudo_controls/holding/alias
	chown root:sudoadmin /etc/sudo_controls/holding/fragments
	chown root:sudoadmin /etc/sudo_controls/holding/manage_sudo.conf
	chown root:sudoadmin /etc/sudo_controls/holding/update_sudo.conf
	chmod 660 /etc/sudo_controls/holding/grants
	chmod 660 /etc/sudo_controls/holding/alias
	chmod 660 /etc/sudo_controls/holding/fragments
	chmod 660 /etc/sudo_controls/holding/manage_sudo.conf
	chmod 660 /etc/sudo_controls/holding/update_sudo.conf
	# scripts: executable by root and the sudoadmin group only
	chown root:sudoadmin /etc/sudo_controls/holding/manage_sudo.sh
	chown root:sudoadmin /etc/sudo_controls/holding/update_sudo.pl
	chmod 770 /etc/sudo_controls/holding/manage_sudo.sh
	chmod 770 /etc/sudo_controls/holding/update_sudo.pl
	# log file: group-writable so the sudoadmin group can append to it
	touch /var/log/manage_sudo.sh.log
	chown root:sudoadmin /var/log/manage_sudo.sh.log
	chmod 664 /var/log/manage_sudo.sh.log

  3. Copy & add the SSH public key of the sudoadmin account to the authorized_keys on the client. You can also use SSH Controls for this purpose:

	[client]$ cat sudoadmin.pub >> /home/sudoadmin/.ssh/authorized_keys

  4. Test that you can connect as the sudoadmin user from the SUDO Controls master to the client host WITHOUT being prompted for a passphrase (the key must be loaded in an SSH agent on the master):

	[master]$ ssh sudoadmin@client

  5. Update the master configuration files so that the client host is referenced in each of the files. You should have at least one entry for the client host in the targets file.

  6. Perform an initial distribution from the SUDO Controls master using the sudoadmin account & key, specifying a manual list of targets. Make sure the sync finishes without errors:

	[master]$ /etc/sudo_controls/manage_sudo.sh --copy --targets=<client>

At this point you should have a working set of SUDO Controls on the target client host, ready to be activated but not yet active. In the next couple of steps we will activate the SUDO Controls:

  7. Add the two required sudo rules on the client host so that the update_sudo.pl script can be executed with root privileges:

	[client]# visudo -f /etc/sudoers

The following rule in /etc/sudoers is ONLY required for the initial client push. Either add a snippet for the sudoadmin user:

	# sudo_controls
	# a command alias must be declared with Cmnd_Alias and use an upper-case name
	Cmnd_Alias SUDO_CONTROLS_C = /etc/sudo_controls/holding/update_sudo.pl, /etc/sudo_controls/holding/manage_sudo.sh
	sudoadmin ALL=(root) NOPASSWD: SUDO_CONTROLS_C

-OR- for the sudoadmin group (if you are managing SUDO Controls with multiple people and individual accounts):

	# sudo_controls
	# a command alias must be declared with Cmnd_Alias and use an upper-case name
	Cmnd_Alias SUDO_CONTROLS_C = /etc/sudo_controls/holding/update_sudo.pl, /etc/sudo_controls/holding/manage_sudo.sh
	%sudoadmin ALL=(root) NOPASSWD: SUDO_CONTROLS_C

The following rule in /etc/sudoers is PERMANENTLY required for the update_sudo.pl script to work correctly:

	# sudo_controls
	#includedir /etc/sudo_controls/sudoers.d

Note 1: the hash (#) MUST be present in front of the includedir directive; it is part of the directive, not a comment marker (sudo 1.9.1 and later also accept the @includedir spelling).
Note 2: add the following Defaults directives on HP-UX hosts:

	# Defaults specification
	Defaults logfile=/var/adm/sudo/sudo.log
	Defaults timestampdir=/var/adm/sudo

Please also read the FAQ on DAC considerations.

  8. Perform an initial activation of the SUDO Controls, locally on the client host:

	[client]$ sudo /etc/sudo_controls/holding/manage_sudo.sh --update

-or- with a preview first:

	[client]$ sudo /etc/sudo_controls/update_sudo.pl --verbose --preview

	[client]$ sudo /etc/sudo_controls/update_sudo.pl --verbose

  9. Add the client host to the targets file on the SUDO Controls master:

	[master]$ echo "<client>" >>/etc/sudo_master/targets

  10. Do a second, remote distribution & apply from the SUDO Controls master (as a double-check):

	[master]$ /etc/sudo_master/manage_sudo.sh --copy --targets=<client>

	[master]$ /etc/sudo_master/manage_sudo.sh --apply --targets=<client>

You now have SUDO Controls fully configured and active on your client host. As a final step, you may optionally remove all old & temporary rules from /etc/sudoers and /etc/sudoers.d/* files on the client host.

Example repository

Following is a listing of what a SUDO client repository may look like:

[client]# ls -lR /etc/sudo_controls

drwxrwsr-x   2 root       sudoadmin     1024 Feb  5 11:00 holding
drwxr-xr-x   2 root       sys           1024 Apr 10 11:20 sudoers.d

./holding:

-rw-rw----   1 root       sudoadmin      4384 Apr 10 11:20 alias
-rw-rw----   1 root       sudoadmin     12832 Apr 10 11:20 fragments
-rw-rw----   1 root       sudoadmin      3311 Apr 10 11:20 grants
-rw-rw----   1 root       sudoadmin       676 Apr 10 11:20 manage_sudo.conf
-rwxrwx---   1 root       sudoadmin     38478 Apr 10 11:20 manage_sudo.sh
-rw-rw----   1 root       sudoadmin       926 Apr 10 11:20 update_sudo.conf
-rwxrwx---   1 root       sudoadmin     24683 Apr 10 11:20 update_sudo.pl

./sudoers.d:

-r--r-----   1 bin        bin            229 Apr 10 11:20 root_netstat
-r--r-----   1 bin        bin            134 Apr 10 11:20 root_lsof
-r--r-----   1 bin        bin            122 Apr 10 11:20 root_backup

Note: the files in the sudoers.d directory must have 0440 permissions and be owned by bin:bin (HP-UX only).
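As an added check that is not part of SUDO Controls or of the page's own scripts, the following POSIX shell helper audits a client repository against the modes and group set by the pre-population script and shown in the listing, and confirms that the permanent includedir rule is present in a sudoers file. The function names, the GNU stat dependency and the BASE/GROUP arguments are assumptions; owner is deliberately not checked so the helper can also run against a staged copy.

```shell
#!/bin/sh
# Added audit helper, not part of SUDO Controls: verifies that a client
# repository matches the ownership/mode layout from the setup script and
# the listing above, and that sudoers carries the includedir line (Note 1).
# Assumes GNU stat (Linux); checks modes and group only, not the root owner.

mode_of()  { stat -c '%a' "$1"; }   # octal mode, setgid bit included
group_of() { stat -c '%G' "$1"; }   # owning group name

# expect_mode PATH MODE GROUP: report a finding on stderr, return 1 on mismatch
expect_mode() {
    _p=$1; _m=$2; _g=$3
    [ -e "$_p" ] || { echo "MISSING $_p" >&2; return 1; }
    _am=$(mode_of "$_p"); _ag=$(group_of "$_p")
    if [ "$_am" != "$_m" ] || [ "$_ag" != "$_g" ]; then
        echo "BAD $_p: mode $_am group $_ag (want $_m $_g)" >&2
        return 1
    fi
}

# check_repo [BASE] [GROUP]: prints the number of findings (0 = layout OK)
check_repo() {
    base=${1:-/etc/sudo_controls}; grp=${2:-sudoadmin}; n=0
    expect_mode "$base/holding" 2775 "$grp" || n=$((n + 1))
    for f in grants alias fragments manage_sudo.conf update_sudo.conf; do
        expect_mode "$base/holding/$f" 660 "$grp" || n=$((n + 1))
    done
    for f in manage_sudo.sh update_sudo.pl; do
        expect_mode "$base/holding/$f" 770 "$grp" || n=$((n + 1))
    done
    # generated rule files must never be group- or world-writable:
    # 440 is what the page requires, 400 is accepted as stricter
    for f in "$base"/sudoers.d/*; do
        [ -e "$f" ] || continue
        case $(mode_of "$f") in
            440|400) ;;
            *) echo "BAD $f: mode $(mode_of "$f") (want 440)" >&2; n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# has_includedir SUDOERS: true if the permanent include rule is present, in
# either the classic '#includedir' form or the sudo >= 1.9.1 '@includedir' form
has_includedir() {
    grep -Eq '^[#@]includedir[[:space:]]+/etc/sudo_controls/sudoers\.d[[:space:]]*$' "$1"
}

# On a real client: [ "$(check_repo)" = 0 ] && has_includedir /etc/sudoers && echo OK
```

Findings are written to stderr one per line, so the count on stdout can be used directly in a monitoring job.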
