Well, that depends on whether you are administering SUDO Controls using the sudoadmin account only or using multiple accounts. In the former case the following DAC considerations do not apply. However, you may opt to administer SUDO Controls with multiple people, each having their own account. This is possible on the condition that these accounts are part of the sudoadmin group on both SSH master & client hosts. In this case, the following DAC considerations do apply:
When in doubt about permissions of the files in the local SUDO Controls repositories (not the SUDO master), you can use the --fix-local command to reset permissions:
[client]$ /etc/sudo_controls/manage_sudo.sh --fix-local --fix-dir=/etc/sudo_controls [--fix-user=sudoadmin]
There is a corresponding --fix-remote command as well that can be executed on the SUDO master.
The manage_sudo.sh script writes its actions – unless you specify the --no-log parameter – into the /var/log directory. This is valid for both SSH master and clients.
The update_sudo.pl script does not perform any logging but will do so when called through the manage_sudo.sh script.
SUDO Controls will re-label the public key files under /etc/sudo_controls/sudoers.d as follows upon each update:
This will make sure that SUDO can access the rules at all times.
Nope. You should always make sure that files are correctly transferred before applying them.
But of course, nothing prevents you from running:
[master]$ /etc/ssh_master/manage_sudo.sh --copy && /etc/ssh_master/manage_sudo.sh --update
But: CAVEAT EMPTOR :-)
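An added example (not part of SUDO Controls itself) of the kind of check the answer above asks for: the --update step is only run once every transferred rule fragment matches a sha256 manifest shipped from the master and no unlisted file is present. The manifest file and its location are an assumption; SUDO Controls does not produce one.

```shell
#!/bin/sh
# Added example, not SUDO Controls code. Assumes the master ships a manifest
# in `sha256sum` format ("<hash>  <file>") next to the rule fragments
# (hypothetical convention).

# verify_fragments DIR MANIFEST
# Succeeds only when every file named in MANIFEST exists in DIR with the
# recorded hash, and DIR holds no file that is absent from MANIFEST
# (sudo would read an unlisted fragment just like a listed one).
verify_fragments() {
    dir=$1
    manifest=$2
    [ -d "$dir" ] && [ -f "$manifest" ] || return 1
    while read -r want name; do
        [ -f "$dir/$name" ] || { echo "missing: $name" >&2; return 1; }
        have=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "checksum mismatch: $name" >&2; return 1; }
    done < "$manifest"
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        awk -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$manifest" \
            || { echo "unlisted file: $name" >&2; return 1; }
    done
    return 0
}

# gated_update DIR MANIFEST CMD...
# Runs CMD (e.g. manage_sudo.sh --update) only if the fragments verify.
gated_update() {
    dir=$1
    manifest=$2
    shift 2
    verify_fragments "$dir" "$manifest" || return 1
    "$@"
}
```

A syntax check of each fragment with `visudo -c -f FILE` is a natural second gate before the update.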
On the SUDO master the /etc/sudo_master/fragments.d directory represents the central repository of all available SUDO rules. These rules may be stored in rule group files, organized per department, application, team, etc. These rules do NOT provide any privileged access on the SUDO master and should only be manipulated by the SUDO Controls maintainers.
The client’s /etc/sudo_controls/sudoers.d directory represents the managed location of the SUDO rules files which will be read by the sudo tool when invoked to provide elevated privileges on the client system. These files should never be manipulated manually.
These are configuration files that can be used to define settings for the manage_sudo.sh script. The manage_sudo.conf can be used as a global configuration file whereas manage_sudo.conf.local can serve as a local override. The former will also be distributed by SUDO Controls, the latter not.
These are configuration files that can be used to define settings for the update_sudo.pl script. The update_sudo.conf can be used as a global configuration file whereas update_sudo.conf.local can serve as a local override. The former will also be distributed by SUDO Controls, the latter not.