Backing up SUDO Controls configuration files
When making changes to any of the standard SUDO Controls configuration files on the SUDO master:
/etc/sudo_master/grants/etc/sudo_master/alias/etc/sudo_master/targets/etc/sudo_master/fragments.d/*
Make a backup copy first in the designated directory:
[master]$ /etc/sudo_master/manage_sudo.sh --backup
INFO: *** start of manage_sudo.sh [--backup] ***
INFO: logging takes places in /var/log/manage_sudo.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/sudo_master
INFO: ACTION: backing up the current configuration & fragments files ...
INFO: resulting backup file is: /etc/sudo_master/backup/backup_repo_20141217-1202.tar.gz
INFO: finished backing up the current configuration & fragments files
INFO: performing cleanup ...Previewing a change in grants and alias mappings
Making a change to the SUDO Controls configuration can have a large impact in terms of granted access on the client landscape. You can preview the potential effect of your change by requesting a full dump of the configured name space or access rules.
You can do this on the SUDO master server or any client with:
[master]$ /etc/sudo_master/manage_sudo.sh --preview-globalThe info presented will be 2-element tuples showing: WHICH rules go WHERE:
INFO: display GLOBAL configuration ....
root_netstat|host1
root_netstat|host2
root_netstat|host3
root_netstat|host4
<…>
root_lsof|host1
root_lsof|host2
<snip>By simply ‘grepping’ on the output you can apply filters.
Resolving (expanding) aliases
When using nested groups (aliases) it may be difficult to track what the alias will finally expand to. Use the --resolve-alias command-line option to manually request alias resolution.
Example alias file:
@acme_hosts : acme1.com,acme2.com,acme3.com,@acme_web
@acme_web : acme5.come,acme7.com,@acme_db
@acme_db : acme8.com,acme9.comYou can request manually resolution of @acme_hosts with:
[master]$ /etc/ssh_master/manage_ssh.sh --resolve-alias --alias=@acme_hosts
INFO: ACTION: resolving alias @acme_hosts ...
INFO: alias @acme_hosts resolves to: acme1.com acme2.com acme3.com acme5.come acme7.com acme8.com acme9.com
INFO: finished resolving aliasOr the @acme_db alias:
[master]$ /etc/ssh_master/manage_ssh.sh --resolve-alias --alias=@acme_db
INFO: alias @acme_db resolves to: acme8.com acme9.com
INFO: finished resolving alias
INFO: performing cleanup ...Manually expanding aliases works on both master and client nodes.
Finding errors in --copy and --update operations
Since SUDO Controls will sync & update its clients in parallel via background jobs, it is not easy to always see a potential problem and correlate it to its correct host of origin.
Following command will siphon off the verbose output into a separate log file which can be used for inspection:
[master]$ /etc/sudo_master/manage_sudo.sh --copy 2>&1 | tee /tmp/copy.log
[master]$ /etc/sudo_master/manage_sudo.sh --apply 2>&1 | tee /tmp/apply.logThen use following pattern to look for problems:
[master]$ grep -i -E -e 'WARN|ERROR|failed|denied|tty' /tmp/copy.log
[master]$ grep -i -E -e 'WARN|ERROR|failed|denied|tty' /tmp/apply.logFix any potential problems and clean up the temporary log file afterwards:
[master]$ rm –f /tmp/copy.log
[master]$ rm –f /tmp/apply.logAlternatively you can also check the return code of the different sub-commands. Any return code different from 0 will be indicative of an error or errors:
[master]$ grep -E -e 'RC=[^0]' /tmp/copy.log
WARN: failed to transfer /etc/sudo_master/sudo_master/grants to client1:/etc/sudo_controls/holding [RC=255]
WARN: failed to transfer /etc/sudo_master/sudo_master/grants to client2:/etc/sudo_controls/holding [RC=255]
WARN: failed to transfer ./manage_sudo.sh to client1:/etc/sudo_controls/holding [RC=255]
WARN: failed to transfer ./manage_sudo.sh to client2:/etc/sudo_controls/holding [RC=255]
WARN: failed to transfer ./manage_sudo.conf to client1:/etc/sudo_controls/holding [RC=255]
WARN: failed to transfer ./manage_sudo.conf to client2:/etc/sudo_controls/holding [RC=255]
WARN: failed to transfer /var/tmp/distribute2host.14428/fragments to client1:/etc/sudo_controls/holding [RC=255]
WARN: failed to transfer /var/tmp/distribute2host.2601/fragments to client2:/etc/sudo_controls/holding [RC=255]
WARN: child process 31283 exited [RC=7]
WARN: child process 31223 exited [RC=7]Following WARning(s) may be ignored:
Warning: Permanently added … (RSA) to the list of known hostsOther messages that may ignored are the ones caused by the sudo tool itself (locally on each client):
Last successful login: Mon Jan 19 08:50:15 MET 2015
Last authentication failure: Mon Aug 25 23:18:02 METDST 2014 host1
Last successful login: Mon Jan 19 08:50:15 MET 2015
Last authentication failure: Fri Sep 5 20:25:45 METDST 2014 host2The following warning message indicates that the xauth utility is not installed on the client host:
X11 forwarding request failed on channel 0
Comments