Procedure
Follow these guidelines to initially set up a target host when introducing SUDO Controls:
- Add a dedicated OS group & user, for example sudoadmin, who will be the owner of the repository. The administrative account does not need a password (so lock it) but does require a valid shell:
[client]$ groupadd sudoadmin
[client]$ useradd -g sudoadmin sudoadmin
- Pre-populate the SUDO Controls local repository. You can use the following shell script for this:
#!/bin/sh
# Top-level repository: root-owned, world-readable, writable by root only
mkdir -p /etc/sudo_controls/holding
mkdir -p /etc/sudo_controls/sudoers.d
chown root:sys /etc/sudo_controls
chmod 755 /etc/sudo_controls
# Holding area: the sudoadmin group writes here; setgid keeps new files in that group
chown root:sudoadmin /etc/sudo_controls/holding
chmod 2775 /etc/sudo_controls/holding
# Published sudoers fragments: written only by the root-run update_sudo.pl, not by sudoadmin
chown root:sys /etc/sudo_controls/sudoers.d
chmod 755 /etc/sudo_controls/sudoers.d
# Data & configuration files (group-writable for sudoadmin)
touch /etc/sudo_controls/holding/grants
touch /etc/sudo_controls/holding/alias
touch /etc/sudo_controls/holding/fragments
touch /etc/sudo_controls/holding/manage_sudo.conf
touch /etc/sudo_controls/holding/update_sudo.conf
touch /etc/sudo_controls/holding/manage_sudo.sh
touch /etc/sudo_controls/holding/update_sudo.pl
chown root:sudoadmin /etc/sudo_controls/holding/grants
chown root:sudoadmin /etc/sudo_controls/holding/alias
chown root:sudoadmin /etc/sudo_controls/holding/fragments
chown root:sudoadmin /etc/sudo_controls/holding/manage_sudo.conf
chown root:sudoadmin /etc/sudo_controls/holding/update_sudo.conf
chmod 660 /etc/sudo_controls/holding/grants
chmod 660 /etc/sudo_controls/holding/alias
chmod 660 /etc/sudo_controls/holding/fragments
chmod 660 /etc/sudo_controls/holding/manage_sudo.conf
chmod 660 /etc/sudo_controls/holding/update_sudo.conf
# Scripts (group-executable for sudoadmin)
chown root:sudoadmin /etc/sudo_controls/holding/manage_sudo.sh
chown root:sudoadmin /etc/sudo_controls/holding/update_sudo.pl
chmod 770 /etc/sudo_controls/holding/manage_sudo.sh
chmod 770 /etc/sudo_controls/holding/update_sudo.pl
# Log file for manage_sudo.sh
touch /var/log/manage_sudo.sh.log
chown root:sudoadmin /var/log/manage_sudo.sh.log
chmod 664 /var/log/manage_sudo.sh.log
- Copy & add the SSH public key of the sudoadmin account to the authorized_keys file on the client. You can also use SSH Controls for this purpose:
[client]$ cat sudoadmin.pub >> /home/sudoadmin/.ssh/authorized_keys
- Test that you can connect as the sudoadmin user from the SUDO master onto the client host WITHOUT specifying a passphrase (think of the required SSH agent):
[master]$ ssh sudoadmin@client
- Update the master configuration files so that the client host is referenced in each of the files. You should have at least one entry for the client host in the targets file.
- Perform an initial distribution from the SUDO Controls master using the sudoadmin account & key and specifying a manual list of targets. Make sure the sync finishes without errors:
[master]$ /etc/sudo_controls/manage_sudo.sh --copy --targets=<client>
At this point you should have a working set of SUDO Controls on the target client host, ready to be activated but not yet active. In the next couple of steps we will activate the SUDO Controls:
- Add the two required SUDO rules on the client host so that the update_sudo.pl script can be executed with root privileges:
[client]# visudo -f /etc/sudoers
The following rule in /etc/sudoers IS ONLY required for the initial client push (the command list is declared as a Cmnd_Alias, whose name must be upper-case for visudo to accept it). Either add a snippet for the sudoadmin user:
# sudo_controls
Cmnd_Alias SUDO_CONTROLS_C = /etc/sudo_controls/holding/update_sudo.pl, /etc/sudo_controls/holding/manage_sudo.sh
sudoadmin ALL=(root) NOPASSWD: SUDO_CONTROLS_C
-OR- for the sudoadmin group (if you are managing SUDO Controls with multiple people and individual accounts):
# sudo_controls
Cmnd_Alias SUDO_CONTROLS_C = /etc/sudo_controls/holding/update_sudo.pl, /etc/sudo_controls/holding/manage_sudo.sh
%sudoadmin ALL=(root) NOPASSWD: SUDO_CONTROLS_C
The following rule in /etc/sudoers IS PERMANENTLY required for the update_sudo.pl script to work correctly:
# sudo_controls
#includedir /etc/sudo_controls/sudoers.d
The hash (#) MUST exist in front of the includedir directive.
Add the following Defaults directives for HP-UX hosts:
# Defaults specification
Defaults logfile=/var/adm/sudo/sudo.log
Defaults timestampdir=/var/adm/sudo
Please also read the FAQ on DAC considerations.
- Perform an initial activation of the SUDO Controls, locally on the client host:
[client]$ sudo /etc/sudo_controls/holding/manage_sudo.sh --update
-or- with a preview first:
[client]$ sudo /etc/sudo_controls/update_sudo.pl --verbose --preview
[client]$ sudo /etc/sudo_controls/update_sudo.pl --verbose
- Add the client host to the targets file on the SUDO Controls master:
[master]$ echo "<client>" >>/etc/sudo_master/targets
- Do a second, remote distribute & apply from the SUDO Controls master (as a double-check):
[master]$ /etc/sudo_master/manage_sudo.sh --copy --targets=<client>
[master]$ /etc/sudo_master/manage_sudo.sh --apply --targets=<client>
You now have SUDO Controls fully configured and active on your client host. As a final step, you may optionally remove all old & temporary rules from the /etc/sudoers and /etc/sudoers.d/* files on the client host.
Example repository
The following is a listing of what a SUDO client repository may look like:
[client]# ls -lR /etc/sudo_controls
drwxrwsr-x 2 root sudoadmin 1024 Feb 5 11:00 holding
drwxr-xr-x 2 root sys 1024 Apr 10 11:20 sudoers.d
./holding:
-rw-rw---- 1 root sudoadmin 4384 Apr 10 11:20 alias
-rw-rw---- 1 root sudoadmin 12832 Apr 10 11:20 fragments
-rw-rw---- 1 root sudoadmin 3311 Apr 10 11:20 grants
-rw-rw---- 1 root sudoadmin 676 Apr 10 11:20 manage_sudo.conf
-rwxrwx--- 1 root sudoadmin 38478 Apr 10 11:20 manage_sudo.sh
-rw-rw---- 1 root sudoadmin 926 Apr 10 11:20 update_sudo.conf
-rwxrwx--- 1 root sudoadmin 24683 Apr 10 11:20 update_sudo.pl
./sudoers.d:
-r--r----- 1 bin bin 229 Apr 10 11:20 root_netstat
-r--r----- 1 bin bin 134 Apr 10 11:20 root_lsof
-r--r----- 1 bin bin 122 Apr 10 11:20 root_backup
The files contained in the sudoers.d directory must have 0440 permissions and be owned by bin:bin (HP-UX only).
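As an added check (example code, not part of SUDO Controls), the following Python script audits a client repository against the ownership and modes that the pre-populate script creates and the listing above shows; the expected owner and group names are parameters (an assumption, so the same audit can run against a test tree), and fragment ownership is not checked because it is platform-specific (bin:bin on HP-UX).

```python
import os
import pwd
import grp
# Holding-area layout created by the pre-populate script on the page.
HOLDING_FILES = ("grants", "alias", "fragments", "manage_sudo.conf", "update_sudo.conf")
HOLDING_SCRIPTS = ("manage_sudo.sh", "update_sudo.pl")

def _name(lookup, ident):
    try:
        return lookup(ident)
    except KeyError:          # no passwd/group entry: report the numeric id
        return str(ident)

def owner_group_mode(path):
    # (owner name, group name, permission bits incl. setgid) of path
    st = os.stat(path)
    return (_name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid),
            _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid),
            st.st_mode & 0o7777)

def _fmt(t):
    return "missing" if t is None else f"{t[0]}:{t[1]} {t[2]:04o}"

def audit_sudo_controls_repo(base="/etc/sudo_controls", owner="root",
                             group="sudoadmin", sysgroup="sys"):
    # Returns findings (empty = matches). Names are parameters (assumption) so a
    # test tree can be audited with the same code.
    holding = os.path.join(base, "holding")
    frag_dir = os.path.join(base, "sudoers.d")
    expected = {
        base: (owner, sysgroup, 0o755),
        holding: (owner, group, 0o2775),     # setgid: new files inherit the group
        frag_dir: (owner, sysgroup, 0o755),  # not group-writable: only root publishes
    }
    for name in HOLDING_FILES:
        expected[os.path.join(holding, name)] = (owner, group, 0o660)
    for name in HOLDING_SCRIPTS:
        expected[os.path.join(holding, name)] = (owner, group, 0o770)
    findings = []
    for path, want in expected.items():
        got = owner_group_mode(path) if os.path.exists(path) else None
        if got != want:
            findings.append(f"{path}: is {_fmt(got)}, want {_fmt(want)}")
    # Published fragments must be 0440; owner is platform-specific (bin:bin on HP-UX).
    for name in (sorted(os.listdir(frag_dir)) if os.path.isdir(frag_dir) else []):
        mode = owner_group_mode(os.path.join(frag_dir, name))[2]
        if mode != 0o440:
            findings.append(f"{frag_dir}/{name}: mode {mode:04o}, want 0440")
    return findings
```

Run it with the defaults on a client after the initial distribution; a non-empty result means the repository differs from the layout the set-up script establishes and should be corrected before activation.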