Procedure

Follow these guidelines to set up a new target (client) host when introducing SUDO Controls:

  1. Add a dedicated OS group & user - for example sudoadmin - which will own the repository. The administrative account does not need a password (so lock it, e.g. with passwd -l or the platform equivalent) but does require a valid shell:
[client]$ groupadd sudoadmin
[client]$ useradd -g sudoadmin sudoadmin
  1. Pre-populate the SUDO Controls *local repository*. You can use the following shell script for this (run it as root on the client):
#!/bin/sh
# Create the SUDO Controls local repository with the required owners & modes.
# Run as root on the client; aborts on the first failing command.
set -e

# Repository root and its two sub-directories.
mkdir -p /etc/sudo_controls/holding
mkdir -p /etc/sudo_controls/sudoers.d
chown root:sys /etc/sudo_controls
chmod 755 /etc/sudo_controls
# holding: writable for the sudoadmin group; the setgid bit (2775) makes files
# pushed from the master inherit the sudoadmin group.
chown root:sudoadmin /etc/sudo_controls/holding
chmod 2775 /etc/sudo_controls/holding
# sudoers.d: only root writes the generated fragments here.
chown root:sys /etc/sudo_controls/sudoers.d
chmod 755 /etc/sudo_controls/sudoers.d
# Data & configuration files: read/write for root and the sudoadmin group.
touch /etc/sudo_controls/holding/grants
touch /etc/sudo_controls/holding/alias
touch /etc/sudo_controls/holding/fragments
touch /etc/sudo_controls/holding/manage_sudo.conf
touch /etc/sudo_controls/holding/update_sudo.conf
touch /etc/sudo_controls/holding/manage_sudo.sh
touch /etc/sudo_controls/holding/update_sudo.pl
chown root:sudoadmin /etc/sudo_controls/holding/grants
chown root:sudoadmin /etc/sudo_controls/holding/alias
chown root:sudoadmin /etc/sudo_controls/holding/fragments
chown root:sudoadmin /etc/sudo_controls/holding/manage_sudo.conf
chown root:sudoadmin /etc/sudo_controls/holding/update_sudo.conf
chmod 660 /etc/sudo_controls/holding/grants
chmod 660 /etc/sudo_controls/holding/alias
chmod 660 /etc/sudo_controls/holding/fragments
chmod 660 /etc/sudo_controls/holding/manage_sudo.conf
chmod 660 /etc/sudo_controls/holding/update_sudo.conf
# Scripts: executable for root and the sudoadmin group only.
chown root:sudoadmin /etc/sudo_controls/holding/manage_sudo.sh
chown root:sudoadmin /etc/sudo_controls/holding/update_sudo.pl
chmod 770 /etc/sudo_controls/holding/manage_sudo.sh
chmod 770 /etc/sudo_controls/holding/update_sudo.pl
# Log file: group writable so that manage_sudo.sh can append to it.
touch /var/log/manage_sudo.sh.log
chown root:sudoadmin /var/log/manage_sudo.sh.log
chmod 664 /var/log/manage_sudo.sh.log
  1. Copy the SSH public key of the sudoadmin account on the SUDO master and add it to the authorized_keys file of the sudoadmin user on the client (make sure ~/.ssh is mode 0700 and authorized_keys is mode 0600, otherwise sshd will ignore the key). You can also use SSH Controls for this purpose:
[client]$ cat sudoadmin.pub >> /home/sudoadmin/.ssh/authorized_keys
  1. Test that you can connect as the sudoadmin user from the SUDO master to the client host WITHOUT being prompted for a passphrase (load the key in an SSH agent first):
[master]$ ssh sudoadmin@client
  1. Update the master configuration files so that the client host is referenced in each of them. You should have at least one entry for the client host in the targets file.
  1. Perform an initial distribution from the SUDO Controls master, using the sudoadmin account & key and specifying a manual list of targets. Make sure the sync finishes without errors:
[master]$ /etc/sudo_master/manage_sudo.sh --copy --targets=<client>
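A quick way to confirm that the push left the client repository in the state the set-up script expects is to compare every path against the intended owner, group and mode. The script below is an added example (my own code, not part of SUDO Controls): it encodes the layout from step 2 as a small spec table, checks it with GNU stat(1) (`stat -c`; BSD/HP-UX stat differs) and also flags any fragment in sudoers.d that is not 0440/0400, since sudo refuses sudoers files that are writable by group or others. The function names, the SUDO_GROUP override and the "missing"/"mode"/"owner"/"group" report format are my own choices.

```shell
#!/bin/sh
# Added example (not SUDO Controls code): audit a client repository against the
# ownership/mode layout of the set-up script on this page. Assumes GNU stat(1)
# for "stat -c"; group name and repository root can be overridden, and the
# function names are my own.
set -u

SUDO_GROUP=${SUDO_GROUP:-sudoadmin}

# Expected layout, one entry per line: path relative to the repository root,
# octal mode, owner, group (the values from the set-up script).
repo_spec() {
    cat <<EOF
. 755 root sys
holding 2775 root $SUDO_GROUP
sudoers.d 755 root sys
holding/grants 660 root $SUDO_GROUP
holding/alias 660 root $SUDO_GROUP
holding/fragments 660 root $SUDO_GROUP
holding/manage_sudo.conf 660 root $SUDO_GROUP
holding/update_sudo.conf 660 root $SUDO_GROUP
holding/manage_sudo.sh 770 root $SUDO_GROUP
holding/update_sudo.pl 770 root $SUDO_GROUP
EOF
}

# audit_repo ROOT: print one line per deviation ("<path>: <what> <actual> != <expected>")
# and return the number of deviations found (0 = repository matches the spec).
audit_repo() {
    root=$1
    n=0
    while read -r rel mode owner group; do
        path="$root/$rel"
        if [ ! -e "$path" ]; then
            echo "$path: missing"; n=$((n + 1)); continue
        fi
        set -- $(stat -c '%a %U %G' "$path")
        [ "$1" = "$mode" ]  || { echo "$path: mode $1 != $mode";   n=$((n + 1)); }
        [ "$2" = "$owner" ] || { echo "$path: owner $2 != $owner"; n=$((n + 1)); }
        [ "$3" = "$group" ] || { echo "$path: group $3 != $group"; n=$((n + 1)); }
    done <<EOF
$(repo_spec)
EOF
    # Generated fragments: sudo rejects sudoers files that are writable by group
    # or others; the page's convention is 0440. The owner is platform-dependent
    # (bin:bin on HP-UX, root elsewhere), so only the mode is checked here.
    for f in "$root"/sudoers.d/*; do
        [ -e "$f" ] || continue
        m=$(stat -c '%a' "$f")
        case $m in
            440|400) ;;
            *) echo "$f: mode $m != 440"; n=$((n + 1)) ;;
        esac
    done
    return $n
}

# Stand-alone use: ./audit_sudo_controls.sh /etc/sudo_controls
if [ $# -gt 0 ]; then
    audit_repo "$1" && echo "repository layout OK"
fi
```

Run it as any user that can read the repository; the exit status is the number of deviations, so it can be wired into a post-push check on the master (for example over the same sudoadmin SSH session used for the copy).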

At this point you should have a working set of SUDO Controls on the target client host, ready to be activated but not yet active. In the next couple of steps we will activate the SUDO Controls:

  1. Add the two required SUDO rules on the client host so that the update_sudo.pl script can be executed with root privileges:
[client]# visudo -f /etc/sudoers

The following rule in /etc/sudoers IS ONLY required for the initial client push (the command alias must be declared with Cmnd_Alias and its name must be in upper case, otherwise visudo rejects it). Either add a snippet for the sudoadmin user:

# sudo_controls
Cmnd_Alias SUDO_CONTROLS_C = /etc/sudo_controls/holding/update_sudo.pl, /etc/sudo_controls/holding/manage_sudo.sh
sudoadmin ALL=(root) NOPASSWD: SUDO_CONTROLS_C

-OR- for the sudoadmin *group* (if you manage SUDO Controls with multiple people and individual accounts):

# sudo_controls
Cmnd_Alias SUDO_CONTROLS_C = /etc/sudo_controls/holding/update_sudo.pl, /etc/sudo_controls/holding/manage_sudo.sh
%sudoadmin ALL=(root) NOPASSWD: SUDO_CONTROLS_C

The following rule in /etc/sudoers IS PERMANENTLY required for the update_sudo.pl script to work correctly:

# sudo_controls
#includedir /etc/sudo_controls/sudoers.d

:pushpin: The hash (#) MUST exist in front of the includedir directive: it is part of the directive, not a comment marker. (sudo 1.9.1 and later also accept the @includedir spelling; the # form still works there.)

:pushpin: Add following default directives for HP-UX hosts:

# Defaults specification
Defaults logfile=/var/adm/sudo/sudo.log
Defaults timestampdir=/var/adm/sudo

Please also read the FAQ on DAC considerations.

  1. Perform an initial activation of the SUDO Controls, locally on the client host:
[client]$ sudo /etc/sudo_controls/holding/manage_sudo.sh --update

-or- with a preview first:

[client]$ sudo /etc/sudo_controls/update_sudo.pl --verbose --preview

[client]$ sudo /etc/sudo_controls/update_sudo.pl --verbose
  1. Add the client host to the targets file on the SUDO Controls master:
[master]$ echo "<client>" >>/etc/sudo_master/targets
  1. Do a second, remote distribution & apply from the SUDO Controls master (as a double-check):
[master]$ /etc/sudo_master/manage_sudo.sh --copy --targets=<client>

[master]$ /etc/sudo_master/manage_sudo.sh --apply --targets=<client>

You now have SUDO Controls fully configured and active on your client host. As a final step, you may optionally remove all old & temporary rules from /etc/sudoers and /etc/sudoers.d/* files on the client host.
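The two sudoers rules from the activation steps above are easy to get subtly wrong by hand (lower-case alias name, missing Cmnd_Alias keyword, a space before the # of #includedir). The script below is an added example (my own code, not part of SUDO Controls): it renders the temporary push rule for either a user or a group together with the permanent includedir line, picks @includedir versus #includedir from the installed sudo version (the @ spelling exists since sudo 1.9.1, the # spelling is accepted everywhere), and runs visudo -c on the result when visudo is available. The function names, the HOLDING/SUDOERS_D overrides and the output file name are my own.

```shell
#!/bin/sh
# Added example, not code from SUDO Controls: render the two sudoers rules from
# this page into one snippet and pick the includedir spelling for the installed
# sudo. Paths default to the page's /etc/sudo_controls layout and can be
# overridden through the environment; the function names are my own.
set -u

HOLDING=${HOLDING:-/etc/sudo_controls/holding}
SUDOERS_D=${SUDOERS_D:-/etc/sudo_controls/sudoers.d}

# includedir_directive VERSION
# Prints "@includedir" for sudo 1.9.1 or later, otherwise "#includedir".
# The hash form is accepted by every release (deprecated but valid in 1.9.x),
# so it is also the answer when the version is unknown or unparseable.
includedir_directive() {
    v=$(printf '%s' "$1" | sed 's/p.*$//')   # "1.9.5p2" -> "1.9.5"
    case $v in
        '' | *[!0-9.]*) echo '#includedir'; return 0 ;;
    esac
    major=${v%%.*}
    rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    patch=${rest#"$minor"}; patch=${patch#.}
    : "${minor:=0}" "${patch:=0}"            # "1.8" -> 1.8.0, "1" -> 1.0.0
    if [ "$major" -gt 1 ] \
       || { [ "$major" -eq 1 ] && [ "$minor" -gt 9 ]; } \
       || { [ "$major" -eq 1 ] && [ "$minor" -eq 9 ] && [ "$patch" -ge 1 ]; }; then
        echo '@includedir'
    else
        echo '#includedir'
    fi
}

# installed_sudo_version: first line of "sudo -V" is "Sudo version X.Y.Z";
# prints nothing when sudo is not installed.
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# bootstrap_snippet user|group NAME [DIRECTIVE]
# Prints the temporary push rule (as a proper Cmnd_Alias, upper-case name)
# followed by the permanent includedir line.
bootstrap_snippet() {
    case $1 in
        user)  who=$2 ;;
        group) who="%$2" ;;
        *) echo "usage: bootstrap_snippet user|group NAME [DIRECTIVE]" >&2; return 2 ;;
    esac
    directive=${3:-"#includedir"}
    cat <<EOF
# sudo_controls (temporary: only needed for the initial client push)
Cmnd_Alias SUDO_CONTROLS_C = $HOLDING/update_sudo.pl, $HOLDING/manage_sudo.sh
$who ALL=(root) NOPASSWD: SUDO_CONTROLS_C
# sudo_controls (permanent: required by update_sudo.pl)
$directive $SUDOERS_D
EOF
}

# check_snippet FILE: syntax-check with visudo when it is available. Note that
# visudo -c also verifies the owner and mode of FILE, so an unprivileged run may
# report those in addition to any syntax error.
check_snippet() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; skipping syntax check of $1" >&2
    fi
}

# Stand-alone use: ./render_sudo_controls_rules.sh user|group NAME
if [ $# -ge 2 ]; then
    out=sudo_controls_bootstrap.sudoers
    bootstrap_snippet "$1" "$2" "$(includedir_directive "$(installed_sudo_version)")" > "$out"
    chmod 440 "$out"
    check_snippet "$out" && echo "wrote $out"
fi
```

Review the generated file and then merge it into /etc/sudoers with visudo as in the steps above; remember that the Cmnd_Alias block is only needed until the first remote apply has succeeded.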

Example repository

Following is a listing of what a SUDO client repository may look like:

[client]# ls -lR /etc/sudo_controls

drwxrwsr-x   2 root       sudoadmin     1024 Feb  5 11:00 holding
drwxr-xr-x   2 root       sys           1024 Apr 10 11:20 sudoers.d

./holding:

-rw-rw----   1 root       sudoadmin      4384 Apr 10 11:20 alias
-rw-rw----   1 root       sudoadmin     12832 Apr 10 11:20 fragments
-rw-rw----   1 root       sudoadmin      3311 Apr 10 11:20 grants
-rw-rw----   1 root       sudoadmin       676 Apr 10 11:20 manage_sudo.conf
-rwxrwx---   1 root       sudoadmin     38478 Apr 10 11:20 manage_sudo.sh
-rw-rw----   1 root       sudoadmin       926 Apr 10 11:20 update_sudo.conf
-rwxrwx---   1 root       sudoadmin     24683 Apr 10 11:20 update_sudo.pl

./sudoers.d:

-r--r-----   1 bin        bin            229 Apr 10 11:20 root_netstat
-r--r-----   1 bin        bin            134 Apr 10 11:20 root_lsof
-r--r-----   1 bin        bin            122 Apr 10 11:20 root_backup

:pushpin: The files contained in the sudoers.d directory must have 0440 permissions (sudo refuses sudoers files that are writable by group or others) and, on HP-UX only, be owned by bin:bin; on other platforms sudo expects them to be owned by root.
