Follow these guidelines to initially set up a target host when introducing SUDO Controls:
Add a dedicated OS group & user - for example sudoadmin - who will be the owner of the repository. The administrative account does not need a password (so lock it), but it does require a valid login shell, because the master connects to it over SSH:
Pre-populate the SUDO Controls *local repository.* You can use the following shell script for this:
Copy & add the SSH public key of the sudoadmin account to the authorized_keys on the client. You can also use SSH Controls for this purpose:
Test that you can connect as the sudoadmin user from the SUDO master onto the client host WITHOUT being prompted for a passphrase (the private key must be loaded in the SSH agent on the master, otherwise the non-interactive distribution will hang or fail):
Update the master configuration files so that the client host is referenced in each of the files. You should have at least one entry for the client host in the targets file.
Perform an initial distribution from the SUDO Controls master using the sudoadmin account & key and specifying a manual list of targets. Make sure the sync finishes without errors:
At this point you should have a working set of SUDO Controls on the target client host, ready to be activated but not yet active. In the next couple of steps we will activate the SUDO Controls:
Add the two required sudo rules on the client host so that the update_sudo.pl script can be executed with root privileges:
The following rule in /etc/sudoers IS ONLY required for the initial client push. Either add a snippet for the sudoadmin *user*:
-OR- for the sudoadmin *group* (if you are managing SUDO Controls with multiple people and individual accounts):
The following rule in /etc/sudoers IS PERMANENTLY required for the update_sudo.pl script to work correctly:
The hash (#) MUST be present directly in front of the includedir directive: to sudo, #includedir is a directive, not a comment. A space between the hash and the keyword turns the line into a real comment, and the fragments in sudoers.d are then silently ignored. (Recent sudo releases, 1.9.1 and later, also accept the @includedir spelling.) Verify the result with visudo -c before logging out of the session in which you made the change.
Perform an initial activation of the SUDO Controls, locally on the client host:
-or- with preview first:
Add the client host to the targets file on the SUDO Controls master:
Do a second, remote distribute & apply from the SUDO Controls master (as a double-check):
You now have SUDO Controls fully configured and active on your client host. As a final step, you may optionally remove all old & temporary rules from /etc/sudoers and /etc/sudoers.d/* on the client host, including the initial-push rule for the sudoadmin user or group added above. Keep the #includedir directive; it is the permanent requirement.
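As an added example (not part of the original page and not code from the SUDO Controls project itself), the bash script below collects the client-side work of the procedure above into functions you can source or run: creating the locked sudoadmin account with a valid shell, installing the master's public key, rendering the temporary push rule in its user and group forms, and checking the two things that most often go wrong afterwards: the #includedir directive and the 0440 mode of the sudoers.d fragments. It assumes a Linux client, that the administrative account is named sudoadmin (as in the text), that update_sudo.pl lives at /usr/local/bin/update_sudo.pl and the local repository at /etc/sudo_controls, and that the push rule is a plain NOPASSWD command rule; the exact wording of the page's own snippets is not reproduced here, so treat that rule shape as my assumption too.

```bash
#!/bin/bash
# Added example, not SUDO Controls' own code. Assumed (not taken from the page):
#   - the client is Linux (useradd/passwd -l/getent/install are available)
#   - update_sudo.pl is installed at /usr/local/bin/update_sudo.pl
#   - the local repository is /etc/sudo_controls
#   - the initial-push rule is a NOPASSWD command rule for that script
# bootstrap_* need root; render_* and check_* are side-effect free.
set -u

SUDO_ADMIN=${SUDO_ADMIN:-sudoadmin}
UPDATE_SUDO=${UPDATE_SUDO:-/usr/local/bin/update_sudo.pl}   # assumed path
REPO_DIR=${REPO_DIR:-/etc/sudo_controls}                      # assumed path

# Step 1: dedicated group + user, password locked, login shell kept so SSH works.
bootstrap_account() {
    getent group "$SUDO_ADMIN" >/dev/null || groupadd "$SUDO_ADMIN"
    getent passwd "$SUDO_ADMIN" >/dev/null || \
        useradd -g "$SUDO_ADMIN" -m -s /bin/bash -c "SUDO Controls admin" "$SUDO_ADMIN"
    passwd -l "$SUDO_ADMIN"
    install -d -m 0755 -o "$SUDO_ADMIN" -g "$SUDO_ADMIN" "$REPO_DIR"
}

# Step 3: append the master's public key ($1 = file with that key) to authorized_keys.
bootstrap_authorized_key() {
    local pubkey=$1 home
    home=$(getent passwd "$SUDO_ADMIN" | cut -d: -f6)
    install -d -m 0700 -o "$SUDO_ADMIN" -g "$SUDO_ADMIN" "$home/.ssh"
    cat "$pubkey" >> "$home/.ssh/authorized_keys"
    chown "$SUDO_ADMIN:$SUDO_ADMIN" "$home/.ssh/authorized_keys"
    chmod 0600 "$home/.ssh/authorized_keys"
}

# Step 5 (run on the master): fail fast if the key is not usable non-interactively.
check_key_login() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$SUDO_ADMIN@$1" true
}

# Step 10/11: temporary rule for the initial push.
# $1 = "sudoadmin" for the per-user form, "%sudoadmin" for the group form.
render_push_rule() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$UPDATE_SUDO"
}

# Step 12/13: the permanent requirement. Accepts "#includedir" (and the newer
# "@includedir"); a space after the hash, or no hash at all, does not count.
# $1 = sudoers file to inspect. Returns 0 when the directive is present.
check_includedir() {
    grep -Eq '^[#@]includedir[[:space:]]+/etc/sudoers\.d[[:space:]]*$' "$1"
}

# Fragments must be exactly 0440; anything else is listed on stderr, return 1.
# $1 = sudoers.d directory.
check_fragment_perms() {
    local bad
    bad=$(find "$1" -type f '!' -perm 0440)
    [ -z "$bad" ] && return 0
    printf 'wrong mode (expected 0440):\n%s\n' "$bad" >&2
    return 1
}

# Parse the whole sudoers tree with visudo before trusting it.
check_sudoers_syntax() {
    visudo -c -f "${1:-/etc/sudoers}" >/dev/null
}

case "${1:-}" in
    bootstrap) bootstrap_account && bootstrap_authorized_key "$2" ;;
    check)     check_includedir /etc/sudoers && check_fragment_perms /etc/sudoers.d \
                   && check_sudoers_syntax && echo "client prerequisites OK" ;;
esac
```

Run `sudo ./sudo_client_prep.sh bootstrap /tmp/sudoadmin.pub` once on the client, `./sudo_client_prep.sh check` after every push; `render_push_rule %sudoadmin` prints the group form of the temporary rule so it can be pasted into a visudo session rather than echoed into /etc/sudoers.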
Example repository
The following is a listing of what a SUDO client repository may look like:
The files contained in the sudoers.d directory must have 0440 permissions, and on HP-UX only they must be owned by bin:bin.