Why are file permissions (DAC) important in SUDO Controls?

Well, that depends on whether you are administering SUDO Controls using the sudoadmin account only or using multiple accounts. In the former case the following DAC considerations do not apply. However, you may opt to administer SUDO Controls with multiple people, each having their own account. This is possible on the condition that these accounts are part of the sudoadmin group on both SSH master & client hosts. In this case, the following DAC considerations do apply:

  • SUDO Controls files should be group-owned AND group-writable by sudoadmin so that only members of this group can manipulate them. The actual sudo files in /etc/sudo_controls/sudoers.d/* must be read-only and owned by root (or bin:bin).
  • When syncing files remotely, the files in the target repository need to be writeable by everybody in the group sudoadmin.

When in doubt about permissions of the files in the local SUDO Controls repositories (not the SUDO master), you can use the --fix-local command to reset permissions:

[client]$ /etc/sudo_controls/manage_sudo.sh --fix-local --fix-dir=/etc/sudo_controls [--fix-user=sudoadmin]

There is a corresponding --fix-remote command as well that can be executed on the SUDO master.
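A small audit of the two DAC rules above, written as an added example for this FAQ and not taken from the project's own --fix-local/--fix-remote code. It assumes POSIX find and a repository laid out like /etc/sudo_controls with the active rules in a sudoers.d subdirectory; the sample tree it builds uses the caller's primary group in place of sudoadmin so it runs without root.

```shell
#!/bin/sh
# Repository files (everything outside sudoers.d) must be group-owned by the
# admin group and group-writable so every member of that group can manage them.
# Prints each offending path; returns 1 if any were found, 0 otherwise.
audit_repo_perms() {
    dir=$1; grp=${2:-sudoadmin}
    bad=$(find "$dir" -path "$dir/sudoers.d" -prune -o -type f \
        \( ! -group "$grp" -o ! -perm -020 \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Active rule files in sudoers.d are read by sudo with root privileges, so they
# must be owned by root (or bin) and must not be writable by group or other.
audit_sudoers_perms() {
    dir=$1
    bad=$(find "$dir/sudoers.d" -type f \
        \( \( ! -user root -a ! -user bin \) -o -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample tree (hypothetical contents): one compliant repository
# file and one sudoers.d rule file that is group-writable and therefore flagged.
make_sample_tree() {
    root=$(mktemp -d); grp=$(id -gn)
    mkdir -p "$root/sudoers.d"
    printf 'fragment\n' > "$root/manage_sudo.conf"
    printf 'rule\n'     > "$root/sudoers.d/team_a"
    chgrp "$grp" "$root/manage_sudo.conf"
    chmod 0664 "$root/manage_sudo.conf"   # group-writable: compliant
    chmod 0664 "$root/sudoers.d/team_a"   # group-writable rule file: flagged
    printf '%s\n' "$root"
}
```

Run both functions against the real tree (`audit_repo_perms /etc/sudo_controls sudoadmin; audit_sudoers_perms /etc/sudo_controls`) before deciding whether --fix-local is needed.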

Where do I find log files?

The manage_sudo.sh script writes its actions – unless you specify the --no-log parameter – into the /var/log directory. This is valid for both SSH master and clients.

The update_sudo.pl script does not perform any logging but will do so when called through the manage_sudo.sh script.

How does SUDO Controls deal with SELinux (MAC)?

SUDO Controls will re-label the public key files under /etc/sudo_controls/sudoers.d as follows upon each update:

  • RHEL 5 (or derivatives):
# chcon -R -t sshd_key_t /etc/sudo_controls/sudoers.d/*
  • RHEL 6/7 (or derivatives):
# chcon -R -t ssh_home_t /etc/sudo_controls/sudoers.d/*

This will make sure that SUDO can access the rules at all times.

Can I run --copy and --update in one go?

Nope. You should always make sure that files are correctly transferred before applying them.

But of course, nothing prevents you from running:

[master]$ /etc/ssh_master/manage_sudo.sh --copy && /etc/ssh_master/manage_sudo.sh --update

But: CAVEAT EMPTOR :-)

What is the difference between the fragments.d directory on the SUDO master and the sudoers.d directory on any SUDO Controls-managed client?

On the SUDO master the /etc/sudo_master/fragments.d directory represents the central repository of all available SUDO rules. These rules may be stored in rule group files, organized per department, application, team, etc. These rules do NOT provide any privileged access on the SUDO master and should only be manipulated by the SUDO Controls maintainers.

The client’s /etc/sudo_controls/sudoers.d directory represents the managed location of the SUDO rules files which will be read by the sudo tool when invoked to provide elevated privileges on the client system. These files should never be manipulated manually.

What are the manage_sudo.conf & manage_sudo.conf.local files?

These are configuration files that can be used to define settings for the manage_sudo.sh script. The manage_sudo.conf can be used as a global configuration file whereas manage_sudo.conf.local can serve as a local override. The former will also be distributed by SUDO Controls, the latter not.

What are the update_sudo.conf & update_sudo.conf.local files?

These are configuration files that can be used to define settings for the update_sudo.pl script. The update_sudo.conf can be used as a global configuration file whereas update_sudo.conf.local can serve as a local override. The former will also be distributed by SUDO Controls, the latter not.
