How-to

This is a short how-to for staging a SUDO master, i.e. the (text file) repository where the pristine sources of all SUDO fragment files, management scripts and configuration files are held.

The requirements for a SUDO master repository are almost negligible in terms of disk space and CPU resources. However, when triggering an update (distribution) run, a number of parallel SSH sessions will be spawned which will take up some system resources (see the MAX_BACKGROUND_PROCS setting in the manage_sudo.sh script; by default this is set to 30). In terms of network and firewall configuration: all SUDO Controls client hosts must be reachable through SSH (standard port 22) from the SUDO master.

The basic steps to configure a SUDO master are (as root user):

  1. Add a dedicated OS group & user - for example sudoadmin - who will be the owner of the repository. The administrative account does not need a password (so lock it) but does require a valid shell:
[master]$ groupadd sudoadmin
[master]$ useradd -g sudoadmin sudoadmin
  2. Create the repository:
[master]$ mkdir -p /etc/sudo_master
[master]$ chown -R sudoadmin:sudoadmin /etc/sudo_master
  3. Create a SSH key pair for the sudoadmin user. This key pair will be used to authenticate on each of the SUDO Controls client systems when doing an update, so the public key must be distributed to all SUDO Controls client hosts (SSH Controls can be used for this purpose). If you opt to create a key with a passphrase then you must also:
    1. make sure you have a SSH agent process running on either the SUDO master server or the machine you are originally connecting from (with agent forwarding enabled).
    2. add this key to the running SSH agent. Failing to do so will block any remote update process to client hosts.
  4. Create the fragments repository with the rules that need to be distributed. You can choose to either store all rules in one big file or use a fragments.d directory with separate rule files (see Master configuration files for more details):
[master]$ mkdir -p /etc/sudo_master/fragments.d
[master]$ vi /etc/sudo_master/fragments.d/rules1.frag
[master]$ vi /etc/sudo_master/fragments.d/rules2.frag
...
[master]$ chown -R sudoadmin:sudoadmin /etc/sudo_master
  5. Create an initial version of the required master configuration files:
[master]$ touch /etc/sudo_master/grants
[master]$ touch /etc/sudo_master/alias
[master]$ touch /etc/sudo_master/targets
[master]$ chown -R sudoadmin:sudoadmin /etc/sudo_master

Build/edit the grants, alias & targets files to fit your environment.

  6. Copy the management scripts into the repository:
[master]$ cp source:update_sudo.pl /etc/sudo_master/
[master]$ cp source:manage_sudo.sh /etc/sudo_master/
[master]$ chown -R sudoadmin:sudoadmin /etc/sudo_master
[master]$ chmod ug+x /etc/sudo_master/update_sudo.pl
[master]$ chmod ug+x /etc/sudo_master/manage_sudo.sh

You may want to review the path settings in the manage_sudo.conf or manage_sudo.conf.local files, especially if you are not using the default /etc/sudo_master & /etc/sudo_controls paths. Note: the REMOTE_DIR & LOCAL_DIR settings can also be specified as command-line parameters to the manage_sudo.sh script.

  7. Copy or configure the client configuration file:
[master]$ cp source:update_sudo.conf /etc/sudo_master/
[master]$ chown -R sudoadmin:sudoadmin /etc/sudo_master
  8. Perform a syntax check on the configuration files:
[master]$ cd /etc/sudo_master
[master:/etc/sudo_master]$ ./manage_sudo.sh --check-syntax

INFO: *** start of manage_sudo.sh [--check-syntax] ***
INFO: logging takes places in /var/log/manage_sudo.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/sudo_controls
INFO: ACTION: syntax-checking the configuration files ...
INFO: finished syntax-checking the configuration files
INFO: performing cleanup ...
INFO: *** finish of manage_sudo.sh [--check-syntax] ***

Note: the built-in syntax check has limited capabilities. It will not catch all possible errors, so CAVEAT EMPTOR.
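The staging procedure above as one script, followed by a sanity check that goes further than --check-syntax. This is an added example and not part of SUDO Controls or of this how-to: the function names, the script name stage_sudo_master.sh and the optional visudo pass are mine. It assumes the default layout (repository /etc/sudo_master, owner sudoadmin, rules in fragments.d); the repository path and owner are parameters so the filesystem part can be tried in a scratch directory without root. The account and key functions need root and are only invoked by hand.

```shell
#!/bin/sh
# stage_sudo_master.sh (hypothetical name) - added example, not SUDO Controls code.
# Stages a SUDO master repository and checks the result. Assumed defaults:
# repository /etc/sudo_master, owner sudoadmin, rule files in fragments.d.

# Step 1: owner account with a locked password and a valid login shell (root only).
# -m is an addition to the how-to: the home directory is where the SSH key lives.
create_sudoadmin() {
    owner=$1
    getent group "$owner" >/dev/null 2>&1 || groupadd "$owner"
    getent passwd "$owner" >/dev/null 2>&1 || useradd -m -g "$owner" "$owner"
    passwd -l "$owner"
}

# Step 3: SSH key pair used by the update runs (root only). ssh-keygen prompts
# for a passphrase: leave it empty for unattended runs, or set one and load the
# key into an agent as described above. The public key still has to be
# distributed to every client host (e.g. with SSH Controls).
create_sudoadmin_key() {
    owner=$1
    home=$(getent passwd "$owner" | cut -d: -f6)
    mkdir -p "$home/.ssh" && chmod 0700 "$home/.ssh"
    ssh-keygen -t ed25519 -f "$home/.ssh/id_ed25519" -C "$owner@sudo-master"
    chown -R "$owner:$owner" "$home/.ssh"
}

# Steps 2, 4, 5: directory layout, empty grants/alias/targets, tight modes.
# Scripts/configs are copied in separately ("source:" in the how-to); their
# modes are fixed here only if already present. chown needs root and is skipped
# otherwise, so the function also works in a scratch directory.
stage_sudo_master() {
    repo=$1; owner=$2
    mkdir -p "$repo/fragments.d" "$repo/backup"
    for f in grants alias targets; do
        if [ ! -e "$repo/$f" ]; then : > "$repo/$f"; fi
        chmod 0640 "$repo/$f"
    done
    chmod 0750 "$repo" "$repo/fragments.d" "$repo/backup"
    for s in manage_sudo.sh update_sudo.pl; do
        if [ -e "$repo/$s" ]; then chmod 0750 "$repo/$s"; fi
    done
    if [ "$(id -u)" -eq 0 ]; then chown -R "$owner:$owner" "$repo"; fi
    return 0
}

# Step 8 supplement: --check-syntax does not look at file modes. Verify that
# every required file is present, both scripts are executable, and no master
# file or fragment is readable by "other" (they are sudoers content).
# Prints each finding; returns 0 when clean, 1 otherwise.
verify_sudo_master() {
    repo=$1; rc=0
    for f in grants alias targets manage_sudo.conf update_sudo.conf; do
        [ -f "$repo/$f" ] || { echo "missing: $repo/$f"; rc=1; }
    done
    [ -d "$repo/fragments.d" ] || { echo "missing: $repo/fragments.d"; rc=1; }
    for s in manage_sudo.sh update_sudo.pl; do
        [ -x "$repo/$s" ] || { echo "not executable: $repo/$s"; rc=1; }
    done
    for f in "$repo"/grants "$repo"/alias "$repo"/targets "$repo"/fragments.d/*.frag; do
        [ -e "$f" ] || continue
        # -perm -004: the o+r bit is set
        if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
            echo "world-readable: $f"; rc=1
        fi
    done
    return $rc
}

# Optional: run each fragment through visudo's own parser, which is stricter
# than --check-syntax. Fragments are parsed standalone, so a fragment that only
# references an alias defined in another fragment is reported; review those by hand.
check_fragment_syntax() {
    repo=$1; rc=0
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found, skipping"; return 0; }
    for f in "$repo"/fragments.d/*.frag; do
        [ -e "$f" ] || continue
        visudo -c -q -f "$f" || { echo "sudoers syntax error in $f"; rc=1; }
    done
    return $rc
}

# Usage as root on the SUDO master (after copying the scripts and configs in):
#   . ./stage_sudo_master.sh
#   create_sudoadmin sudoadmin && create_sudoadmin_key sudoadmin
#   stage_sudo_master /etc/sudo_master sudoadmin
#   verify_sudo_master /etc/sudo_master && check_fragment_syntax /etc/sudo_master
```

verify_sudo_master is deliberately stricter than the listing in the next section for the master files (0640) while leaving manage_sudo.conf and update_sudo.conf alone, since those are shown world-readable there; adjust the mode list if your site treats them differently.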

Example repository

Following is a listing of what a SUDO master repository may look like:

[master]$ ls -lR /etc/sudo_master

-rw-r-----   1 sudoadmin       sudoadmin      4384 Apr  2 07:20 alias
drwxr-s---   2 sudoadmin       sudoadmin      1024 May 19 11:46 backup
drwxr-s---   2 sudoadmin       sudoadmin      3072 Feb 27 12:40 fragments.d
-rw-r-----   1 sudoadmin       sudoadmin      3311 Mar  5 12:45 grants
-rw-r--r--   1 sudoadmin       sudoadmin       455 Dec 18 10:16 manage_sudo.conf
-rwxr-x---   1 sudoadmin       sudoadmin     38478 Apr 10 11:15 manage_sudo.sh
-rw-r-----   1 sudoadmin       sudoadmin       809 Apr  2 07:19 targets
-rw-r--r--   1 sudoadmin       sudoadmin       926 Dec 18 10:16 update_sudo.conf
-rwxr-x---   1 sudoadmin       sudoadmin     24683 Feb  3 08:19 update_sudo.pl

./fragments.d:

-rw-rw----   1 sudoadmin       sudoadmin      5694 Feb 23 14:41 rules1.frag
-rw-rw----   1 sudoadmin       sudoadmin       374 Dec  3 08:41 rules2.frag
-rw-rw----   1 sudoadmin       sudoadmin      5554 Dec  3 08:39 rules3.frag
