Updating clients from the SUDO master

This will update one or more client hosts remotely from the SUDO master.

Requirements

  • A working SSH login for the sudoadmin user on each of the client hosts you wish to update.
  • A running SSH agent that makes sudoadmin's private key available to each client-host connection used for the remote grants/control (so that you do not have to enter the passphrase at each connection!).
  • SUDO rules for the sudo controls must be pre-configured on each of the client hosts you wish to update (chicken-and-egg!).

Step 1: Distribute/copy the latest configuration (mappings + key files) to the client systems

What does it do? Syncs all configuration, scripts and public key files from the SUDO master to the client systems, into the /etc/sudo_controls/holding directory (via SFTP).

How to do it? Log on to the SUDO master server and become sudoadmin.

Choice 1: execute a global distribution

(= all client systems configured in the targets file):

[master]$ /etc/sudo_master/manage_sudo.sh --copy

Distribution to multiple client systems will be done in parallel (background). Be aware that this will cause log messages to be multiplexed (out-of-sync).

INFO: *** start of manage_sudo.sh [--copy] ***
INFO: logging takes places in /var/log/manage_sudo.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/master
INFO: ACTION: copy/distribute sudo controls
INFO: copying/distributing to host1 in background [PID=17379] ...
INFO: copying/distributing to host2 in background [PID=17385] ...
INFO: copying/distributing to host3 in background [PID=17391] ...
INFO: copying/distributing to host4 in background [PID=17397] ...
INFO: transferred /etc/master/grants to host1:/etc/sudo_controls/holding
INFO: transferred /etc/master/grants to host2:/etc/sudo_controls/holding
INFO: transferred /etc/master/grants to host3:/etc/sudo_controls/holding
INFO: transferred /etc/master/grants to host4:/etc/sudo_controls/holding
INFO: transferred /etc/master/alias to host2:/etc/sudo_controls/holding
INFO: transferred /etc/master/alias to host3:/etc/sudo_controls/holding
INFO: transferred /etc/master/alias to host1:/etc/sudo_controls/holding
INFO: transferred /etc/master/alias to host4:/etc/sudo_controls/holding
INFO: transferred /etc/master/update_sudo.pl to host2:/etc/sudo_controls/holding
INFO: transferred /etc/master/update_sudo.pl to host3:/etc/sudo_controls/holding
INFO: transferred /etc/master/update_sudo.pl to host1:/etc/sudo_controls/holding
INFO: transferred /etc/master/update_sudo.pl to host4:/etc/sudo_controls/holding
<snip>

Output has been truncated for convenience.

Choice 2: execute a limited distribution

By using the --targets command-line parameter with a comma-separated list of hostnames:

[master]$ /etc/sudo_master/manage_sudo.sh --copy --targets=host1,host2

INFO: *** start of manage_sudo.sh [--copy --targets=host1,host2] ***
INFO: logging takes places in /var/log/manage_sudo.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/sudo_master
INFO: ACTION: copy/distribute sudo controls
INFO: copying/distributing to host1 in background [PID=5346] ...
INFO: copying/distributing to host2 in background [PID=5352] ...
INFO: transferred /etc/sudo_master/grants to host1:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/grants to host2:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/alias to host1:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/alias to host2:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/update_sudo.pl to host1:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/update_sudo.pl to host2:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/update_sudo.conf to host1:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/update_sudo.conf to host2:/etc/sudo_controls/holding
INFO: transferred ./manage_sudo.sh to host1:/etc/sudo_controls/holding
INFO: fragments are stored in a DIRECTORY, first merging all fragments into /var/tmp/distribute2host.18125/fragments
INFO: transferred ./manage_sudo.sh to host2:/etc/sudo_controls/holding
INFO: fragments are stored in a DIRECTORY, first merging all fragments into /var/tmp/distribute2host.21737/fragments
INFO: transferred /var/tmp/distribute2host.18125/fragments to host1:/etc/sudo_controls/holding
INFO: transferred /var/tmp/distribute2host.21737/fragments to host2:/etc/sudo_controls/holding
INFO: child process 5346 exited [RC=0]
INFO: child process 5352 exited [RC=0]
INFO: finished copying/distributing sudo controls
INFO: performing cleanup ...
INFO: *** finish of manage_sudo.sh [--copy --targets=host1,host2] ***

Step 2: Updating the SUDO fragments on the client systems

What does it do? Runs the update_sudo.pl script remotely and updates the SUDO fragments in /etc/sudo_controls/sudoers.d on each client host.

How to do it? Log on to the SUDO master server and become sudoadmin.

Choice 1: execute a global update

(= all client systems configured in the targets file):

[master]$ /etc/sudo_master/manage_sudo.sh --apply

Updates of multiple client systems will be done in parallel (background). Be aware that this will cause log messages to be multiplexed (out-of-sync).

INFO: *** start of manage_sudo.sh [--update] ***
INFO: logging takes places in /var/log/manage_sudo.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/sudo_controls/holding
INFO: ACTION: apply SUDO controls locally
INFO: runtime info: root; host1@/etc/sudo_controls/holding; Perl v5.008008
INFO: parsing configuration file(s) ...
INFO: checking for SUDO control mode ...
INFO: host is under SUDO control via /etc/sudo_controls/sudoers.d
INFO: reading 'alias' file ...
INFO: 50 aliases found on host1
INFO: reading 'fragment' file(s) ...
INFO: local 'fragments' are stored in a FILE on host1
INFO: reading SUDO fragments from file: /etc/sudo_controls/holding/fragments
INFO: fragment file /etc/sudo_controls/holding/fragments contains multiple fragments, parsing ...
INFO: 8 SUDO fragment(s) found on host1
INFO: syntax checking sudo fragments ...
INFO: syntax check of sudo fragments is OK on host1
INFO: reading 'grants' file ...
INFO: 7 SUDO fragments with applicable grants requested on host1
INFO: (de)-activating SUDO fragments ....
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_netstat on host1
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_lsof on host1
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_backup on host1
INFO: activating fragment root_netstat on host1
INFO: activating fragment root_lsof on host1
INFO: activating fragment root_backup on host1
INFO: activating immutable self fragment sudo_update on host1
INFO: finished applying SUDO controls locally
<snip>

Output has been truncated for convenience.

Choice 2: execute a limited update

By using the --targets command-line parameter with a comma-separated list of hostnames:

[master]$ /etc/sudo_master/manage_sudo.sh --apply --targets=host1,host2

INFO: *** start of manage_sudo.sh [--apply --targets=host1,host2] ***
INFO: logging takes places in /var/log/manage_sudo.sh.log
INFO: runtime info: LOCAL_DIR is set to: /sysx/soft/sudo_controls
INFO: ACTION: apply SUDO controls remotely
INFO: updating host1 in background [PID=18358] ...
INFO: updating host2 in background [PID=18364] ...
INFO: setting sudo controls on host1 ...
INFO: setting sudo controls on host2 ...
Last successful login:       Mon Jan 19 08:47:22 MET 2015   
Last successful login:       Mon Jan 19 08:47:22 MET 2015     
INFO: *** start of manage_sudo.sh [--update] ***
INFO: logging takes places in /var/log/manage_sudo.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/sudo_controls/holding
INFO: ACTION: apply SUDO controls locally
INFO: runtime info: root; host1@/etc/sudo_controls/holding; Perl v5.008008
INFO: parsing configuration file(s) ...
INFO: checking for SUDO control mode ...
INFO: host is under SUDO control via /etc/sudo_controls/sudoers.d
INFO: reading 'alias' file ...
INFO: 50 aliases found on host1
INFO: reading 'fragment' file(s) ...
INFO: local 'fragments' are stored in a FILE on host1
INFO: reading SUDO fragments from file: /etc/sudo_controls/holding/fragments
INFO: fragment file /etc/sudo_controls/holding/fragments contains multiple fragments, parsing ...
INFO: 8 SUDO fragment(s) found on host1
INFO: syntax checking sudo fragments ...
INFO: syntax check of sudo fragments is OK on host1
INFO: reading 'grants' file ...
INFO: 7 SUDO fragments with applicable grants requested on host1
INFO: (de)-activating SUDO fragments ....
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_netstat on host1
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_lsof on host1
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_backup on host1
INFO: activating fragment root_netstat on host1
INFO: activating fragment root_lsof on host1
INFO: activating fragment root_backup on host1
INFO: activating immutable self fragment sudo_update on host1
INFO: finished applying SUDO controls locally
INFO: performing cleanup ...
INFO: *** finish of manage_sudo.sh [--update] ***
INFO: *** start of manage_sudo.sh [--update] ***
INFO: logging takes places in /var/log/manage_sudo.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/sudo_controls/holding
INFO: ACTION: apply SUDO controls locally
INFO: runtime info: root; host2@/etc/sudo_controls/holding; Perl v5.008008
INFO: parsing configuration file(s) ...
INFO: checking for SUDO control mode ...
INFO: host is under SUDO control via /etc/sudo_controls/sudoers.d
INFO: reading 'alias' file ...
INFO: 50 aliases found on host2
INFO: reading 'fragment' file(s) ...
INFO: local 'fragments' are stored in a FILE on host2
INFO: reading SUDO fragments from file: /etc/sudo_controls/holding/fragments
INFO: fragment file /etc/sudo_controls/holding/fragments contains multiple fragments, parsing ...
INFO: 8 SUDO fragment(s) found on host2
INFO: syntax checking sudo fragments ...
INFO: syntax check of sudo fragments is OK on host2
INFO: reading 'grants' file ...
INFO: 7 SUDO fragments with applicable grants requested on host2
INFO: (de)-activating SUDO fragments ....
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_netstat on host2
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_lsof on host2
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_backup on host2
INFO: activating fragment root_netstat on host2
INFO: activating fragment root_lsof on host2
INFO: activating fragment root_backup on host2
INFO: activating immutable self fragment sudo_update on host2
INFO: finished applying SUDO controls locally
INFO: performing cleanup ...
INFO: *** finish of manage_sudo.sh [--update] ***
INFO: child process 18358 exited
INFO: child process 18364 exited
INFO: finished applying SUDO controls remotely
INFO: performing cleanup ...
INFO: *** finish of manage_sudo.sh [--apply --targets=host1,host2] ***
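Because both --copy and --apply run one background child per target, the log lines from Step 1 and Step 2 interleave across hosts, which makes it easy to miss a host whose transfer or update did not complete. The following Python script is an added example, not part of sudo_controls or its manage_sudo.sh: it reconciles such a multiplexed log into per-host results using the line formats shown in the output above (PID-to-host mapping, transferred files, child exit codes, syntax check, fragment (de)activation, the immutable self fragment sudo_update) and flags any target that did not report RC=0, a passing syntax check and an activated self fragment. The embedded sample log is constructed; the result field names and the hosts_needing_attention helper are this example's own.

```python
"""Reconcile a multiplexed manage_sudo.sh log into per-host results (added example)."""
import re
from collections import defaultdict

# Constructed sample: a --copy run followed by an --apply run, interleaved per host.
# host2 is deliberately incomplete (copy RC=1, no syntax check, no self fragment).
SAMPLE_LOG = """\
INFO: *** start of manage_sudo.sh [--copy --targets=host1,host2] ***
INFO: copying/distributing to host1 in background [PID=5346] ...
INFO: copying/distributing to host2 in background [PID=5352] ...
INFO: transferred /etc/sudo_master/grants to host1:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/grants to host2:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/alias to host2:/etc/sudo_controls/holding
INFO: child process 5346 exited [RC=0]
INFO: child process 5352 exited [RC=1]
INFO: *** start of manage_sudo.sh [--apply --targets=host1,host2] ***
INFO: updating host1 in background [PID=18358] ...
INFO: updating host2 in background [PID=18364] ...
INFO: syntax check of sudo fragments is OK on host1
INFO: 7 SUDO fragments with applicable grants requested on host1
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_netstat on host1
INFO: activating fragment root_netstat on host1
INFO: activating immutable self fragment sudo_update on host1
INFO: 7 SUDO fragments with applicable grants requested on host2
INFO: activating fragment root_netstat on host2
INFO: child process 18358 exited
INFO: child process 18364 exited
INFO: *** finish of manage_sudo.sh [--apply --targets=host1,host2] ***
"""

# Patterns follow the manage_sudo.sh / update_sudo.pl lines shown on the page.
RE_SPAWN = re.compile(r"INFO: (?:copying/distributing to|updating) (\S+) in background \[PID=(\d+)\]")
RE_XFER = re.compile(r"INFO: transferred (\S+) to ([^:\s]+):(\S+)")
RE_EXIT = re.compile(r"INFO: child process (\d+) exited(?: \[RC=(\d+)\])?")
RE_SYNTAX_OK = re.compile(r"INFO: syntax check of sudo fragments is OK on (\S+)")
RE_GRANTS = re.compile(r"INFO: (\d+) SUDO fragments with applicable grants requested on (\S+)")
RE_ACTIVATE = re.compile(r"INFO: activating (immutable self )?fragment (\S+) on (\S+)")
RE_DEACTIVATE = re.compile(r"INFO: de-activating fragment file \S+/(\S+) on (\S+)")
SELF_FRAGMENT = "sudo_update"  # name of the immutable self fragment in the page's output


def _new_host():
    return {"copied": [], "rc": None, "exited": False, "syntax_ok": False,
            "grants_requested": None, "activated": [], "deactivated": [],
            "self_fragment": False}


def reconcile(log_text):
    """Parse a multiplexed log and return {host: result-dict}."""
    hosts = defaultdict(_new_host)
    pid_to_host = {}  # background child PID -> target host
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_SPAWN.match(line):
            pid_to_host[m.group(2)] = m.group(1)
            hosts[m.group(1)]  # register the host even if nothing else is logged for it
        elif m := RE_XFER.match(line):
            hosts[m.group(2)]["copied"].append(m.group(1))
        elif m := RE_EXIT.match(line):
            host = pid_to_host.get(m.group(1))
            if host is None:
                continue  # exit line for a PID we never saw spawned
            hosts[host]["exited"] = True
            if m.group(2) is not None:  # only --copy children report an RC
                hosts[host]["rc"] = int(m.group(2))
        elif m := RE_SYNTAX_OK.match(line):
            hosts[m.group(1)]["syntax_ok"] = True
        elif m := RE_GRANTS.match(line):
            hosts[m.group(2)]["grants_requested"] = int(m.group(1))
        elif m := RE_ACTIVATE.match(line):
            hosts[m.group(3)]["activated"].append(m.group(2))
            if m.group(1) and m.group(2) == SELF_FRAGMENT:
                hosts[m.group(3)]["self_fragment"] = True
        elif m := RE_DEACTIVATE.match(line):
            hosts[m.group(2)]["deactivated"].append(m.group(1))
    return dict(hosts)


def hosts_needing_attention(results, expected_targets):
    """Return {host: [reasons]} for targets that did not finish cleanly.

    A missing RC (the --apply children log none) is not taken as success: a host
    passes only if its copy RC is 0 when reported, its syntax check logged OK
    and its self fragment was re-activated.
    """
    problems = {}
    for host in expected_targets:
        reasons = []
        r = results.get(host)
        if r is None:
            reasons.append("no log lines for this target")
        else:
            if r["rc"] not in (None, 0):
                reasons.append("copy child exited RC=%d" % r["rc"])
            if not r["syntax_ok"]:
                reasons.append("no 'syntax check ... is OK' line")
            if not r["self_fragment"]:
                reasons.append("self fragment %s not activated" % SELF_FRAGMENT)
        if reasons:
            problems[host] = reasons
    return problems


if __name__ == "__main__":
    res = reconcile(SAMPLE_LOG)
    for host in sorted(res):
        print(host, res[host])
    print("needs attention:", hosts_needing_attention(res, ["host1", "host2", "host3"]))
```

In practice you would feed it /var/log/manage_sudo.sh.log (the path the run reports) and the same target list you passed to --targets, so that a host that never produced a single line is reported rather than silently skipped.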

Updating clients locally

This will update a single client host from its own local repository.

Requirements:

  • A working SSH logon for the sudoadmin user on each of the client hosts you wish to update.
  • SUDO rules for the sudo controls must be pre-configured on each of the client hosts you wish to update -OR- full root grants locally (chicken-and-egg!).

When refreshing the SUDO rules locally on a client you can only use the current locally available configuration data from the /etc/sudo_controls/holding directory.

  1. Log in to the client host and become sudoadmin.

  2. Execute the local update (as a non-root user), e.g.:

[client]$ sudo /etc/sudo_controls/holding/manage_sudo.sh --update

-OR-

Execute the local update directly using the Perl script:

[client]$ sudo /etc/sudo_controls/holding/update_sudo.pl --verbose --remove

The output of both commands is similar to that of the remote updates (see above).
