Updating clients from the SUDO master
This will update one or more client hosts remotely from the SUDO master.
Requirements:
- A working SSH login for the sudoadmin user on each of the client hosts you wish to update.
- A running SSH agent that supplies sudoadmin's private key for each client connection, so that you do not have to enter the passphrase at every connection.
- SUDO rules for the sudo controls must already be configured on each of the client hosts you wish to update (chicken-and-egg: applying the rules on a client itself needs a sudo rule there).
Step 1: Distribute/copy the latest configuration (alias, grants, fragments + scripts) to the client systems
What does it do?
Syncs the configuration files (alias, grants, fragments), the update script (update_sudo.pl with update_sudo.conf) and manage_sudo.sh from the SUDO master to the /etc/sudo_controls/holding directory on each client system (via SFTP). Nothing is activated yet; that is Step 2.
How to do it?
Logon to the SUDO master server and become sudoadmin.
Choice 1: execute a global distribution (= all client systems configured in the targets file(s)):
[master]$ /etc/sudo_master/manage_sudo.sh --copy
Distribution to multiple client systems is done in parallel (background processes). Be aware that this causes the log messages of the different hosts to be multiplexed (out of order), as in the output below.
INFO: *** start of manage_sudo.sh [ --copy ] ***
INFO: logging takes places in /var/log/manage_sudo.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/master
INFO: ACTION: copy/distribute sudo controls
INFO: copying/distributing to host1 in background [PID=17379] ...
INFO: copying/distributing to host2 in background [PID=17385] ...
INFO: copying/distributing to host3 in background [PID=17391] ...
INFO: copying/distributing to host4 in background [PID=17397] ...
INFO: transferred /etc/master/grants to host1:/etc/sudo_controls/holding
INFO: transferred /etc/master/grants to host2:/etc/sudo_controls/holding
INFO: transferred /etc/master/grants to host3:/etc/sudo_controls/holding
INFO: transferred /etc/master/grants to host4:/etc/sudo_controls/holding
INFO: transferred /etc/master/alias to host2:/etc/sudo_controls/holding
INFO: transferred /etc/master/alias to host3:/etc/sudo_controls/holding
INFO: transferred /etc/master/alias to host1:/etc/sudo_controls/holding
INFO: transferred /etc/master/alias to host4:/etc/sudo_controls/holding
INFO: transferred /etc/master/update_sudo.pl to host2:/etc/sudo_controls/holding
INFO: transferred /etc/master/update_sudo.pl to host3:/etc/sudo_controls/holding
INFO: transferred /etc/master/update_sudo.pl to host1:/etc/sudo_controls/holding
INFO: transferred /etc/master/update_sudo.pl to host4:/etc/sudo_controls/holding
<snip>
Output has been truncated for convenience.
Choice 2: execute a limited distribution
By using the --targets command-line parameter with a comma-separated list of hostnames:
[master]$ /etc/sudo_master/manage_sudo.sh --copy --targets=host1,host2
INFO: *** start of manage_sudo.sh [ --copy --targets=host1,host2 ] ***
INFO: logging takes places in /var/log/manage_sudo.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/sudo_master
INFO: ACTION: copy/distribute sudo controls
INFO: copying/distributing to host1 in background [PID=5346] ...
INFO: copying/distributing to host2 in background [PID=5352] ...
INFO: transferred /etc/sudo_master/grants to host1:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/grants to host2:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/alias to host1:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/alias to host2:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/update_sudo.pl to host1:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/update_sudo.pl to host2:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/update_sudo.conf to host1:/etc/sudo_controls/holding
INFO: transferred /etc/sudo_master/update_sudo.conf to host2:/etc/sudo_controls/holding
INFO: transferred ./manage_sudo.sh to host1:/etc/sudo_controls/holding
INFO: fragments are stored in a DIRECTORY, first merging all fragments into /var/tmp/distribute2host.18125/fragments
INFO: transferred ./manage_sudo.sh to host2:/etc/sudo_controls/holding
INFO: fragments are stored in a DIRECTORY, first merging all fragments into /var/tmp/distribute2host.21737/fragments
INFO: transferred /var/tmp/distribute2host.18125/fragments to host1:/etc/sudo_controls/holding
INFO: transferred /var/tmp/distribute2host.21737/fragments to host2:/etc/sudo_controls/holding
INFO: child process 5346 exited [RC=0]
INFO: child process 5352 exited [RC=0]
INFO: finished copying/distributing sudo controls
INFO: performing cleanup ...
INFO: *** finish of manage_sudo.sh [ --copy --targets=host1,host2 ] ***
Step 2: Updating the SUDO fragments on the client systems
What does it do?
Runs the update_sudo.pl script remotely (via sudo) on each client host and updates the SUDO fragments in /etc/sudo_controls/sudoers.d from the data in /etc/sudo_controls/holding.
How to do it?
Logon to the SUDO master server and become sudoadmin.
Choice 1: execute a global update (= all client systems configured in the targets file(s)):
[master]$ /etc/sudo_master/manage_sudo.sh --apply
Updates of multiple client systems are done in parallel (background processes). Be aware that this causes the log messages of the different hosts to be multiplexed (out of order). Each client runs its own manage_sudo.sh --update and its output is relayed back through the master, which is why the per-host output below starts with [ --update ]:
INFO: *** start of manage_sudo.sh [ --update ] ***
INFO: logging takes places in /var/log/manage_sudo.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/sudo_controls/holding
INFO: ACTION: apply SUDO controls locally
INFO: runtime info: root; host1@/etc/sudo_controls/holding; Perl v5.008008
INFO: parsing configuration file(s) ...
INFO: checking for SUDO control mode ...
INFO: host is under SUDO control via /etc/sudo_controls/sudoers.d
INFO: reading 'alias' file ...
INFO: 50 aliases found on host1
INFO: reading 'fragment' file(s) ...
INFO: local 'fragments' are stored in a FILE on host1
INFO: reading SUDO fragments from file: /etc/sudo_controls/holding/fragments
INFO: fragment file /etc/sudo_controls/holding/fragments contains multiple fragments, parsing ...
INFO: 8 SUDO fragment(s) found on host1
INFO: syntax checking sudo fragments ...
INFO: syntax check of sudo fragments is OK on host1
INFO: reading 'grants' file ...
INFO: 7 SUDO fragments with applicable grants requested on host1
INFO: (de)-activating SUDO fragments ....
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_netstat on host1
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_lsof on host1
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_backup on host1
INFO: activating fragment root_netstat on host1
INFO: activating fragment root_lsof on host1
INFO: activating fragment root_backup on host1
INFO: activating immutable self fragment sudo_update on host1
INFO: finished applying SUDO controls locally
<snip>
Output has been truncated for convenience.
Choice 2: execute a limited update
By using the --targets command-line parameter with a comma-separated list of hostnames:
[master]$ /etc/sudo_master/manage_sudo.sh --apply --targets=host1,host2
INFO: *** start of manage_sudo.sh [ --apply --targets=host1,host2 ] ***
INFO: logging takes places in /var/log/manage_sudo.sh.log
INFO: runtime info: LOCAL_DIR is set to: /sysx/soft/sudo_controls
INFO: ACTION: apply SUDO controls remotely
INFO: updating host1 in background [PID=18358] ...
INFO: updating host2 in background [PID=18364] ...
INFO: setting sudo controls on host1 ...
INFO: setting sudo controls on host2 ...
Last successful login: Mon Jan 19 08:47:22 MET 2015
Last successful login: Mon Jan 19 08:47:22 MET 2015
INFO: *** start of manage_sudo.sh [ --update ] ***
INFO: logging takes places in /var/log/manage_sudo.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/sudo_controls/holding
INFO: ACTION: apply SUDO controls locally
INFO: runtime info: root; host1@/etc/sudo_controls/holding; Perl v5.008008
INFO: parsing configuration file(s) ...
INFO: checking for SUDO control mode ...
INFO: host is under SUDO control via /etc/sudo_controls/sudoers.d
INFO: reading 'alias' file ...
INFO: 50 aliases found on host1
INFO: reading 'fragment' file(s) ...
INFO: local 'fragments' are stored in a FILE on host1
INFO: reading SUDO fragments from file: /etc/sudo_controls/holding/fragments
INFO: fragment file /etc/sudo_controls/holding/fragments contains multiple fragments, parsing ...
INFO: 8 SUDO fragment(s) found on host1
INFO: syntax checking sudo fragments ...
INFO: syntax check of sudo fragments is OK on host1
INFO: reading 'grants' file ...
INFO: 7 SUDO fragments with applicable grants requested on host1
INFO: (de)-activating SUDO fragments ....
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_netstat on host1
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_lsof on host1
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_backup on host1
INFO: activating fragment root_netstat on host1
INFO: activating fragment root_lsof on host1
INFO: activating fragment root_backup on host1
INFO: activating immutable self fragment sudo_update on host1
INFO: finished applying SUDO controls locally
INFO: performing cleanup ...
INFO: *** finish of manage_sudo.sh [ --update ] ***
INFO: *** start of manage_sudo.sh [ --update ] ***
INFO: logging takes places in /var/log/manage_sudo.sh.log
INFO: runtime info: LOCAL_DIR is set to: /etc/sudo_controls/holding
INFO: ACTION: apply SUDO controls locally
INFO: runtime info: root; host2@/etc/sudo_controls/holding; Perl v5.008008
INFO: parsing configuration file(s) ...
INFO: checking for SUDO control mode ...
INFO: host is under SUDO control via /etc/sudo_controls/sudoers.d
INFO: reading 'alias' file ...
INFO: 50 aliases found on host2
INFO: reading 'fragment' file(s) ...
INFO: local 'fragments' are stored in a FILE on host2
INFO: reading SUDO fragments from file: /etc/sudo_controls/holding/fragments
INFO: fragment file /etc/sudo_controls/holding/fragments contains multiple fragments, parsing ...
INFO: 8 SUDO fragment(s) found on host2
INFO: syntax checking sudo fragments ...
INFO: syntax check of sudo fragments is OK on host2
INFO: reading 'grants' file ...
INFO: 7 SUDO fragments with applicable grants requested on host2
INFO: (de)-activating SUDO fragments ....
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_netstat on host2
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_lsof on host2
INFO: de-activating fragment file /etc/sudo_controls/sudoers.d/root_backup on host2
INFO: activating fragment root_netstat on host2
INFO: activating fragment root_lsof on host2
INFO: activating fragment root_backup on host2
INFO: activating immutable self fragment sudo_update on host2
INFO: finished applying SUDO controls locally
INFO: performing cleanup ...
INFO: *** finish of manage_sudo.sh [ --update ] ***
INFO: child process 18358 exited
INFO: child process 18364 exited
INFO: finished applying SUDO controls remotely
INFO: performing cleanup ...
INFO: *** finish of manage_sudo.sh [ --apply --targets=host1,host2 ] ***
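Because the per-host output of a parallel run is multiplexed, a failed client is easy to miss when reading the log by eye. The following is an added example and not part of sudo_controls or of this page: a small wrapper that runs Step 1 and Step 2 in order for a list of targets and reconciles the output into a per-host result before moving on. It assumes the script path /etc/sudo_master/manage_sudo.sh, the --targets= syntax and the log line formats exactly as they appear in the output above; the sample log at the bottom is constructed for illustration and is not real output.

```shell
#!/bin/sh
# Added example, not part of sudo_controls: chain --copy and --apply for a
# target list and reconcile the multiplexed manage_sudo.sh output into a
# per-host result, so a failed client does not get lost in the interleaving.
# Assumed (hypothetical, taken from the page): script path, --targets= syntax
# and the "in background [PID=N]" / "child process N exited [RC=N]" lines.

# report_child_rcs FILE
# Prints "host pid rc" for every background child announced in FILE.
# rc is "missing" when no "child process N exited" line was seen for it and
# "unknown" when the exit line carried no [RC=...] (as in the --apply output).
report_child_rcs() {
    awk '
        # "copying/distributing to host1 in background [PID=5346] ..."
        # "updating host2 in background [PID=18364] ..."
        /in background \[ *PID *= *[0-9]+ *\]/ {
            host = ""
            for (i = 1; i <= NF; i++)
                if ($i == "to" || $i == "updating") { host = $(i + 1); break }
            pid = $0; sub(/.*PID *= */, "", pid); sub(/[^0-9].*/, "", pid)
            hosts[pid] = host; rc[pid] = "missing"; order[++n] = pid
        }
        # "child process 5346 exited [RC=0]"  or  "child process 18358 exited"
        /child process [0-9]+ exited/ {
            pid = $0; sub(/.*child process /, "", pid); sub(/[^0-9].*/, "", pid)
            code = "unknown"
            if ($0 ~ /RC *= *[0-9]+/) {
                code = $0; sub(/.*RC *= */, "", code); sub(/[^0-9].*/, "", code)
            }
            if (pid in rc) rc[pid] = code
        }
        END { for (i = 1; i <= n; i++) { p = order[i]; print hosts[p], p, rc[p] } }
    ' "$1"
}

# failed_hosts FILE
# Hosts whose child did not exit 0 or never reported back. "unknown" children
# are not counted: check /var/log/manage_sudo.sh.log on those clients instead.
failed_hosts() {
    report_child_rcs "$1" | awk '$3 != "0" && $3 != "unknown" { print $1 }'
}

# update_targets host1,host2
# Runs the two steps of the procedure in order and stops at the first step
# that left a host behind, so --apply never runs on a client whose holding
# directory was not refreshed. Run on the master as sudoadmin with the agent
# loaded, like the manual procedure.
update_targets() {
    targets=$1
    out=$(mktemp) || return 1
    for action in --copy --apply; do
        /etc/sudo_master/manage_sudo.sh "$action" --targets="$targets" 2>&1 | tee "$out"
        if ! grep -q 'finish of manage_sudo.sh' "$out"; then
            printf '%s did not run to completion, see %s\n' "$action" "$out" >&2
            return 1
        fi
        bad=$(failed_hosts "$out" | tr '\n' ' ')
        if [ -n "$bad" ]; then
            printf '%s failed on: %s\n' "$action" "$bad" >&2
            rm -f "$out"
            return 1
        fi
    done
    rm -f "$out"
}

# Constructed sample of a multiplexed run (not real output): host2 failed its
# copy, host3 reported without an RC (apply style), host4 never reported.
sample_log() {
    cat <<'EOF'
INFO: copying/distributing to host1 in background [PID=5346] ...
INFO: copying/distributing to host2 in background [PID=5352] ...
INFO: updating host3 in background [PID=18358] ...
INFO: copying/distributing to host4 in background [PID=5360] ...
INFO: transferred /etc/sudo_master/grants to host1:/etc/sudo_controls/holding
INFO: child process 5346 exited [RC=0]
INFO: child process 5352 exited [RC=1]
INFO: child process 18358 exited
EOF
}

# Usage: sh update_targets.sh host1,host2
if [ -n "${1:-}" ]; then
    update_targets "$1"
fi
```

The parse is deliberately keyed on the PID printed in the "in background" line rather than on line order, since the "child process ... exited" lines arrive in whatever order the clients finish.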
Updating clients locally
This will update a single client host from its own local repository.
Requirements:
- A working login (e.g. via SSH) as the sudoadmin user on the client host you wish to update.
- SUDO rules for the sudo controls must already be configured on the client host -OR- sudoadmin must have full root grants locally (chicken-and-egg!).
- When refreshing the SUDO rules locally on a client you can only use the configuration data currently present in the /etc/sudo_controls/holding directory, i.e. whatever the last distribution from the master delivered there.
Login to the client host and become sudoadmin.
Execute the local update through sudo as sudoadmin (this is what the pre-configured sudo rule for the sudo controls is for), e.g.:
[client]$ sudo /etc/sudo_controls/holding/manage_sudo.sh --update
-OR-
Execute the local update directly using the Perl script:
[client]$ sudo /etc/sudo_controls/holding/update_sudo.pl --verbose --remove
Output of both commands is similar to that of the remote updates (see above).
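After either a remote or a local update it is worth checking what actually landed in /etc/sudo_controls/sudoers.d, independently of what the update script logged. The following is an added example and not part of sudo_controls: it assumes that the directory is pulled into /etc/sudoers with an #includedir directive (sudo then silently skips any file whose name contains a "." or ends in "~") and that fragments should carry the same mode and owner as /etc/sudoers itself (0440, root). The owner and visudo checks need root; the test data is constructed.

```shell
#!/bin/sh
# Added example, not part of sudo_controls: sanity-check the fragment
# directory on a client after an update. Assumptions (hypothetical): the
# directory is included via #includedir, so sudo's naming rule applies, and
# fragments are expected to be -r--r----- and owned by root like /etc/sudoers.

# check_fragment_dir DIR
# Prints one line per finding and returns 1 if there was any; returns 0 when
# every regular file in DIR has a name sudo will load and mode 0440.
check_fragment_dir() {
    dir=$1 bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            *.*|*~)
                printf 'IGNORED BY SUDO: %s (name contains "." or ends in "~")\n' "$f"
                bad=$((bad + 1)) ;;
        esac
        # ls -l prints the mode string in columns 1-10 on every Unix; stat(1)
        # output formats differ between GNU and BSD, so it is avoided here.
        mode=$(ls -ld "$f" | cut -c1-10)
        if [ "$mode" != "-r--r-----" ]; then
            printf 'BAD MODE: %s is %s, want -r--r-----\n' "$f" "$mode"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# check_fragment_owner DIR
# Kept separate from the mode check because it is only meaningful as root
# (and would flag everything in a scratch directory owned by a normal user).
check_fragment_owner() {
    list=$(find "$1" -type f ! -user root)
    [ -z "$list" ] && return 0
    printf '%s\n' "$list" | sed 's/^/NOT OWNED BY ROOT: /'
    return 1
}

# check_sudoers_syntax
# visudo -c parses /etc/sudoers together with everything it includes, which
# is the only check that validates the merged result, not just each fragment.
check_sudoers_syntax() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo 'visudo not found, cannot check sudoers syntax' >&2
        return 1
    fi
    visudo -c
}

# Usage: sudo sh check_fragments.sh /etc/sudo_controls/sudoers.d
if [ -n "${1:-}" ]; then
    status=0
    check_fragment_dir "$1" || status=1
    check_fragment_owner "$1" || status=1
    check_sudoers_syntax || status=1
    exit "$status"
fi
```

A fragment that update_sudo.pl reports as "activating" but that sudo ignores because of its file name, or that is readable by other users, is exactly the kind of drift this catches and the update log does not.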