manager sudo file

Jamie Bohr jamiebohr at gmail.com
Sat Mar 13 00:31:21 UTC 2010


I recently became the Senior Server Architect (Server Administrator) and
now support over 1500 servers and workstations and am looking for an easier
way to manage privileged access.

I have a mix of RHEL, HP-UX and Solaris based devices.  We use CFengine to
manage part of the configuration.  The devices are located at 40 different
sites.

basic requirements:

   1. Access is managed from a central location, possibly CFengine managed
   2. Sudoers file is updated at least once a day, again possibly CFengine
   managed
   3. Sudoers file would need to be built custom for each device; a complex
   sudoers file is not easy to manage.
   4. Compare the existing sudo file to the proposed one to see if
   unauthorized changes were made.  I realize this would be hard to do,
   especially if there are authorized changes in the new file.
   5. All commands are logged.

advanced requirements, things that would be nice to have

   1. Once privileged access is granted user gets access w/o having to
   update the client
   2. If privileged access is revoked users will no longer have privileged
   access w/o having to update the client
   3. A reason for being root is asked of the user before granting "su -"
   access but is not logged if the user just runs a command.
   4. Limit changing root's password, even for root.


A tool like PowerBroker would be great but I don't have the budget for
it.  I looked at FreeIPA but it looks complex and requires a greater
commitment than just privileged access control.

Googling did not provide a possible solution but I am hoping the experts on
the list will point me in the right direction or give some advice.

-- 
Jamie Bohr
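An added example for basic requirement 4 above, not code from the original post or from any reply: a POSIX shell script that compares the sudoers file installed on a host against the approved copy a tool like CFengine pushed out, and lists rules that exist only locally. The file paths, the approved-copy location and the sample rules are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Detects drift between the
# sudoers file installed on a host and the centrally approved copy that a
# configuration tool such as CFengine pushes out (requirement 4 in the post).
# Plain diff/comm/cksum are used so it also runs on HP-UX and Solaris.
# All paths are assumptions; adjust per site.

# Hash a file with whatever checksum tool the platform provides.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        cksum "$1" | awk '{print $1}'        # weaker, but available everywhere
    fi
}

# check_sudoers_drift INSTALLED APPROVED
# Exit 0 = identical, 1 = differs (diff printed), 2 = approved copy unreadable.
check_sudoers_drift() {
    installed="$1"; approved="$2"
    [ -r "$approved" ] || { echo "approved copy unreadable: $approved" >&2; return 2; }
    [ "$(file_digest "$installed")" = "$(file_digest "$approved")" ] && return 0
    echo "sudoers drift on $(uname -n): $installed differs from $approved" >&2
    diff "$approved" "$installed"
    return 1
}

# extra_rules INSTALLED APPROVED
# Print rules present in the installed file but not in the approved copy,
# i.e. candidate unauthorized additions. Comments and blank lines are ignored.
extra_rules() {
    tmp_a=$(mktemp); tmp_i=$(mktemp)
    grep -v '^[[:space:]]*#' "$2" | grep -v '^[[:space:]]*$' | sort > "$tmp_a"
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | sort > "$tmp_i"
    comm -13 "$tmp_a" "$tmp_i"
    rm -f "$tmp_a" "$tmp_i"
}

# Run the check when invoked with the two paths, e.g. from cron after the
# daily CFengine run (assumed locations):
#   sudoers_drift.sh /etc/sudoers /var/cfengine/sudoers.approved
if [ "$#" -eq 2 ]; then
    check_sudoers_drift "$1" "$2" || exit $?
fi
```

Run the approved copy through `visudo -c -f FILE` before it is ever installed; a syntax error in sudoers locks every user out of sudo at once.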