manager sudo file
Tom H
tomh0665 at gmail.com
Sat Mar 13 19:12:50 UTC 2010
> I recently because the Senior Server Architect (Server Administrator) and
> now support over 1500 servers and workstations and am looking for an easier
> way to mange privileged access.
> I have a mix of RHEL, HP-UX and Solaris based devices. We use CFenigine to
> manage part of configuration. The devices are located at 40 different
> sites.
> basic requirements:
> Access is manage from a central location, possible CFengine manged
> Sudoer file is updated at least once a day, again possible CFegine managed
> Sudoer file would need to be built custom for each device, a complex sudoer
> file is not easy to manage.
> Compare the existing sudo file to the proposed one to see if unauthorized
> changes were made. I realize this would be had to do especially if there
> are authorized changes in the new file.
> All commands are logged.
> advanced requirements, things that would be nice to have
> Once privileged access is granted user gets access w/o having to update the
> client
> If privileged access is revoked users will no longer have privileged access
> w/o having to update the client
> A reason for being root is asked of the user before granting "su -" access
> but is not logged if they user just runs a command.
> Limit changing root's password, even for root.
Rather than create different /etc/sudoers for each box, can't you use
a name service (with >1500 boxes you must already have one running)
and set up netgroups for users, commands, boxes, and auths?
More information about the users
mailing list