Managing sudo on servers
I've been given a project where I'm supposed to secure several servers running AIX in terms of SSH and sudo (SSH comes after sudo's finished). We have different groups running different applications on these servers, and they all need different permissions and reasons to use sudo.
I want it to be easy to maintain, so I was thinking of having one master /etc/sudoers file somewhere, and when that gets updated, just push it out to all the servers, perhaps weekly with crontab. Information in the master sudoers file that doesn't apply to the server it's on (such as groups that don't exist, etc.) shouldn't be a problem unless I've missed something, I suppose.
I also need to find out what permissions one would need to run/use the applications so I know what to add in the sudoers file. These apps are Tivoli, DB2 etc.
How would you do it, would you do it differently and if so, why?
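The weekly push described in the post above has one failure mode worth guarding against: a master file with a syntax error reaching /etc/sudoers can leave sudo unusable on every server. The sketch below is an added example, not part of the original thread; the function name, the `VISUDO` override and the paths in the comments are assumptions. It checks the pulled copy with `visudo -c -f` and swaps it in only if the check passes.

```shell
#!/bin/sh
# Added example: validate a pulled master sudoers file before it replaces the
# live one. Hypothetical weekly cron entry calling a wrapper around this:
#   0 3 * * 0 /usr/local/sbin/pull_sudoers.sh

VISUDO="${VISUDO:-visudo}"   # overridable so the syntax check can be stubbed

# install_sudoers CANDIDATE TARGET
# Returns 0 if TARGET was replaced, 1 if the candidate was rejected.
install_sudoers() {
    candidate=$1
    target=$2
    tmp="$target.new.$$"     # same directory as TARGET, so mv is a rename

    [ -s "$candidate" ] || { echo "sudoers: candidate missing or empty" >&2; return 1; }

    # Check a private copy that already has the final mode and owner,
    # so the file that is checked is the file that gets installed.
    cp "$candidate" "$tmp" || return 1
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$tmp" || { rm -f "$tmp"; return 1; }
    fi

    # -c is check-only mode; -f names the file to check instead of /etc/sudoers.
    if ! "$VISUDO" -c -f "$tmp" >/dev/null 2>&1; then
        echo "sudoers: syntax check failed, keeping existing $target" >&2
        rm -f "$tmp"
        return 1
    fi

    mv -f "$tmp" "$target"
}

# Typical call from the cron wrapper (paths are assumptions):
#   install_sudoers /var/tmp/sudoers.master /etc/sudoers
```

A rejected candidate leaves the live file untouched, so the wrapper can alert on the non-zero return instead of discovering the problem at the next sudo invocation.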
I'd probably go with Puppet; it gives you a platform in case they add something else to the list.
Having all your sudo rules in one file can get quite cumbersome if your environment or user base is large. I would suggest LDAP for managing sudo and SSH access.