Managing sudo on servers
I've been given a project where I'm supposed to secure several servers running AIX in terms of SSH and sudo (SSH comes after sudo's finished). We have different groups running different applications on these servers, and they all need different permissions and reasons to use sudo.
I want it to be easy to maintain, so I was thinking of having one master /etc/sudoers file somewhere, and when that gets updated, just push it out to all the servers, perhaps weekly with crontab. Information in the master sudoers file that doesn't apply to the server it's on (such as groups that don't exist, etc.) shouldn't be a problem unless I've missed something, I suppose.
I also need to find out what permissions one would need to run/use the applications so I know what to add in the sudoers file. These apps are Tivoli, DB2, etc.
How would you do it? Would you do it differently and, if so, why?
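
An added example, not part of the original post: a pushed sudoers file should be syntax-checked on each server before it replaces the live one, because sudo refuses to run with a sudoers file that fails to parse. The sketch assumes the candidate file has already been copied to the host and that the script runs as root from cron; `install_sudoers` and the `VISUDO` override are hypothetical names.

```shell
#!/bin/sh
# Added example: install a pushed sudoers file only if it passes visudo's check.
# VISUDO is a hypothetical override, since the sudo install path differs per system.
VISUDO="${VISUDO:-visudo}"

# install_sudoers CANDIDATE TARGET
# Returns 0 if installed or unchanged, 1 if the candidate is rejected,
# 2 if staging or the final swap fails. Assumed to run as root.
install_sudoers() {
    candidate=$1
    target=$2

    # A missing or empty candidate usually means the transfer failed.
    if [ ! -s "$candidate" ]; then
        echo "candidate missing or empty: $candidate" >&2
        return 1
    fi

    # Nothing to do when the live file is already identical.
    if [ -f "$target" ] && cmp -s "$candidate" "$target"; then
        return 0
    fi

    # Stage beside the target so the final mv is a rename on one filesystem.
    staged="$target.new.$$"
    cp "$candidate" "$staged" || return 2
    chmod 0440 "$staged" || { rm -f "$staged"; return 2; }

    # visudo -c -f FILE checks FILE for syntax errors without installing it.
    if ! "$VISUDO" -c -f "$staged" >/dev/null 2>&1; then
        echo "syntax check failed, keeping current $target" >&2
        rm -f "$staged"
        return 1
    fi

    # Keep the previous version for rollback, then swap the new one in.
    if [ -f "$target" ]; then
        cp -pf "$target" "$target.prev" || { rm -f "$staged"; return 2; }
    fi
    mv -f "$staged" "$target" || { rm -f "$staged"; return 2; }
    return 0
}

# Cron usage: script.sh /path/to/pushed/sudoers /etc/sudoers
if [ "$#" -eq 2 ]; then
    install_sudoers "$1" "$2"
    exit $?
fi
```

A non-zero exit from the cron job is the signal to alert on: it means the server is still running the previous sudoers file.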