Old 11-14-2014, 10:02 AM   #1
azamsab
LQ Newbie
 
Registered: Nov 2014
Posts: 4

Rep: Reputation: Disabled
Sudo parser for central sudoers


Hi All, I am looking for a script/command to parse a central sudoers file, so that it can be human readable for audit purposes and provide us the following details:

1) which users have root-like privileges, and on which servers
2) what sudo privileges the other users have, and on which servers

I would really appreciate it if anyone can help me with this; please let me know if you need more info.
 
Old 11-14-2014, 11:28 AM   #2
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
There's a considerable burden on maintainers of sudoers files that if they don't intend to allow users arbitrary root access they need to be familiar with all the implications of the commands they allow. It's reasonably easy to see whether a file allows running a root shell - or ALL commands - but assessing the effects of other commands is not just a programming/reporting job.


I've seen an entry for (from memory)
Code:
/usr/bin/crontab -u * -l
which was apparently to show any user's crontab. It could be abused as
Code:
sudo crontab -u root -- -l
to install the file "-l" as root's crontab.

Do you have a typical sudoers file to post?
 
Old 11-14-2014, 11:44 AM   #3
azamsab
LQ Newbie
 
Registered: Nov 2014
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks for your response; here is what our central sudoers file looks like. I am actually looking for a script which can parse this central sudoers file and provide information like which users have "sudo to root" privilege on what servers. I know we can easily identify that by looking at the file, but the audit team requires an automated process/script which can provide them this info on a daily basis.



User_Alias UA_Unixteam = root,abc,xyz,def,sys
User_Alias UA_informix = informix,test,user
User_Alias UA_caesar = caesar,test,user
User_Alias UA_tsm = tsmuser,testuser,client
User_Alias UA_pwi = pwi,pwiuser
Cmnd_Alias CA_dcops = /oracle/product/weblogic1036/asinst_1/bin/opmnctl status,\
/oracle/etc/bin/iasctl healthcheck,\
/oracle/product/10.1.2/opmn/bin/opmnctl status,\
/oracle/product/weblogic1036/Oracle_FRHome1/opmn/bin/opmnctl status,\
/oracle/product/weblogic1036/asinst_1/bin/opmnctl status,\
/oracle/etc/bin/mon_xinit.sh, /usr/bin/enq

Cmnd_Alias CA_ops = /oracle/app/comreg/product/1.0.0/bin/jobsys.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_daemon.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_dispatcher.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_scheduler.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_reports.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_apache.sh,\
/oracle/app/outsrc/product/1.0.0/bin/jobsys_daemon_out.sh,\
/oracle/app/outsrc/product/1.0.0/bin/jobsys_scheduler_out.sh,\
/oracle/app/outsrc/product/1.0.0/bin/jobsys_dispatcher_out.sh

Cmnd_Alias CA_oraftp = /oracle/app/comreg/product/1.0.0/bin/jobsys.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_daemon.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_dispatcher.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_scheduler.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_reports.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_apache.sh

Cmnd_Alias CA_oracle = /oracle/app/comreg/product/1.0.0/bin/jobsys.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_daemon.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_dispatcher.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_scheduler.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_reports.sh,\
/oracle/app/comreg/product/1.0.0/bin/jobsys_apache.sh,\
/oracle/app/outsrc/product/1.0.0/bin/jobsys_daemon_out.sh,\
/oracle/app/outsrc/product/1.0.0/bin/jobsys_scheduler_out.sh,\
/oracle/app/outsrc/product/1.0.0/bin/jobsys_dispatcher_out.sh

Cmnd_Alias CA_Unixteam = /usr/bin/su -, /usr/bin/su - root, /bin/su -, /bin/su - root

Cmnd_Alias CA_Temproot = /usr/bin/su -, /usr/bin/su - root, /bin/su -, /bin/su - root

Cmnd_Alias CA_informix = /usr/bin/su - informix, /usr/sbin/strload

Cmnd_Alias CA_caesar = /usr/bin/su - caesar

Cmnd_Alias CA_tsm = /usr/bin/dsmadmc

Cmnd_Alias CA_comreg = /usr/local/scripts/prtq_script.pl, /usr/bin/enq

Cmnd_Alias CA_pwi = /usr/bin/su - pwi, /usr/bin/su - httpd, /usr/bin/su - ops


Host_Alias HA_Unixteam = ALL
Host_Alias HA_dcops = server1,server2,test1,test2,prdserver1,prdserver2
Host_Alias HA_ops = server1,server2,test1,test2,prdserver1,prdserver2
Host_Alias HA_oraftp = server1,server2,test1,test2,prdserver1,prdserver2
Host_Alias HA_oracle = server1,server2,test1,test2,prdserver1,prdserver2
Host_Alias HA_informix = server1,server2,test1,test2,prdserver1,prdserver2
Host_Alias HA_caesar = server1,server2,test1,test2,prdserver1,prdserver2
Host_Alias HA_tsm = server1,server2,test1,test2,prdserver1,prdserver2
Host_Alias HA_comreg = server1,server2,test1,test2,prdserver1,prdserver2
Host_Alias HA_pwi = server1,server2,test1,test2,prdserver1,prdserver2



UA_Unixteam HA_Unixteam = (ALL) NOPASSWD: CA_Unixteam
dcops HA_dcops = (oraias) NOPASSWD: CA_dcops
ops HA_ops = (oracle) NOPASSWD: CA_ops
oraftp HA_oraftp = (oracle) NOPASSWD: CA_oraftp
oracle HA_oracle = (oracle) NOPASSWD: CA_oracle
UA_informix HA_informix = NOPASSWD: CA_informix
UA_caesar HA_caesar = NOPASSWD: CA_caesar
UA_tsm HA_tsm = NOPASSWD: CA_tsm
comreg HA_comreg = NOPASSWD: CA_comreg
UA_pwi HA_pwi = NOPASSWD: CA_pwi


###Temproot users ################################################################################

Host_Alias HA_user1 = server1,server2,test1,test2,prdserver1,prdserver2
user1 HA_user1 = (ALL) NOPASSWD: CA_Temproot

Host_Alias HA_user2 = server1,server2,test1,test2,prdserver1,prdserver2
user2 HA_user2 = (ALL) NOPASSWD: CA_Temproot

Host_Alias HA_user3 = server1,server2,test1,test2,prdserver1,prdserver2
user3 HA_user3 = (ALL) NOPASSWD: CA_Temproot

Host_Alias HA_user4 = server1,server2,test1,test2,prdserver1,prdserver2
user4 HA_user4 = (ALL) NOPASSWD: CA_Temproot
 
Old 11-15-2014, 02:31 AM   #4
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
Your alias names are supposed to be UPPERCASE - what you have there doesn't even pass "visudo -c" checking.
 
Old 11-15-2014, 04:03 PM   #5
azamsab
LQ Newbie
 
Registered: Nov 2014
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks for pointing that out, I'll update all Aliases with upper case. But, still I need some script which can find out which users have root privilege and on what servers. Please let me know if you could help me with that. Thanks again!
 
Old 11-15-2014, 05:10 PM   #6
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,634

Rep: Reputation: 7965
Quote:
Originally Posted by azamsab View Post
Thanks for pointing that out, I'll update all Aliases with upper case. But, still I need some script which can find out which users have root privilege and on what servers. Please let me know if you could help me with that. Thanks again!
We will be glad to HELP you with the script that YOU have written, but we are NOT going to write it for you. Post what you have written/tried on your own, and we can assist. Also, please read the "Question Guidelines" link in my posting signature.
 
Old 11-16-2014, 09:00 AM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

Rep: Reputation: 3721
What might come close would be to loop through the users or groups of users and run sudo -l for each one. The output would have to be analysed manually. You're unlikely to be able to script anything that will tell you explicitly what will reach root access.
 
Old 11-17-2014, 04:57 AM   #8
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
Quote:
Originally Posted by Turbocapitalist View Post
You're unlikely to be able to script anything that will tell you explicitly what will reach root access.
We don't know what all those scripts do that are named in the file but it's easy to report on the "su -" type of command.

In fact I've done this sort of thing before. And things like when root can run
/usr/local/scripts/prtq_script.pl
and /usr/local/scripts/ is writable by any non-root user, that got reported.
 