Populating Sudoers to Clients

Intro

In order to ensure that the sudoers file is managed properly, a decision has been made to centralise updating of the sudoers file on the nim server b0045nim. There will therefore be one global sudoers file for all client sudo servers. This method should not cause any security issues because each server is referenced by name in the rules for specific commands, ensuring that users cannot run those commands on other servers.

Once the sudoers file has been updated on the nim server, a separate script, currently called populate.script, is used to push the updated sudoers file out from the nim server to all the servers that have sudo installed.

In brief you will need to:

- update the sudoers file on sap-build and copy it back to b0045nim (ensuring you keep an archive of the previous version)

- run the checksudo.ksh script to get a list of current sudo servers (populate.script relies on this file being up to date)

- run populate.script on the nim server to push the sudoers file out to all servers with sudo installed

Global Sudoers Script

The sudoers_global file is currently stored in /export/dsl/freeware/sudo/script on b0045nim. It is a symbolic link to a file called sudoers_current in the directory /export/dsl/freeware/sudo/sudoers_arch. To keep an archive for rollback, any change to the sudoers file should begin with renaming the existing sudoers_current file to the day's date in the format sudoers.20100210_v1 (you can have several versions in one day, distinguished by the v number).
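The archive step above is easy to get wrong by hand (overwriting an earlier version from the same day, or forgetting which file is the latest). The shell functions below are an added example, not a script from the wiki or from b0045nim: they pick the next free v number for the day, rename sudoers_current to it, find the newest archived version, and restore one for rollback. The archive directory and the date are passed in as arguments so the functions can be tried in a scratch directory; on the nim server the directory would be /export/dsl/freeware/sudo/sudoers_arch.

```shell
#!/bin/bash
# Added example: archive rotation for the global sudoers file under the
# naming scheme sudoers.YYYYMMDD_vN described on the page.

# archive_sudoers ARCH_DIR [YYYYMMDD]
#   Renames ARCH_DIR/sudoers_current to sudoers.<date>_v<N>, where N is the
#   next unused version number for that date, and prints the archive name.
archive_sudoers() {
    arch_dir=$1
    day=${2:-$(date +%Y%m%d)}      # date may be supplied for repeatable tests
    if [ ! -f "$arch_dir/sudoers_current" ]; then
        echo "no sudoers_current in $arch_dir" >&2
        return 1
    fi
    n=1
    while [ -e "$arch_dir/sudoers.${day}_v$n" ]; do
        n=$((n + 1))                # never overwrite an earlier version today
    done
    name="sudoers.${day}_v$n"
    mv "$arch_dir/sudoers_current" "$arch_dir/$name" || return 1
    echo "$name"
}

# latest_archive ARCH_DIR
#   Prints the most recent archive name: newest date, then highest v number.
latest_archive() {
    ls "$1" | grep '^sudoers\.[0-9]\{8\}_v[0-9][0-9]*$' \
        | sort -t_ -k1,1 -k2.2n | tail -1
}

# rollback_sudoers ARCH_DIR NAME
#   Restores an archived version as sudoers_current (sudoers_global is a
#   symlink to sudoers_current, so this is all a rollback on the nim needs
#   before populate.script is run again).
rollback_sudoers() {
    cp -p "$1/$2" "$1/sudoers_current"
}
```

After archive_sudoers has run, sudoers_current does not exist until the edited file is copied back from sap-build, so the sudoers_global symlink dangles in between; do not run populate.script in that window.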

Updating the Sudoers Using Visudo

To edit the current file you will need to secure copy the sudoers_current file from the nim server over to sap-build, as the nim server does not have sudo, and therefore visudo, installed.

From b0045nim:

# pwd
/export/dsl/freeware/sudo/sudoers_arch
# scp sudoers_current sap-build:/etc/sudoers_copy_b0045nim
sudoers_current                                                 100%   13KB    13.4KB/s   00:00

Log on to sap-build and back up the current sudoers file /etc/sudoers to a dated name, for example /etc/sudoers.20100426v1:

# mv /etc/sudoers /etc/sudoers.20100426v1

Then move the file you copied from b0045nim earlier to /etc/sudoers, ready to be edited:

# mv /etc/sudoers_copy_b0045nim /etc/sudoers

Use the visudo command to edit the file, as it checks the syntax of the file before saving it.

# visudo

Once the edit of the sudoers file is complete, scp it back to the nim server:

# scp /etc/sudoers b0045nim:/export/dsl/freeware/sudo/sudoers_arch/sudoers_current

Populating the Sudo Servers

Once the global sudoers file has been updated, use the populating script on b0045nim to push it out to all the sudo clients.

The populating script relies on a list of servers (sudoinstalledlist.out) which is generated by the checksudo.ksh script; both files are in the directory /export/dsl/freeware/sudo/script. The checksudo script was created to ensure that we always get the current set of servers with sudo installed, as a statically maintained list would go out of date over time.

On the b0045nim server, change to the directory /export/dsl/freeware/sudo/script and run ./populate.script > /tmp/log_sudo 2>&1 & (this writes to the logfile /tmp/log_sudo, which you can tail -f to see progress):

# pwd
/export/dsl/freeware/sudo/script
# ./populate.script > /tmp/log_sudo 2>&1 &
# tail -f /tmp/log_sudo

The populate.script script reads sudoinstalledlist.out, which contains the list of servers to push the sudoers update out to.

Populating Script

The following is the current version of the populating script; note that this is an iterative process and the script is still being updated in readiness for finalisation.

Location of script: /export/dsl/freeware/sudo/script/populate.script

#!/bin/bash
# populate.script - push the global sudoers file from the nim server to every
# server listed as having sudo installed (list generated by checksudo.ksh).
# Run as:  ./populate.script > /tmp/log_sudo 2>&1 &   (then tail -f /tmp/log_sudo)

SUDO_DIR=/export/dsl/freeware/sudo
SUDOERS_GLOBAL=$SUDO_DIR/script/sudoers_global
# list of servers with sudo installed, one host per line, generated by checksudo.ksh
SUDO_LIST=$SUDO_DIR/script/sudoinstalledlist.out

cd "$SUDO_DIR" || exit 1

# date format used when renaming the existing sudoers file on the client server
date=`date +%Y%m%d%H%M`

failed=0
for SUDO_SERVS in `cat "$SUDO_LIST"`
do
    echo "processing $SUDO_SERVS"

    # copy the new file alongside the old one first: if the copy fails the
    # client keeps its current /etc/sudoers instead of being left without one
    if ! scp -q "$SUDOERS_GLOBAL" "$SUDO_SERVS:/etc/sudoers.new"; then
        echo "ERROR: $SUDO_SERVS: copy failed"
        failed=`expr $failed + 1`
        continue
    fi

    # keep the old file under a dated name, then put the new one in place
    if ssh -q "$SUDO_SERVS" "mv /etc/sudoers /etc/sudoers_$date && mv /etc/sudoers.new /etc/sudoers"; then
        echo "OK: $SUDO_SERVS updated, previous file saved as /etc/sudoers_$date"
    else
        echo "ERROR: $SUDO_SERVS: install failed"
        failed=`expr $failed + 1`
    fi
done

echo "finished: $failed failure(s)"

# TODO: clean up of old /etc/sudoers_* files older than 2 months on the clients
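The push described in "Populating the Sudo Servers" and in the script above replaces /etc/sudoers on every client without checking the file on the client first, so a syntax error that slipped past the edit on sap-build would break sudo everywhere at once. The functions below are an added example, not the wiki's populate.script: the new file is staged as /etc/sudoers.new, checked on the client with visudo -c -f, and only then moved into place, with the previous file kept under a dated name. The server list handling (blank lines, comments, duplicates) and the DRY_RUN switch are assumptions of this example; it assumes root can ssh and scp to each client without a password and that the client has visudo in its PATH.

```shell
#!/bin/bash
# Added example (not the page's populate.script): push a sudoers file to a
# list of clients, but stage it and syntax-check it on the client with
# "visudo -c -f" before it replaces /etc/sudoers, so a file with a syntax
# error never leaves a client without working sudo.
# Setting DRY_RUN=1 prints the remote commands instead of executing them
# (useful for checking the server list before a real run).

STAMP=$(date +%Y%m%d%H%M)

# Read the server list produced by checksudo.ksh: one host per line;
# blank lines, '#' comments and duplicate hosts are dropped.
server_list() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | sort -u
}

# Run a command on a client, or print it when DRY_RUN=1.
remote() {
    host=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "ssh $host $*"; return 0; fi
    ssh -q "$host" "$@"
}

# Copy a local file to a client, or print the command when DRY_RUN=1.
copy_to() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "scp $1 $2:$3"; return 0; fi
    scp -q "$1" "$2:$3"
}

# Push one file to one client.  The live /etc/sudoers is only replaced after
# the staged copy passes visudo's syntax check; the old file is kept as
# /etc/sudoers_<stamp> for rollback.  Returns 0 on success, 1 on any failure.
push_one() {
    src=$1; host=$2
    copy_to "$src" "$host" /etc/sudoers.new || { echo "$host: copy failed"; return 1; }
    if ! remote "$host" "visudo -c -f /etc/sudoers.new"; then
        echo "$host: syntax check failed, /etc/sudoers left untouched"
        remote "$host" "rm -f /etc/sudoers.new"
        return 1
    fi
    remote "$host" "cp -p /etc/sudoers /etc/sudoers_$STAMP && mv /etc/sudoers.new /etc/sudoers && chmod 0440 /etc/sudoers" \
        || { echo "$host: install failed"; return 1; }
    echo "$host: updated, previous file saved as /etc/sudoers_$STAMP"
}

# Push to every client in the list; prints a summary and returns 1 if any failed.
push_all() {
    src=$1; list=$2; failed=0
    for host in $(server_list "$list"); do
        push_one "$src" "$host" || failed=$((failed + 1))
    done
    echo "failures: $failed"
    [ "$failed" -eq 0 ]
}
```

A real run would be push_all /export/dsl/freeware/sudo/script/sudoers_global /export/dsl/freeware/sudo/script/sudoinstalledlist.out > /tmp/log_sudo 2>&1, with the per-host OK/failed lines in the log giving the completed-copies record the script's own TODO asks for.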

 
aix/aix_enable-sudo-script.txt · Last modified: 06/04/2022 09:08 by andrew