[Discuss] [BBLISA] audit root/sudo users for RHEL 6 server

[bill.n1vux at gmail.com (Bill Ricker)]

On Fri, Apr 17, 2020 at 2:58 PM John Malloy <jomalloy at gmail.com> wrote:

> They just want to know who can login as [root] or sudo
> These are both Oracle servers and they only have a [root] and Oracle
> account
> There?s no additional users in the Sudo file
>
>
> > What is the best way to provide proof to an audit person who needs to
> > know all the root/sudo users for  a RHEL 6 server?
>

Some auditors collect their own reports ...

> > > We can provide the /etc/passwd   &   /etc/sudoers file


Probably need to provide */etc/group* as well, since sudoers can grant
privilege on a secondary group membership, typically "*wheel*" (or
sometimes "*sudoers*").

If you have */etc/sudoers.d/ * directory on the server, provide all the
files under there too ...
(Not sure if that's even an option on RHEL6, but it's useful with
deployment tools.)

> > (the auditor may not know how to read these files)
>

If not, you may need a better grade of auditor ...

Zipping up the files should be good enough ... unless they're Windows only
people trying to audit your Linux servers too.

I see one script to do reporting on Sudoers. (If you have the .d directory
you have invoke it per file.)
I haven't tried it, and frankly, if running this as root you should read
the code carefully before running any script as Root !!

https://github.com/jeremypruitt/sudoers-report

YMMV.

>
>

>
> --
Bill Ricker
bill.n1vux at gmail.com
https://www.linkedin.com/in/n1vux