I have a mix of RHEL, HP-UX and Solaris based devices. We use CFEngine to manage part of the configuration. The devices are located at 40 different sites.
Basic requirements:
- Access is managed from a central location, possibly CFEngine managed
- Sudoer file is updated at least once a day, again possibly CFEngine managed
- Sudoer file would need to be built custom for each device, a complex sudoer file is not easy to manage.
- Compare the existing sudo file to the proposed one to see if unauthorized changes were made. I realize this would be hard to do, especially if there are authorized changes in the new file.
- All commands are logged.
- Once privileged access is granted user gets access w/o having to update the client
- If privileged access is revoked users will no longer have privileged access w/o having to update the client
- A reason for being root is asked of the user before granting "su -" access but is not logged if the user just runs a command.
- Limit changing root's password, even for root.
A tool like Power Broker would be great but I don't have the budget for it. I looked at FreeIPA but it looks complex and requires a greater commitment than just privileged access control.
Googling did not provide a possible solution but I am hoping the experts on the list will point me in the right direction or give some advice.
--
Jamie Bohr