> I recently became the Senior Server Architect (Server Administrator) and
> now support over 1500 servers and workstations and am looking for an easier
> way to manage privileged access.
>
> I have a mix of RHEL, HP-UX and Solaris based devices. We use CFengine to
> manage part of the configuration. The devices are located at 40 different
> sites.
>
> Basic requirements:
> Access is managed from a central location, possibly CFengine managed.
> The sudoers file is updated at least once a day, again possibly CFengine managed.
> The sudoers file would need to be built custom for each device; a complex sudoers
> file is not easy to manage.
> Compare the existing sudoers file to the proposed one to see if unauthorized
> changes were made. I realize this would be hard to do, especially if there
> are authorized changes in the new file.
> All commands are logged.
>
> Advanced requirements, things that would be nice to have:
> Once privileged access is granted, the user gets access w/o having to update the
> client.
> If privileged access is revoked, users will no longer have privileged access
> w/o having to update the client.
> A reason for being root is asked of the user before granting "su -" access
> but is not logged if the user just runs a command.
> Limit changing root's password, even for root.

Rather than create a different /etc/sudoers for each box, can't you use a name
service (with >1500 boxes you must already have one running) and set up
netgroups for users, commands, boxes, and auths?

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
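As an added illustration of the netgroup approach suggested in the reply (this is example configuration, not anything posted in the thread), here is what one site-wide /etc/sudoers might look like. Every host receives the identical file; which users may run which commands on which host is decided by netgroups served from the name service (NIS or LDAP), so group membership changes take effect on the next sudo invocation without touching the client. All netgroup, host and command names below are hypothetical.

```sudoers
# /etc/sudoers - one identical file pushed to every host (e.g. by CFengine).
#
# A netgroup is a set of (host,user,domain) triples. When "+name" appears in
# a User_List sudo matches the user field via innetgr(3); in a Host_List it
# matches the host field. The netgroup source must be enabled in
# /etc/nsswitch.conf on each client, e.g.  netgroup: nis   (or: ldap).
# Netgroup names (ng_*) are hypothetical.

# Logging: command log to a local file in addition to syslog.
Defaults    logfile=/var/log/sudo.log
# Session (I/O) recording for the "su -"-style case; needs sudo 1.7.4 or later.
Defaults    log_output, iolog_dir=/var/log/sudo-io/%{user}

# Hosts grouped by role, via netgroups
Host_Alias  WEB_HOSTS  = +ng_web_hosts
Host_Alias  DB_HOSTS   = +ng_db_hosts

# Users grouped by role, via netgroups
User_Alias  WEB_ADMINS = +ng_web_admins
User_Alias  DB_ADMINS  = +ng_db_admins
User_Alias  HELPDESK   = +ng_helpdesk
User_Alias  SYS_ADMINS = +ng_sys_admins

# Command sets
Cmnd_Alias  WEB_CMDS   = /sbin/service httpd *, /usr/bin/tail /var/log/httpd/*
Cmnd_Alias  DB_CMDS    = /sbin/service postgresql *
# Reset ordinary users' passwords, but not root's.
Cmnd_Alias  PASSWD     = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

# Grants. Every line is valid on every host; a line only takes effect on a
# host that is a member of the Host_Alias netgroup it names.
WEB_ADMINS  WEB_HOSTS = WEB_CMDS
DB_ADMINS   DB_HOSTS  = DB_CMDS
HELPDESK    ALL       = PASSWD
SYS_ADMINS  ALL       = ALL
```

Because the file is byte-identical everywhere, the "was it tampered with" check from the original post reduces to comparing each host's copy against the master (a checksum CFengine can verify), and `visudo -c -f /path/to/candidate` checks a proposed file for syntax errors before it is shipped. Two caveats: the netgroup lookups depend on the client's sudo having netgroup support and on the name service being reachable, so an outage or a spoofed NIS reply affects authorisation on every host; and, as sudoers(5) itself warns, "subtracting" commands from ALL with `!` is not an effective control, so the `!/usr/bin/passwd root` exclusion above only works because it sits inside a narrow, positive grant, and the request to stop root itself from changing root's password is not something sudo can enforce.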