Design suggestion for sudo

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
roddergreg
Posts: 59
Joined: Wed Oct 22, 2014 4:35 am

Design suggestion for sudo

Post by roddergreg »

I'd like to recommend using the /etc/sudoers.d directory in place of writing all the nagioslogserver sudo entries directly into /etc/sudoers. Using /etc/sudoers.d makes managing sudo configurations much easier in my opinion.
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: Design suggestion for sudo

Post by sreinhardt »

Which OS did you happen to install on? I know that we keep the usage of the original sudoers file for Cent\RHEL 5 varieties that don't necessarily support the config folder. However, if you are using Cent\RHEL 6, I would have to check, but I would imagine it to properly separate itself from the main sudoers file. Does this not appear to be the case?
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
roddergreg
Posts: 59
Joined: Wed Oct 22, 2014 4:35 am

Re: Design suggestion for sudo

Post by roddergreg »

Installed on RHEL 6.5.
roddergreg
Posts: 59
Joined: Wed Oct 22, 2014 4:35 am

Re: Design suggestion for sudo

Post by roddergreg »

We generally try to keep /etc/sudoers the same across all our servers. This makes sudoers easier to manage using configuration tools such as Puppet or Salt. We have many RHEL 5 servers using /etc/sudoers.d. To get this working you need sudo version >=1.7.2 with an include variable pointing at /etc/sudoers.d

Code:

#includedir /etc/sudoers.d

Remembering that "#" in the sudoers file is not a comment. This is a requirement.

My /etc/sudoers file has all the nagioslogserver entries appended to the end

Code:

User_Alias      NAGIOSLOGSERVER=nagios
User_Alias      NAGIOSLOGSERVERWEB=apache
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/logstash start
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/logstash stop
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/logstash restart
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/logstash reload
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/logstash status
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/elasticsearch start
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/elasticsearch stop
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/elasticsearch restart
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/elasticsearch reload
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/elasticsearch status
NAGIOSLOGSERVER ALL = NOPASSWD:/usr/local/nagioslogserver/scripts/change_timezone.sh
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/logstash start
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/logstash stop
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/logstash restart
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/logstash reload
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/logstash status
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/elasticsearch start
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/elasticsearch stop
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/elasticsearch restart
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/elasticsearch reload
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/etc/init.d/elasticsearch status
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/usr/local/nagioslogserver/scripts/get_logstash_ports.sh
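
Added example, not part of the original posts and not Nagios's installer code: POSIX shell functions that perform the move discussed in this thread, pulling the NAGIOSLOGSERVER and NAGIOSLOGSERVERWEB lines out of a main sudoers file into a drop-in and syntax-checking the fragment with visudo before it is put in place. The function names, the return codes and the abbreviated sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): split the Nagios Log Server rules out of
# a sudoers file into a drop-in. All paths are arguments; rehearse on copies.

NLS_RE='^(User_Alias[[:space:]]+)?NAGIOSLOGSERVER(WEB)?[[:space:]=]'

# Constructed sample: an abbreviated main sudoers file in the thread's layout.
sample_sudoers() {
cat <<'EOF'
root ALL=(ALL) ALL
#includedir /etc/sudoers.d
User_Alias      NAGIOSLOGSERVER=nagios
User_Alias      NAGIOSLOGSERVERWEB=apache
NAGIOSLOGSERVER ALL = NOPASSWD:/etc/init.d/logstash restart
NAGIOSLOGSERVER ALL = NOPASSWD:/usr/local/nagioslogserver/scripts/change_timezone.sh
NAGIOSLOGSERVERWEB ALL = NOPASSWD:/usr/local/nagioslogserver/scripts/get_logstash_ports.sh
EOF
}

# True if the file pulls in /etc/sudoers.d. The "#" is part of the directive;
# sudo 1.9.1 and later also accept the "@includedir" spelling.
has_includedir() {
    grep -Eq '^[#@]includedir[[:space:]]+/etc/sudoers\.d/?[[:space:]]*$' "$1"
}

extract_rules() { grep -E  "$NLS_RE" "$1"; }   # lines that move to the drop-in
strip_rules()   { grep -Ev "$NLS_RE" "$1"; }   # what stays in the shared file

# make_dropin SRC DEST: write the rules extracted from SRC to DEST.
# Returns 2 bad file name, 3 no include directive, 4 no rules found,
# 5 syntax check failed.
make_dropin() {
    src=$1; dest=$2
    case "$(basename "$dest")" in
        *.*|*~) return 2 ;;   # sudo skips sudoers.d names containing "." or ending in "~"
    esac
    has_includedir "$src" || return 3
    tmp=$(mktemp) || return 1
    extract_rules "$src" > "$tmp" || { rm -f "$tmp"; return 4; }
    chmod 0440 "$tmp"
    # Syntax-check the fragment outside sudoers.d, before sudo can read it.
    visudo -cf "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; return 5; }
    mv -f "$tmp" "$dest"
}
```

Run as root, `make_dropin /etc/sudoers /etc/sudoers.d/nagioslogserver` leaves a root-owned 0440 drop-in. The same User_Alias should not end up defined in both files, so replace the main file with the `strip_rules` output in the same change and finish with `visudo -c` on the live configuration.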
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Design suggestion for sudo

Post by abrist »

roddergreg wrote: We have many RHEL 5 servers using /etc/sudoers.d. To get this working you need sudo version >=1.7.2 with an include variable pointing at /etc/sudoers.d
I think the main issue is that there are some whose repos are not new enough to include 1.7.2/newer. I do believe on the newer distro versions XI does indeed use the .d folder.
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
roddergreg
Posts: 59
Joined: Wed Oct 22, 2014 4:35 am

Re: Design suggestion for sudo

Post by roddergreg »

Just a suggestion. Take it or leave it
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Design suggestion for sudo

Post by abrist »

Fair enough. I think we will most definitely be using the .d directories on the newer systems.