Sudo Pair
- By bootstack-charmers
- Monitoring
juju deploy sudo-pair
Discuss this charm
Share your thoughts on this charm with the community on discourse.
Overview
sudo_pair is a sudo plugin that ensure that no user can act entirely on their own authority within these systems. Once configured if a user tries to get root privileges, he will need an authorization from a pair that will monitor over his session.
Build
cd sudo-pair
charm build
Usage
Add to an existing application using juju-info relation.
Example:
juju deploy ubuntu
juju deploy ./sudo-pair
juju add-unit ubuntu
juju add-relation ubuntu sudo-pair
Configuration
The user can configure the following parameters:
groups_enforced(default:root): This is a comma-separated list of group names that sudo_pair will gate access to. If a user is sudoing to a user that is a member of one of these groups, they will be required to have a pair approve their session.groups_exempted(default:none): This is a comma-separated list of group names whose users will be exempted from the requirements of sudo_pair. Note that this is not the opposite of the groups_enforced flag. Whereas groups_enforced gates access to groups, groups_exempted exempts users sudoing from groups. For instance, this setting can be used to ensure that oncall sysadmins can respond to outages without needing to find a pair.bypass_cmds(default:none): This is a comma-separated list of full path commands that have to be bypassed from sudo pairingbypass_group(default:none): This is the unix group for which the commands specified through bypass_cmds will be bypassed from sudo pairing approvalauto_approve(default:true): If true, auto approval is permitted.
Testing
Unit tests has been developed to test templates rendering for sudo.conf, sudoers.d/91-bypass-sudopair-cmds, sudo_approve
To run unit tests:
tox -e unit
Deploy tests has been developed using python-libjuju
To run tests using python-libjuju:
tox -e functional
Contact Information
BootStack Charmers bootstack-charmers@lists.canonical.com