Doug Nordwall wrote:
>
> if this is a major concern for you, you can take the output of the
> sudo logs that you have there and construct a fairly restricted set of
> sudo commands and pop them into a sudo alias in the sudoers file. This
> is detailed in man sudoers or
> in http://www.courtesan.com/sudo/man/sudoers.html .
>
> I don't doubt that this would be a fairly tedious process :)
Have you actually tried that? :-)
sudo: tibs : TTY=pts/22 ; PWD=/home/nessus ; USER=root ;
COMMAND=/bin/sh -c echo nessus_su_${nb:-319115419} ; LC_ALL=C rpm -q -f
'/usr/sbin/sshd' || echo FileIsNotPackaged; echo nessus_su_${ne:-839977099}
So I have to make a sudo rule that allows someone to call "/bin/sh" as
root with randomly generated variables - but somehow doesn't allow them
to actually run /bin/sh as root in general...
That was the whole point of my email - you can't restrict sudo when
called in such a fashion. If it ran "sudo rpm ...", etc. that would be
achievable - but nessus calls it as "sudo /bin/sh ... rpm ..." instead -
which isn't protectable. I bet Tenable have to do it that way for good
reason (probably some poky Unix platform they support can't work any
other way), but it makes the "sudo support" effectively non-existent.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus
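Added example, not part of the thread above: a small Python model of why the sudoers rule Jason describes cannot be made safe. sudoers matches the command-line arguments of a rule as one space-joined string with shell-style wildcards, which the sudoers manual warns lets a "*" match across argument boundaries. The rule below is a hypothetical attempt to pin the scanner's "/bin/sh -c ... rpm -q -f <file> ..." wrapper to the rpm query seen in the log; the command lines are constructed here, modelled on the COMMAND= field of the posted log line, and the matching function is a simplified stand-in for sudo's own matcher, not sudo's code.

```python
import fnmatch

# Constructed sudoers-style rules (hypothetical, not from the post).
# Each entry is (user, command, argument pattern). As in sudoers, the
# pattern is matched against argv[1:] joined by single spaces, so a "*"
# can swallow spaces, semicolons and whole extra commands.
RULES = [
    # Attempt to restrict the Nessus wrapper to the rpm query from the log.
    ("tibs", "/bin/sh",
     "-c echo nessus_su_* ; LC_ALL=C rpm -q -f * "
     "|| echo FileIsNotPackaged; echo nessus_su_*"),
    # The rule that would be possible if the scanner ran rpm directly.
    ("tibs", "/bin/rpm", "-q -f *"),
]


def sudoers_allows(rules, user, argv):
    """Return True if some rule lets `user` run argv[0] with argv[1:].

    Simplified model of sudoers argument matching: the command path must
    match exactly and the space-joined arguments must fnmatch the pattern.
    """
    args = " ".join(argv[1:])
    for rule_user, command, pattern in rules:
        if rule_user != user or command != argv[0]:
            continue
        if fnmatch.fnmatchcase(args, pattern):
            return True
    return False


# Constructed command line, mirroring the COMMAND= field in the posted log.
NESSUS_CMD = [
    "/bin/sh", "-c",
    "echo nessus_su_${nb:-319115419} ; LC_ALL=C rpm -q -f '/usr/sbin/sshd' "
    "|| echo FileIsNotPackaged; echo nessus_su_${ne:-839977099}",
]

# Same shape, but the "file to query" slot now carries arbitrary commands
# that the child /bin/sh will run as root. The wildcard after "-f" matches
# all of it, so the rule above still says yes.
ABUSE_CMD = [
    "/bin/sh", "-c",
    "echo nessus_su_1 ; LC_ALL=C rpm -q -f x; cp /bin/sh /tmp/rootsh; "
    "chmod 4755 /tmp/rootsh "
    "|| echo FileIsNotPackaged; echo nessus_su_2",
]

# If the scanner ran rpm directly, extra "arguments" reach rpm, not a
# shell: they are just more file names for rpm to look up.
DIRECT_CMD = ["/bin/rpm", "-q", "-f", "/usr/sbin/sshd"]
DIRECT_JUNK = ["/bin/rpm", "-q", "-f", "x;", "cp", "/bin/sh", "/tmp/rootsh"]


def demo():
    """Evaluate the constructed command lines against the constructed rules."""
    return {
        "nessus_wrapper": sudoers_allows(RULES, "tibs", NESSUS_CMD),
        "wrapper_abused": sudoers_allows(RULES, "tibs", ABUSE_CMD),
        "rpm_direct": sudoers_allows(RULES, "tibs", DIRECT_CMD),
        "rpm_direct_junk": sudoers_allows(RULES, "tibs", DIRECT_JUNK),
        "bare_shell": sudoers_allows(RULES, "tibs", ["/bin/sh", "-c", "id"]),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16s} allowed={allowed}")
```

The model allows both the genuine scanner command and the abused one, because everything after "-c" is a single string that /bin/sh interprets, and the only way to write a rule that matches the random nessus_su_ markers and the varying file path is with wildcards that also match injected commands. The direct rpm rule also matches junk arguments, but there rpm receives them as file names and nothing is executed, which is the difference Jason is pointing at.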