Michel Arboi wrote:

>> That was the whole point of my email - you can't restrict sudo when
>> called in such a fashion. If it ran "sudo rpm", etc that would be
>> achievable
>
> If you are allowed to run rpm as root, you can get a full root access
> rather easily, as you can replace any system file, or run pre or post
> scripts. No?

So what you're really saying is that if anyone expects Nessus to be able to provide a comprehensive report against Unix systems, then it has to run as root-equivalent? Similar to Windows?

I think that needs saying, as otherwise people might be thinking otherwise and producing poor reports.

I still think the "unpriv-account-running-sudo" option is better than directly running as root, as sudo logs all invocations via syslog - so the App owner can see just what nessus did - and when their box crashes - they won't be able to blame Nessus :-) (my primary concern)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
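As an added illustration of the trade-off the two posts above describe (this is not code from the thread or from Nessus), here is a sudoers fragment contrasting the weak rule with a tighter one. The scanner account name `nessus` and the read-only invocation `/bin/rpm -qa` are assumptions chosen for the example; the actual commands a scanner needs would have to be enumerated from its own documentation.

```sudoers
# Added example; the "nessus" account and the rpm invocation are assumptions,
# not taken from the thread or from Nessus itself.

# Weak rule: lets the scanner account run rpm with ANY arguments as root.
# As the thread notes, unrestricted rpm as root is effectively full root,
# because installing a package can replace system files and runs its
# pre/post scripts as root.
# nessus  ALL = (root) NOPASSWD: /bin/rpm

# Tighter rule: when a command in sudoers lists arguments, the invocation
# must match them exactly, so only the read-only package listing is allowed
# and e.g. "sudo rpm -i foo.rpm" is refused.
nessus  ALL = (root) NOPASSWD: /bin/rpm -qa

# Every invocation by this account, allowed or refused, is recorded via
# syslog (the auth facility is sudo's default; authpriv is chosen here so
# the entries land with the other authentication logs), which gives the
# system owner the per-command record the thread asks for.
Defaults:nessus  syslog=authpriv
```

The practical caveat is that the tighter rule only helps if the list of permitted commands stays short and argument-specific; adding wildcards to the arguments reopens the door to the "rpm as root equals root" problem, and the syslog trail is then the only way to find out what was actually run.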
