Wouldn't it be fairly easy to copy the plugin source for the script you want to use and simply modify the sudo command accordingly?
--------
Jeff Mercer - CISO - Security Vulnerability Assessments

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Haar
>Sent: Friday, October 03, 2008 4:26 PM
>To: [email protected]
>Subject: Re: nessus sudo support question
>
>Doug Nordwall wrote:
>>
>> if this is a major concern for you, you can take the output of the
>> sudo logs that you have there and construct a fairly restricted set of
>> sudo commands and pop them into a sudo alias in the sudoers file. This
>> is detailed in man sudoers or in http://www.courtesan.com/sudo/man/sudoers.html .
>>
>> I don't doubt that this would be a fairly tedious process :)
>Have you actually tried that? :-)
>
>sudo: tibs : TTY=pts/22 ; PWD=/home/nessus ; USER=root ; COMMAND=/bin/sh -c echo nessus_su_${nb:-319115419} ; LC_ALL=C rpm -q -f '/usr/sbin/sshd' || echo FileIsNotPackaged; echo nessus_su_${ne:-839977099}
>
>So I have to make a sudo rule that allows someone to call "/bin/sh" as
>root with randomly generated variables - but somehow doesn't allow them
>to actually run /bin/sh as root in general...
>
>That was the whole point of my email - you can't restrict sudo when
>called in such a fashion. If it ran "sudo rpm", etc. that would be
>achievable - but nessus calls it as "sudo /bin/sh... rpm ..." instead -
>which isn't protectable. I bet Tenable have to do it that way for good
>reason (probably some poky Unix platform they support can't work any
>other way), but it makes the "sudo support" effectively non-existent.
>
>--
>Cheers
>
>Jason Haar
>Information Security Manager, Trimble Navigation Ltd.
>Phone: +64 3 9635 377 Fax: +64 3 9635 417
>PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>_______________________________________________
>Nessus mailing list
>[email protected]
>http://mail.nessus.org/mailman/listinfo/nessus
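A defender-side check for the invocation pattern Jason quotes, added here as an example and not code from the thread, from Nessus or from Tenable: it parses sudo log lines in the format shown above (the sample lines are constructed) and flags every COMMAND that is a shell run with -c, which is exactly the form no sudoers Cmnd_Alias can pin down. The SHELLS set and the marker regex for the nessus_su_ wrapper are my assumptions.

```python
import os
import re

# Constructed sample sudo log lines, modelled on the entry quoted in the thread.
SAMPLE_LOG = """\
sudo: tibs : TTY=pts/22 ; PWD=/home/nessus ; USER=root ; COMMAND=/bin/sh -c echo nessus_su_${nb:-319115419} ; LC_ALL=C rpm -q -f '/usr/sbin/sshd' || echo FileIsNotPackaged; echo nessus_su_${ne:-839977099}
sudo: tibs : TTY=pts/22 ; PWD=/home/nessus ; USER=root ; COMMAND=/bin/rpm -q -f /usr/sbin/sshd
sudo: alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/bash -c id
"""

# Shell binaries whose "-c" form runs arbitrary text, so a sudoers rule that
# permits them permits everything (assumed list).
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}

# One sudo syslog entry. COMMAND is taken to end of line on purpose: the
# command text itself contains " ; " separators, so splitting on them breaks.
ENTRY_RE = re.compile(
    r"^sudo:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;"
    r"\s+USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<command>.*)$"
)
# Nessus brackets its command with markers carrying a random default value.
NESSUS_MARKER_RE = re.compile(r"nessus_su_\$\{\w+:-\d+\}")

def classify(command):
    """Return (executable, shell_wrapper, nessus_marker) for one COMMAND field."""
    tokens = command.split()
    exe = tokens[0] if tokens else ""
    shell_wrapper = os.path.basename(exe) in SHELLS and "-c" in tokens[1:]
    return exe, shell_wrapper, bool(NESSUS_MARKER_RE.search(command))

def audit_sudo_log(text):
    """Parse sudo log lines and flag entries a Cmnd_Alias cannot restrict."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not a sudo command entry; skip
        exe, shell_wrapper, marker = classify(m["command"])
        findings.append({
            "user": m["user"], "runas": m["runas"], "executable": exe,
            "shell_wrapper": shell_wrapper, "nessus_marker": marker,
        })
    return findings

if __name__ == "__main__":
    for f in audit_sudo_log(SAMPLE_LOG):
        verdict = "UNRESTRICTABLE (shell -c)" if f["shell_wrapper"] else "pinnable"
        tag = "  [nessus marker]" if f["nessus_marker"] else ""
        print(f"{f['user']:>6} -> {f['runas']}: {f['executable']:<14} {verdict}{tag}")
```

Run against a real sudo log, the entries marked pinnable are the ones worth turning into a Cmnd_Alias; the shell -c entries are the ones the thread says cannot be locked down.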
