[sudo-users] scripting sudo's digest functions

Michael W. Lucas mwlucas at michaelwlucas.com
Tue Jun 25 15:20:11 MDT 2019


Yes, you'll need to watch out for patches. ;-)

My assumption, if you need this sort of function, is that you have
actual test equipment to deploy on first, then can push out the new
files as part of your upgrade process. Doing this on one host is
probably daft.

And thank you. New version coming soon.

==ml
On Tue, Jun 25, 2019 at 04:11:03PM -0500, Thomas Harrison wrote:
>    ML - I saw that chapter in your book but was concerned that patching
>    could cause issues if a binary changed.  Great book btw!
> 
>    On Tue, Jun 25, 2019, 15:20 Michael W. Lucas
>    <mwlucas at michaelwlucas.com> wrote:
> 
>      Hi,
>      Sudo has a nifty digest-verification function, where it can check
>      the cryptographic digest of a command before running it.
>      At my last job I wrote a couple perl scripts to build
>      platform-specific digest-checking sudoers files for all programs in
>      system directories. I've cleaned them up some and added Linux
>      support. They're not on github because once I do that other folks
>      might find them, and I'm not convinced this is a good thing.  But
>      I'd like some feedback, so I'm posting here.
>      Code is at http://www-old.michaelwlucas.com/sudo/
>      Usage:
>      Set the directories you want to target at the top of
>      $sudodigest.pl.
>      # cd /etc/sudoers.d
>      # sudodigest.pl > 00-digests
>      # ids-sudoers.pl > 01-wheel
>      # visudo -cf /etc/sudoers
>      This creates platform-unique aliases for each command, and an
>      EVERYTHING alias that includes all those aliases. There's also rules
>      to let wheel and sudo groups run everything. But you can cut those
>      out and do aliases like:
>      Cmnd_Alias NOSHELL = EVERYTHING, !/bin/sh, !/bin/bash, !/bin/su
>      %wheel ALL=NOSHELL
>      EVERYTHING is an explicit list of programs in system directories, so
>      it doesn't include user-created /tmp/sh.
>      So: if you need sudo IDS, is this reasonable?
>      ==ml
>      --
>      Michael W. Lucas        https://mwl.io/
>      author of: Absolute OpenBSD, SSH Mastery, git commit murder,
>      Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
>      ____________________________________________________________
>      sudo-users mailing list <sudo-users at sudo.ws>
>      For list information, options, or to unsubscribe, visit:
>      https://www.sudo.ws/mailman/listinfo/sudo-users

-- 
Michael W. Lucas 	https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
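The two jobs the thread discusses, generating digest-pinned sudoers entries for every executable in a directory tree and then finding out which pins a patch has broken, in one small Python script. This is an added example, not sudodigest.pl or ids-sudoers.pl from the posting (that code is not on this page). It assumes sudo's digest syntax `sha256:<hex> /path/to/command`, sudoers backslash line continuation, and uses a constructed temporary directory with two fake commands in place of real system directories; the alias names, the EVERYTHING aggregate and the `demo()` helper are this example's own.

```python
#!/usr/bin/env python3
"""Digest-pinned sudoers fragments: generate from a directory tree, then re-verify.

Added example, not the thread's sudodigest.pl. Emits sudo's digest syntax
(sha256:<hex> /path/to/command) and re-checks an existing fragment so that a
package upgrade shows up as an explicit list of changed or missing commands.
"""
import hashlib
import os
import re
import stat
import tempfile

# sudoers alias names: uppercase letters, digits and underscores, starting with a letter
ALIAS_PREFIX = "D_"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def executables_in(directories):
    """Regular executable files under the given directories (symlinks skipped), sorted."""
    found = []
    for d in directories:
        for root, _dirs, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                    found.append(p)
    return sorted(found)


def alias_name(path):
    """/usr/bin/ls -> D_USR_BIN_LS, a legal sudoers alias name."""
    return ALIAS_PREFIX + re.sub(r"[^A-Z0-9]", "_", path.upper()).strip("_")


def build_fragment(directories, everything="EVERYTHING"):
    """One Cmnd_Alias per executable, plus an aggregate alias naming all of them."""
    lines, names = [], []
    for p in executables_in(directories):
        name = alias_name(p)
        names.append(name)
        lines.append(f"Cmnd_Alias {name} = sha256:{sha256_file(p)} {p}")
    if names:
        # sudoers lets an alias list other aliases; '\' continues a long line
        lines.append(f"Cmnd_Alias {everything} = " + ", \\\n    ".join(names))
    return "\n".join(lines) + "\n"


def parse_fragment(text):
    """path -> pinned hex digest, from Cmnd_Alias lines written by build_fragment."""
    pinned = {}
    for line in text.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+\w+\s*=\s*sha256:([0-9a-f]{64})\s+(\S+)\s*$", line)
        if m:
            pinned[m.group(2)] = m.group(1)
    return pinned


def verify_fragment(text):
    """Re-hash every pinned command; 'changed' is what a patch leaves behind."""
    result = {"ok": [], "changed": [], "missing": []}
    for path, digest in sorted(parse_fragment(text).items()):
        if not os.path.isfile(path):
            result["missing"].append(path)
        elif sha256_file(path) != digest:
            result["changed"].append(path)
        else:
            result["ok"].append(path)
    return result


def demo():
    """Constructed stand-in for a system directory: two fake commands in a temp dir.
    Returns (fragment, verify-before-patch, verify-after-patch)."""
    root = tempfile.mkdtemp(prefix="sudodigest-")
    for name in ("backup", "rotate"):
        p = os.path.join(root, name)
        with open(p, "w") as f:
            f.write(f"#!/bin/sh\necho {name}\n")
        os.chmod(p, 0o755)
    fragment = build_fragment([root])
    before = verify_fragment(fragment)
    # simulate a package upgrade: one command replaced, the other removed
    with open(os.path.join(root, "backup"), "a") as f:
        f.write("echo patched\n")
    os.remove(os.path.join(root, "rotate"))
    after = verify_fragment(fragment)
    return fragment, before, after


if __name__ == "__main__":
    frag, before, after = demo()
    print(frag)
    print("before:", before)
    print("after: ", after)
```

Run `verify_fragment` over the deployed fragment as part of the upgrade process the reply describes: anything in `changed` or `missing` will be refused by sudo until the fragment is regenerated, so the list doubles as a checklist for the test host before the new file is pushed out. Symlinks are deliberately skipped, since sudo pins the digest of the resolved file and a link that later points elsewhere would otherwise be pinned under the wrong path.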
