[sudo-users] scripting sudo's digest functions
pjcp64 at cox.net
Tue Jun 25 15:11:03 MDT 2019
ML - I saw that chapter in your book but was concerned that patching could
cause issues if a binary changed. Great book btw!
On Tue, Jun 25, 2019, 15:20 Michael W. Lucas <mwlucas at michaelwlucas.com>
> Sudo has a nifty digest-verification function, where it can check the
> cryptographic digest of a command before running it.
> At my last job I wrote a couple perl scripts to build
> platform-specific digest-checking sudoers files for all programs in
> system directories. I've cleaned them up some and added Linux
> support. They're not on github because once I do that other folks
> might find them, and I'm not convinced this is a good thing. But I'd
> like some feedback, so I'm posting here.
> Code is at http://www-old.michaelwlucas.com/sudo/
> Set the directories you want to target at the top of $sudodigest.pl.
> # cd /etc/sudoers.d
> # sudodigest.pl > 00-digests
> # ids-sudoers.pl > 01-wheel
> # visudo -cf /etc/sudoers
> This creates platform-unique aliases for each command, and an
> EVERYTHING alias that includes all those aliases. There's also rules
> to let wheel and sudo groups run everything. But you can cut those out
> and do aliases like:
> Cmnd_Alias NOSHELL = EVERYTHING, !/bin/sh, !/bin/bash, !/bin/su
> %wheel ALL=NOSHELL
> EVERYTHING is an explicit list of programs in system directories, so
> it doesn't include user-created /tmp/sh.
> So: if you need sudo IDS, is this reasonable?
> Michael W. Lucas https://mwl.io/
> author of: Absolute OpenBSD, SSH Mastery, git commit murder,
> Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
More information about the sudo-users