[sudo-users] scripting sudo's digest functions
pjcp64 at cox.net
Tue Jun 25 15:13:57 MDT 2019
I'll definitely give it a shot! I used to play w tripwire a lot back in
the day and even created my own cksum monitoring script.
On Tue, Jun 25, 2019, 16:11 Thomas Harrison <pjcp64 at cox.net> wrote:
> ML - I saw that chapter in your book but was concerned that patching could
> cause issues if a binary changed. Great book btw!
> On Tue, Jun 25, 2019, 15:20 Michael W. Lucas <mwlucas at michaelwlucas.com>
>> Sudo has a nifty digest-verification function, where it can check the
>> cryptographic digest of a command before running it.
>> At my last job I wrote a couple perl scripts to build
>> platform-specific digest-checking sudoers files for all programs in
>> system directories. I've cleaned them up some and added Linux
>> support. They're not on github because once I do that other folks
>> might find them, and I'm not convinced this is a good thing. But I'd
>> like some feedback, so I'm posting here.
>> Code is at http://www-old.michaelwlucas.com/sudo/
>> Set the directories you want to target at the top of $sudodigest.pl.
>> # cd /etc/sudoers.d
>> # sudodigest.pl > 00-digests
>> # ids-sudoers.pl > 01-wheel
>> # visudo -cf /etc/sudoers
>> This creates platform-unique aliases for each command, and an
>> EVERYTHING alias that includes all those aliases. There are also rules
>> to let wheel and sudo groups run everything. But you can cut those out
>> and do aliases like:
>> Cmnd_Alias NOSHELL = EVERYTHING, !/bin/sh, !/bin/bash, !/bin/su
>> %wheel ALL=NOSHELL
>> EVERYTHING is an explicit list of programs in system directories, so
>> it doesn't include user-created /tmp/sh.
>> So: if you need sudo IDS, is this reasonable?
>> Michael W. Lucas https://mwl.io/
>> author of: Absolute OpenBSD, SSH Mastery, git commit murder,
>> Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
>> sudo-users mailing list <sudo-users at sudo.ws>
>> For list information, options, or to unsubscribe, visit:
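The digest-checking sudoers generation described in the quoted message, as an added example that is not part of the thread and not the Perl scripts linked from it. It walks a list of directories (an assumed configurable list, standing in for the "directories you want to target" at the top of the original script), emits one sudo `Cmnd_Alias` per executable using sudo's `sha256:<hex> /path` digest syntax, and collects them into an `EVERYTHING` alias. The `build_demo()` helper builds a throwaway directory with constructed files so the generator can be exercised offline; alias and function names are this example's own choices.

```python
import hashlib
import os
import re
import stat
import tempfile


def sha256_hex(path):
    """Hex SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def alias_name(path):
    """Derive a sudoers-legal alias name (uppercase letters, digits, underscores) from a path."""
    name = re.sub(r"[^A-Za-z0-9]", "_", path.strip("/")).upper()
    if not name or not name[0].isalpha():
        name = "X" + name  # alias names must start with a letter
    return name


def is_executable_file(path):
    """Regular file with at least one execute bit; symlinks are followed, directories skipped."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_IXUSR | stat.S_IXOTH | stat.S_IXGRP))


def build_sudoers(directories):
    """Return sudoers text: one digest-pinned Cmnd_Alias per executable plus an EVERYTHING alias."""
    lines = []
    names = []
    seen = {}
    for d in directories:
        for entry in sorted(os.listdir(d)):
            path = os.path.join(d, entry)
            if not is_executable_file(path):
                continue
            name = alias_name(path)
            # Paths such as a-b and a_b map to the same name; add a counter to keep aliases unique.
            if name in seen:
                seen[name] += 1
                name = f"{name}_{seen[name]}"
            else:
                seen[name] = 0
            # sudo accepts a digest prefix before the command path; the command only runs if the
            # file's current digest matches, so a replaced binary is refused.
            lines.append(f"Cmnd_Alias {name} = sha256:{sha256_hex(path)} {path}")
            names.append(name)
    if names:  # an empty alias list would not parse under visudo, so emit EVERYTHING only when populated
        lines.append("Cmnd_Alias EVERYTHING = " + ", ".join(names))
    return "\n".join(lines) + "\n"


def build_demo():
    """Build a constructed directory (one executable, one data file, one subdirectory) and generate for it."""
    d = tempfile.mkdtemp(prefix="sudodigest_demo_")
    tool = os.path.join(d, "tool")
    with open(tool, "wb") as f:
        f.write(b"#!/bin/sh\necho hi\n")  # constructed sample "binary"
    os.chmod(tool, 0o755)
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"not a program\n")  # non-executable, must be skipped
    os.mkdir(os.path.join(d, "subdir"))  # directories are skipped as well
    return {"dir": d, "tool": tool, "digest": sha256_hex(tool), "text": build_sudoers([d])}


if __name__ == "__main__":
    # Real use, as root: build_sudoers(["/bin", "/sbin", "/usr/bin", "/usr/sbin"]) written to
    # /etc/sudoers.d/00-digests, then validated with `visudo -cf /etc/sudoers`.
    print(build_demo()["text"])
```

The output is meant to be written into a `sudoers.d` fragment and checked with `visudo -cf` exactly as in the quoted procedure. The concern raised earlier in the thread applies directly: every package upgrade changes digests, so the fragment must be regenerated (and re-validated) after patching, or the pinned commands stop being runnable via sudo.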