[sudo-users] scripting sudo's digest functions

Thomas Harrison pjcp64 at cox.net
Tue Jun 25 15:13:57 MDT 2019


I'll definitely give it a shot!  I used to play w tripwire a lot back in
the day and even created my own cksum monitoring script.

On Tue, Jun 25, 2019, 16:11 Thomas Harrison <pjcp64 at cox.net> wrote:

> ML - I saw that chapter in your book but was concerned that patching could
> cause issues if a binary changed.  Great book btw!
>
> On Tue, Jun 25, 2019, 15:20 Michael W. Lucas <mwlucas at michaelwlucas.com>
> wrote:
>
>> Hi,
>>
>> Sudo has a nifty digest-verification function, where it can check the
>> cryptographic digest of a command before running it.
>>
>> At my last job I wrote a couple perl scripts to build
>> platform-specific digest-checking sudoers files for all programs in
>> system directories. I've cleaned them up some and added Linux
>> support. They're not on github because once I do that other folks
>> might find them, and I'm not convinced this is a good thing.  But I'd
>> like some feedback, so I'm posting here.
>>
>> Code is at http://www-old.michaelwlucas.com/sudo/
>>
>> Usage:
>>
>> Set the directories you want to target at the top of $sudodigest.pl.
>>
>> # cd /etc/sudoers.d
>> # sudodigest.pl > 00-digests
>> # ids-sudoers.pl > 01-wheel
>> # visudo -cf /etc/sudoers
>>
>> This creates platform-unique aliases for each command, and an
>> EVERYTHING alias that includes all those aliases. There's also rules
>> to let wheel and sudo groups run everything. But you can cut those out
>> and do aliases like:
>>
>> Cmnd_Alias NOSHELL = EVERYTHING, !/bin/sh, !/bin/bash, !/bin/su
>> %wheel ALL=NOSHELL
>>
>> EVERYTHING is an explicit list of programs in system directories, so
>> it doesn't include user-created /tmp/sh.
>>
>> So: if you need sudo IDS, is this reasonable?
>>
>> ==ml
>>
>>
>> --
>> Michael W. Lucas        https://mwl.io/
>> author of: Absolute OpenBSD, SSH Mastery, git commit murder,
>> Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
>> ____________________________________________________________
>> sudo-users mailing list <sudo-users at sudo.ws>
>> For list information, options, or to unsubscribe, visit:
>> https://www.sudo.ws/mailman/listinfo/sudo-users
>>
>
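For readers who want to see the mechanism Michael describes (one digest-checked alias per system binary, an EVERYTHING alias collecting them, and re-hashing later to spot drift), here is an added example in Python. It is not Michael's perl code from http://www-old.michaelwlucas.com/sudo/ and is not part of the original thread; it uses sudoers' real `sha256:<hex> /path` digest syntax, but the alias naming scheme, the function names and the constructed temporary directory of fake binaries are this example's own choices.

```python
"""Build a sudoers digest fragment and later check it for drift (added example)."""
import hashlib
import os
import re
import stat
import tempfile


def alias_name(path):
    # /usr/bin/ls -> USR_BIN_LS; sudoers alias names must match [A-Z][A-Z0-9_]*
    name = re.sub(r"[^A-Za-z0-9]", "_", path.strip("/")).upper()
    return name if name[:1].isalpha() else "X_" + name


def sha256_hex(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def executables(dirs):
    # Only regular files with an execute bit; symlinks are skipped so a link
    # that is later repointed never inherits a digest-checked alias.
    for d in dirs:
        for entry in sorted(os.listdir(d)):
            p = os.path.join(d, entry)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                yield p


def digest_entries(dirs):
    """Return (alias, absolute path, sha256 hex) for every executable found."""
    return [(alias_name(p), p, sha256_hex(p)) for p in executables(dirs)]


def render_sudoers(entries, everything="EVERYTHING"):
    """Emit one digest-checked Cmnd_Alias per command plus a collecting alias."""
    lines = [f"Cmnd_Alias {a} = sha256:{d} {p}" for a, p, d in entries]
    if entries:
        # sudoers accepts backslash line continuation, which keeps the
        # EVERYTHING alias readable when there are thousands of commands.
        names = ", \\\n    ".join(a for a, _, _ in entries)
        lines.append(f"Cmnd_Alias {everything} = {names}")
    return "\n".join(lines) + "\n"


DIGEST_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*sha256:([0-9a-f]{64})\s+(\S+)\s*$")


def check_fragment(text):
    """Re-hash every command named in a fragment (the IDS use of the digests).

    Returns the paths whose on-disk digest no longer matches, or that vanished;
    sudo itself would simply refuse to run those, this reports them instead.
    """
    drift = []
    for line in text.splitlines():
        m = DIGEST_RE.match(line)
        if not m:
            continue
        _, recorded, path = m.groups()
        if not os.path.isfile(path) or sha256_hex(path) != recorded:
            drift.append(path)
    return drift


def demo():
    """Constructed scenario: two fake binaries, one of them modified afterwards."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("ls", b"#!/bin/sh\necho ls\n"), ("sh", b"#!/bin/sh\necho sh\n")):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(body)
            os.chmod(p, 0o755)
        with open(os.path.join(d, "README"), "w") as f:
            f.write("not executable, must not get an alias\n")
        entries = digest_entries([d])
        fragment = render_sudoers(entries)
        clean = check_fragment(fragment)            # nothing changed yet
        with open(os.path.join(d, "ls"), "ab") as f:
            f.write(b"# tampered\n")                # simulate a replaced binary
        drift = check_fragment(fragment)
        return {
            "aliases": [a for a, _, _ in entries],
            "fragment": fragment,
            "clean": clean,
            "drift": [os.path.basename(p) for p in drift],
        }


if __name__ == "__main__":
    result = demo()
    print(result["fragment"])
    print("drift:", result["drift"])
```

Pointed at real directories (`render_sudoers(digest_entries(["/bin", "/usr/bin"]))`), the output is the `00-digests` style fragment from the usage above, to be validated with `visudo -cf` before use; `check_fragment` run from cron against that file gives the "sudo IDS" behaviour the thread is asking about, since any command whose digest no longer matches is both reported and, from sudo's side, no longer runnable under its alias.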
