Setup of the SUDO command in Version 4
Note |
---|
The article you wrote assumes the user cred is either root, or aliased and a part of the SUDOer’s group for access to DMIDECODE. While in v3 in most cases uses a Child Credential, and then runs a script to grant a single SUDO -I session. |
...
Background
iQSonar v3 used a “Shell on Shell” approach to SSH scanning. This introduced complications when it came to the complexities and variances introduced by different versions of shells and terminals on different distributions of linux and unix operating systems. The approach effectively emulated what an end user would do on a target machine. The problems came when messages like “You’ve got mail” were printed to the terminal. While a human could simply ignore the text, it introduced many difficulties for iQSonar and often contaminated the results or caused scans to fail.
In iQSonar v4 the decision was made to use ssh channels as opposed to a shell on shell approach. This removed any complications introduced by shells and terminals and allowed the execution and interpretation of commands and raw results independently. While this approach is faster and more accurate, it does however bypass the loading of any shell so any shell profile setup (such as aliases) will be bypassed. This meant that the v3 approach to sudo (creating Aliases) was no longer effective as the alias information was only loaded once the shell was loaded.
In v4, iQSonar has taken control of sudo execution. As opposed to relying on complex target environment configuration to dictate where and when sudo is run, iQSonar v4 allows for central control of sudo execution. Once SUDO is enabled in iQSonar, when scanning a target, iQSonar first checks to see if the command is available to be run with sudo, if the answer is yes, it then executes the command with sudo, if not it executes it directly. There are specific configurations that need to be enabled on the target device with regard to sudo, but provided these configurations are met, iQSonar will scan any target environment using sudo where required
Note |
---|
In order for this to work the iQSonar scanning user must be added to the sudoers file and REQUIRETTY directive must be disabled either at a user or system level more details available in the scanning pre-requisites document |
Step-by-step guide
- From the UI navigate to Locations > Connections > SHH
- Change commandprefixcode to SUDO
- Change usecommandprefix to True
...
The command is:
{set the path};if sudo -l {command}>/dev/null; then sudo {command}; else {command};fi
The precise behaviour might be dependent on the user’s standard shell. ‘if’ is a shell command that can have slightly different behaviors on different shells.
Info |
---|
SUDO has to be in capital form as above |
Related articles
Filter by label (Content by label) | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Page Properties | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
|