Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 13 Next »

Background

iQSonar v3 used a “Shell on Shell” approach to SSH scanning. This introduced complications when it came to the complexities and variances introduced by different versions of shells and terminals on different distributions of linux and unix operating systems. The approach effectively emulated what an end user would do on a target machine. The problems came when messages like “You’ve got mail” were printed to the terminal. While a human could simply ignore the text, it introduced many difficulties for iQSonar and often contaminated the results or caused scans to fail.

In iQSonar v4 the decision was made to use ssh channels as opposed to a shell on shell approach. This removed any complications introduced by shells and terminals and allowed the execution and interpretation of commands and raw results independently. While this approach is faster and more accurate, it does however bypass the loading of any shell so any shell profile setup (such as aliases) will be bypassed. This meant that the v3 approach to sudo (creating Aliases) was no longer effective as the alias information was only loaded once the shell was loaded.

In v4, iQSonar has taken control of sudo execution. As opposed to relying on complex target environment configuration to dictate where and when sudo is run, iQSonar v4 allows for central control of sudo execution. Once SUDO is enabled in iQSonar, when scanning a target, iQSonar first checks to see if the command is available to be run with sudo, if the answer is yes, it then executes the command with sudo, if not it executes it directly. There are specific configurations that need to be enabled on the target device with regard to sudo, but provided these configurations are met, iQSonar will scan any target environment using sudo where required

In order for this to work the iQSonar scanning user must be added to the sudoers file and REQUIRETTY directive must be disabled either at a user or system level more details available in the scanning pre-requisites document

 

Step-by-step guide

  1. From the UI navigate to Locations > Connections > SHH
  2. Change commandprefixcode to SUDO
  3. Change usecommandprefix to True

 

The command is:

{set the path};if sudo -l {command}>/dev/null; then sudo {command}; else {command};fi

The precise behaviour might be dependent on the user’s standard shell. ‘if’ is a shell command that can have slightly different behaviors on different shells.

 

 

 

 

 

  • No labels