SUDO Privileges


When the iQCloud appliance logs in to a target using SSH, it has a number of commands that it needs to run in order to fully scan the target. Some of these commands can be run with normal user permissions, but some need escalated permissions. So, unless you have provided the appliance with root user credentials, you will need to configure the scan account user with the needed permissions via sudo.

The list of commands which are required to run using sudo may change as new appliance versions are released. If this list changes, this article will be updated to reflect any new requirements, and the appliance version which introduced the new requirement will be indicated.

Instructions

Typically, the command to edit sudo permissions for a user on any Unix-like operating system is visudo, which invokes the system editor (usually nano or vi / vim) to edit a special configuration file, the sudoers file, and checks its syntax before saving.

The easiest approach is to allow the scan user to run all commands using sudo. This approach removes any need to update the sudoers file when the appliance is updated, but it also poses a potential security risk, because anyone who obtains the scan account credentials can run any command as root on the target.

    # User privilege specification
    root     ALL=(ALL:ALL) ALL
    scanuser ALL=(ALL) NOPASSWD: ALL

A more robust approach would be to grant the account a list of explicitly permitted commands. This is more robust because a user who managed to compromise the scan account credentials would not be able to run commands that are not already on the list of commands authorised to the appliance, and these commands are generally non-destructive. The generic syntax to allow a single command (in this example /bin/ls) to be run without a password prompt would be:

    # User privilege specification
    scanuser ALL=NOPASSWD: /bin/ls

A more realistic example (since everyone can already use the ls command) might be to allow the scan user to query hardware data and boot data. (In some Unix/Linux versions, the dmesg and dmidecode commands return differing results depending on whether the user is root or not.)

    # Allow everyone to query hardware results
    %users ALL=(ALL) NOPASSWD: /usr/sbin/dmidecode, /usr/bin/dmesg

That entry demonstrates supplying a comma-separated list of commands.
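To check which of the two approaches above a host actually uses, the following added example (not part of the original article or of the appliance) audits sudoers text for rules granted to the scan account. It assumes one rule per line and a simplified grammar; the function name, finding labels and sample rules are constructed for illustration.

```python
import re

# Simplified shape of a sudoers user specification (one rule per line assumed):
#   who  hosts = [(runas)]  [TAG:] command[, [TAG:] command ...]
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^((?:NO)?(?:PASSWD|EXEC|SETENV))\s*:\s*")
ALIAS = re.compile(r"^[A-Z][A-Z0-9_]*$")  # Cmnd_Alias names; not resolved here

# Constructed sample, not taken from a real host or from the appliance docs.
SAMPLE = """\
# User privilege specification
root      ALL=(ALL:ALL) ALL
scanuser  ALL=(ALL) NOPASSWD: ALL
scanuser  ALL=(ALL) NOPASSWD: /usr/sbin/dmidecode, /usr/bin/dmesg
scanuser  ALL=(ALL) NOPASSWD: /bin/rm /tmp/scan-*, dmesg
"""

def audit_sudoers(text, account):
    """Return (line_number, finding) pairs, in file order, for `account`."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        match = SPEC.match(line)
        if not line or line.startswith("#") or not match or match["who"] != account:
            continue
        nopasswd = False
        for cmd in match["cmds"].split(","):
            cmd = cmd.strip()
            # A tag applies to the command it precedes and to those after it.
            while (tag := TAG.match(cmd)):
                if tag[1].endswith("PASSWD"):
                    nopasswd = tag[1] == "NOPASSWD"
                cmd = cmd[tag.end():]
            if cmd == "ALL":
                # Any command as root; worst case when no password is required.
                findings.append((number, "BLANKET_NOPASSWD" if nopasswd else "BLANKET_ALL"))
            elif ALIAS.match(cmd):
                continue  # alias contents must be reviewed separately
            elif not cmd.startswith("/"):
                findings.append((number, "NOT_ABSOLUTE_PATH"))
            elif "*" in cmd or "?" in cmd:
                # sudoers wildcards in arguments match across word boundaries,
                # so a pattern can admit more than the intended argument.
                findings.append((number, "WILDCARD"))
    return findings

if __name__ == "__main__":
    for number, finding in audit_sudoers(SAMPLE, "scanuser"):
        print(f"line {number}: {finding}")
```

The wildcard check matters for rules whose arguments vary between runs, such as the container-ID parameters mentioned below: prefer the exact command forms from the release notes over a broad pattern.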

Sample sudoers entry (Appliance 4.5.1410, RHEL 7.7 target with Docker installed)

Note: because some of the parameters passed to the commands contain Docker container IDs (e.g. the ln and rm commands), the full commands cannot be passed, but they are documented in the appliance release notes.

Commands not found on RHEL 7.7 that would be needed on other platforms include:

  • pfiles

  • pargs

  • lspv

  • bootinfo

  • print_manifest

  • cstm