
nessus sudo support question
Hi there

I was hoping to be able to use the sudo support to "ease the way" for me
getting access to certain sensitive Unix application servers we have. I
was hoping to be able to convince the App owners that they could use
sudo to limit what the scanner could do down to just the pieces they
were comfortable with.

However, I can see that nessus just assumes sudo is set to allow the
nessus account to run any command as root - not specific ones!

e.g.

sudo: tibs : TTY=pts/22 ; PWD=/home/nessus ; USER=root ;
COMMAND=/bin/sh -c echo nessus_su_${nb:-319115419} ; LC_ALL=C rpm -q -f
'/usr/sbin/sshd' || echo FileIsNotPackaged; echo nessus_su_${ne:-839977099}

Blarg. Basically that means sudo has to allow nessus to run /bin/sh as
root - sorta open don't you think?

How are others managing to cross the "group boundaries" when it comes to
audits? I can't believe that everyone just gives "the security group"
100% admin access to everything?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: nessus sudo support question
some places have a user in the domain administrator group that the nessus
scans use. some places have an administrator from the controlling group put
the password into nessus when these scans are run. some do allow the
security group to have root perms.

if this is a major concern for you, you can take the output of the sudo logs
that you have there and construct a fairly restricted set of sudo commands
and pop them into a sudo alias in the sudoers file. This is detailed in man
sudoers or in http://www.courtesan.com/sudo/man/sudoers.html .

I don't doubt that this would be a fairly tedious process :)

On Thu, Oct 2, 2008 at 8:09 PM, Jason Haar <Jason.Haar@trimble.co.nz> wrote:

> Hi there
>
> I was hoping to be able to use the sudo support to "ease the way" for me
> getting access to certain sensitive Unix application servers we have. I
> was hoping to be able to convince the App owners that they could use
> sudo to limit what the scanner could do down to just the pieces they
> were comfortable with.
>
> However, I can see that nessus just assumes sudo is set to allow the
> nessus account to run any command as root - not specific ones!
>
> e.g.
>
> sudo: tibs : TTY=pts/22 ; PWD=/home/nessus ; USER=root ;
> COMMAND=/bin/sh -c echo nessus_su_${nb:-319115419} ; LC_ALL=C rpm -q -f
> '/usr/sbin/sshd' || echo FileIsNotPackaged; echo nessus_su_${ne:-839977099}
>
> Blarg. Basically that means sudo has to allow nessus to run /bin/sh as
> root - sorta open don't you think?
>
> How are others managing to cross the "group boundaries" when it comes to
> audits? I can't believe that everyone just gives "the security group"
> 100% admin access to everything?
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>



--
Doug Nordwall
Unix, Network, and Security Administrator
You mean the vision is subject to low subscription rates?!!? - Scott Stone,
on MMORPGs
Re: nessus sudo support question
Doug Nordwall wrote:
>
> if this is a major concern for you, you can take the output of the
> sudo logs that you have there and construct a fairly restricted set of
> sudo commands and pop them into a sudo alias in the sudoers file. This
> is detailed in man sudoers or
> in http://www.courtesan.com/sudo/man/sudoers.html .
>
> I don't doubt that this would be a fairly tedious process :)
Have you actually tried that? :-)

sudo: tibs : TTY=pts/22 ; PWD=/home/nessus ; USER=root ;
COMMAND=/bin/sh -c echo nessus_su_${nb:-319115419} ; LC_ALL=C rpm -q -f
'/usr/sbin/sshd' || echo FileIsNotPackaged; echo nessus_su_${ne:-839977099}


So I have to make a sudo rule that allows someone to call "/bin/sh" as
root with randomly generated variables - but somehow doesn't allow them
to actually run /bin/sh as root in general...

That was the whole point of my email - you can't restrict sudo when
called in such a fashion. If it ran "sudo rpm", etc., that would be
achievable - but nessus calls it as "sudo /bin/sh... rpm ..." instead -
which isn't protectable. I bet Tenable have to do it that way for good
reason (probably some poky Unix platform they support can't work any
other way), but it makes the "sudo support" effectively non-existent.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

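As an added example (not code from this thread, from Nessus or from Tenable), here is Doug's suggestion of building a Cmnd_Alias from the sudo log, combined with the check Jason's reply implies: any logged command that goes through an interpreter such as "/bin/sh -c ..." is rejected instead of being turned into a rule, because the only sudoers entry that would match it is one granting the shell itself. The first log line is the one quoted in the thread; the other two lines, the alias name and the account name are constructed assumptions.

```python
import re

# Constructed sample sudo syslog lines: the first is the entry quoted in this
# thread, the other two are made up to show commands sudoers can pin exactly.
SAMPLE_LOG = """\
sudo: tibs : TTY=pts/22 ; PWD=/home/nessus ; USER=root ; COMMAND=/bin/sh -c echo nessus_su_${nb:-319115419} ; LC_ALL=C rpm -q -f '/usr/sbin/sshd' || echo FileIsNotPackaged; echo nessus_su_${ne:-839977099}
sudo: tibs : TTY=pts/22 ; PWD=/home/nessus ; USER=root ; COMMAND=/usr/bin/find / -perm -4000 -type f
sudo: tibs : TTY=pts/22 ; PWD=/home/nessus ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

LOG_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)
# Interpreters: a rule for "/bin/sh -c <anything>" is a rule for a root shell.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/ksh", "/bin/dash", "/usr/bin/env"}


def parse_sudo_log(text):
    """Return (invoking user, target user, command line) for each sudo entry."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entries.append((m["user"], m["runas"], m["cmd"].strip()))
    return entries


def classify(command):
    """'shell' if the program is an interpreter (unrestrictable), else 'exact'."""
    return "shell" if command.split()[0] in SHELLS else "exact"


def build_cmnd_alias(entries, alias="NESSUS_CMDS", account="nessus"):
    """Return (sudoers fragment, rejected commands).

    Kept commands carry their full argument list so sudoers matches them
    literally; a wildcard such as "/bin/rpm *" would reopen the hole the
    thread discusses, so none is generated here.
    """
    kept, rejected = [], []
    for _user, _runas, cmd in entries:
        (kept if classify(cmd) == "exact" else rejected).append(cmd)
    kept = sorted(set(kept))
    body = ", \\\n    ".join(kept)
    fragment = f"Cmnd_Alias {alias} = {body}\n{account} ALL=(root) NOPASSWD: {alias}\n"
    return fragment, rejected


if __name__ == "__main__":
    fragment, rejected = build_cmnd_alias(parse_sudo_log(SAMPLE_LOG))
    print(fragment)
    for cmd in rejected:
        print("cannot be restricted by sudoers:", cmd)
```

Feed it a real sudo log to see how much of a scan survives the filter; on the output shown in the thread the answer is none of the shell-wrapped checks.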
Re: nessus sudo support question
On Sat, 04 Oct 2008 09:26:09 +1300
Jason Haar <Jason.Haar@trimble.co.nz> wrote:

> That was the whole point of my email - you can't restrict sudo when
> called in such a fashion. If it ran "sudo rpm", etc., that would be
> achievable

If you are allowed to run rpm as root, you can get a full root access
rather easily, as you can replace any system file, or run pre or post
scripts. No?

Re: nessus sudo support question
Michel Arboi wrote:
>> That was the whole point of my email - you can't restrict sudo when
>> called in such a fashion. If it ran "sudo rpm", etc., that would be
>> achievable
>>
>
> If you are allowed to run rpm as root, you can get a full root access
> rather easily, as you can replace any system file, or run pre or post
> scripts. No?
>
So what you're really saying is that if anyone expects Nessus to be able
to provide a comprehensive report against Unix systems, then it has to
run as root-equivalent? Similar to Windows?

I think that needs saying, as otherwise people might be thinking
otherwise and producing poor reports.

I still think the "unpriv-account-running-sudo" option is better than
directly running as root as sudo logs all invocations via syslog - so
the App owner can see just what nessus did - and when their box crashes
- they won't be able to blame Nessus :-) (my primary concern)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

RE: nessus sudo support question
Wouldn't it be fairly easy to copy the plugin source for the script you
want to use and simply modify the sudo command accordingly?

--------
Jeff Mercer - CISO - Security Vulnerability Assessments


>-----Original Message-----
>From: nessus-bounces@list.nessus.org
>[mailto:nessus-bounces@list.nessus.org] On Behalf Of Jason Haar
>Sent: Friday, October 03, 2008 4:26 PM
>To: nessus@list.nessus.org
>Subject: Re: nessus sudo support question
>
>Doug Nordwall wrote:
>>
>> if this is a major concern for you, you can take the output of the
>> sudo logs that you have there and construct a fairly
>restricted set of
>> sudo commands and pop them into a sudo alias in the sudoers
>file. This
>> is detailed in man sudoers or
>> in http://www.courtesan.com/sudo/man/sudoers.html .
>>
>> I don't doubt that this would be a fairly tedious process :)
>Have you actually tried that? :-)
>
>sudo: tibs : TTY=pts/22 ; PWD=/home/nessus ; USER=root ;
>COMMAND=/bin/sh -c echo nessus_su_${nb:-319115419} ; LC_ALL=C rpm -q -f
>'/usr/sbin/sshd' || echo FileIsNotPackaged; echo
>nessus_su_${ne:-839977099}
>
>
>So I have to make a sudo rule that allows someone to call "/bin/sh" as
>root with randomly generated variables - but somehow doesn't allow them
>to actually run /bin/sh as root in general...
>
>That was the whole point of my email - you can't restrict sudo when
>called in such a fashion. If it ran "sudo rpm", etc., that would be
>achievable - but nessus calls it as "sudo /bin/sh... rpm ..." instead -
>which isn't protectable. I bet Tenable have to do it that way for good
>reason (probably some poky Unix platform they support can't work any
>other way), but it makes the "sudo support" effectively non-existent.
>
>--
>Cheers
>
>Jason Haar
>Information Security Manager, Trimble Navigation Ltd.
>Phone: +64 3 9635 377 Fax: +64 3 9635 417
>PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
Re: nessus sudo support question
On Sunday 05 October 2008 22:19:38 Jason Haar wrote:
> So what you're really saying is that if anyone expects Nessus to be able
> to provide a comprehensive report against Unix systems, then it has to
> run as root-equivalent?

root is necessary for the "audit" tests.
Patch checking can be done without extended privileges on most OS but root is
necessary on Trusted Solaris IIRC. On Gentoo, the account must at least be in
the "portage" group. There might be additional restrictions if the system is
running GrSec, SELinux or any similar security system...

> I think that needs saying, as otherwise people might be thinking
> otherwise and producing poor reports.

Yes, it is definitely better to run as root.

> I still think the "unpriv-account-running-sudo" option is better than
> directly running as root as sudo logs all invocations via syslog

sudo is also necessary on systems where the root account is disabled (Ubuntu
and MacOS for example)

Re: nessus sudo support question
Mercer, Jeff C - Raleigh, NC wrote:
> Wouldn't it be fairly easy to copy the plugin source for the script you
> want to use and simply modify the sudo command accordingly?
>
> -----

Nah. I'd guess the elaborate environment variable passing that the ssh*
scripts use is there for a reason. I bet the moment I start fiddling
with it, I'd break a whole bunch of things. I'll stick with the "this
is the way it has to be done" approach :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
