Hi there

I was hoping to be able to use the sudo support to "ease the way" for me
getting access to certain sensitive Unix application servers we have. I
was hoping to be able to convince the App owners that they could use
sudo to limit what the scanner could do down to just the pieces they
were comfortable with.

However, I can see that nessus just assumes sudo is set to allow the
nessus account to run any command as root - not specific ones!

e.g.

sudo: tibs : TTY=pts/22 ; PWD=/home/nessus ; USER=root ;
COMMAND=/bin/sh -c echo nessus_su_${nb:-319115419} ; LC_ALL=C rpm -q -f
'/usr/sbin/sshd' || echo FileIsNotPackaged; echo nessus_su_${ne:-839977099}

Blarg. Basically that means sudo has to allow nessus to run /bin/sh as
root - sorta open don't you think?

How are others managing to cross the "group boundaries" when it comes to
audits? I can't believe that everyone just gives "the security group"
100% admin access to everything?
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
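
Added example, not part of the original post and not Nessus code: a Python parser for sudo log entries like the one quoted above, reporting which executable sudoers had to permit and whether it was a shell wrapper. The first sample line is the post's entry joined onto one line, the second is constructed for contrast, and the function names are hypothetical.

```python
import os
import re

# A sudoers rule that permits one of these with "-c" permits any command.
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}

# sudo logs "<user> : KEY=value ; ... ; COMMAND=<rest of line>". COMMAND is the
# last field and may itself contain " ; ", so it must not be split on ";".
ENTRY = re.compile(r"sudo:\s+(?P<user>\S+)\s+:\s+(?P<fields>.*?)\s*;\s+COMMAND=(?P<cmd>.*)$")

def parse_sudo_entry(line):
    """Return what one sudo log entry says sudoers had to allow, or None."""
    m = ENTRY.search(line.strip())
    if m is None or not m.group("cmd").strip():
        return None
    fields = dict(f.strip().split("=", 1) for f in m.group("fields").split(";") if "=" in f)
    argv = m.group("cmd").split(None, 2)  # executable, first argument, remainder
    wrapper = (os.path.basename(argv[0]) in SHELLS
               and len(argv) > 1 and argv[1] == "-c")
    return {
        "user": m.group("user"),
        "runas": fields.get("USER"),
        "executable": argv[0],  # the path a sudoers rule would have to list
        "shell_wrapper": wrapper,
        "payload": argv[2] if wrapper and len(argv) > 2 else None,
    }

def sudoers_exposure(lines):
    """Map each user to the executables sudoers had to permit, flagging shells."""
    report = {}
    for entry in filter(None, map(parse_sudo_entry, lines)):
        info = report.setdefault(entry["user"], {"executables": set(), "unrestricted": False})
        info["executables"].add(entry["executable"])
        info["unrestricted"] |= entry["shell_wrapper"]
    return report

SAMPLE_LOG = [
    # Entry from the post, joined onto one line.
    "sudo: tibs : TTY=pts/22 ; PWD=/home/nessus ; USER=root ; COMMAND=/bin/sh -c "
    "echo nessus_su_${nb:-319115419} ; LC_ALL=C rpm -q -f '/usr/sbin/sshd' || "
    "echo FileIsNotPackaged; echo nessus_su_${ne:-839977099}",
    # Constructed entry: the same query run directly, without a shell wrapper.
    "sudo: auditor : TTY=pts/3 ; PWD=/home/auditor ; USER=root ; "
    "COMMAND=/bin/rpm -q -f /usr/sbin/sshd",
]

if __name__ == "__main__":
    for user, info in sudoers_exposure(SAMPLE_LOG).items():
        print(user, sorted(info["executables"]), "unrestricted:", info["unrestricted"])
```
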