We are performing vulnerability assessment scans against an Ubuntu server. I'm trying to lock down this scanning account with least privilege and only grant the commands the tool requires to do its job (perform a VA assessment) vs. giving it full sudo privileges.
Upon reviewing the /var/log/auth file to determine which sudo commands are being issued during the scan I noticed the command is issued in the following format:
/bin/bash -c echo 'Rapid7Echo'; (COMMAND) | sed 's/^/R7stdout: /'
*** where COMMAND is a specific executable being run, such as cat, echo, java and so on.
Here is an example:
COMMAND=/bin/bash -c echo 'Rapid7Echo';(cat /var/lib/snmp/snmpd.conf) | sed 's/^/R7stdout: /'
If I whitelist "/bin/bash -c echo *" it grants full sudo access for every command issued. I'm hoping that there is a way to allow /bin/bash with the first echo and run the command in the first set of round brackets. Example from above.... allow "cat" to run.
Appreciate any help that can be offered.
Thanks!
See man 5 sudoers, the fragment from "Wildcards in command line arguments should be used with care" to "In most cases it is better to do command line processing outside of the sudoers file in a scripting language". – Kamil Maciorowski – 2019-07-23T00:20:29.470
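The comment's advice, doing the command-line processing in a script rather than in a sudoers wildcard, as an added example that is not part of the question, the comment, or any Rapid7 documentation. It assumes a hypothetical wrapper script (called r7-run here) that receives the same string the scanner passes to `/bin/bash -c`, and that the scanner or an intermediate shim can be pointed at that wrapper instead of /bin/bash; the page does not say whether that is possible, so treat it as an assumption. The validator accepts only the exact framing seen in the auth log, rejects every shell metacharacter inside the round brackets, and then checks the inner executable against a fixed allow-list. The allow-list contents and the sample payloads are constructed for the example.

```bash
#!/bin/bash
# Added example, not from the original question or from Rapid7.
# The scanner passes a string of this fixed shape to "bash -c":
#   echo 'Rapid7Echo'; (COMMAND ARGS) | sed 's/^/R7stdout: /'
# Instead of matching it with a sudoers wildcard (which lets any COMMAND
# through), the wrapper below parses it, rejects anything that is not the
# expected shape, and only then runs an allow-listed COMMAND.

# Hypothetical allow-list: the bare executable names observed in the scan.
# Names must match exactly, so "/bin/cat" is not accepted, only "cat".
R7_ALLOWED="cat echo java uname"

# r7_validate PAYLOAD
#   Prints "COMMAND ARGS" and returns 0 if PAYLOAD is acceptable,
#   returns 1 (prints nothing) otherwise.
r7_validate() {
    local payload=$1 inner cmd args a
    # Whole-string match of the scanner's framing; the inner command is
    # captured. ^ in the sed expression and | are escaped for ERE.
    local re="^echo 'Rapid7Echo'; \((.*)\) \| sed 's/\^/R7stdout: /'$"
    [[ $payload =~ $re ]] || return 1
    inner=${BASH_REMATCH[1]}
    # Refuse any character that could change how the inner command is run:
    # ; & | < > $ ` ( ) * ? [ ] { } ~ quotes, backslashes and newlines.
    local bad='[^A-Za-z0-9_./=: -]'
    [[ $inner =~ $bad ]] && return 1
    # First word is the executable, the rest are its arguments.
    read -r cmd args <<< "$inner"
    for a in $R7_ALLOWED; do
        if [[ $cmd == "$a" ]]; then
            printf '%s\n' "$inner"
            return 0
        fi
    done
    return 1
}

# r7_run PAYLOAD
#   What the sudoers-approved wrapper would do: reproduce the scanner's
#   output framing without ever handing the raw string to a shell.
r7_run() {
    local inner
    inner=$(r7_validate "$1") || { echo "r7_run: rejected payload" >&2; return 1; }
    echo 'Rapid7Echo'
    # Word-splitting of the validated string is intended; globbing cannot
    # happen because * ? [ were rejected above.
    # shellcheck disable=SC2086
    ( $inner ) | sed 's/^/R7stdout: /'
}

# Invoked like bash: r7-run -c "<payload>"
if [[ $# -ge 2 && $1 == -c ]]; then
    r7_run "$2"
fi
```

With this in place the sudoers entry no longer needs a wildcard at all; something like `scanner ALL=(root) NOPASSWD: /usr/local/sbin/r7-run` (hypothetical path) grants exactly one executable, and the decision about which inner commands are acceptable lives in R7_ALLOWED, where it can be reviewed and tested. Note what the validator does not restrict: once `cat` is allowed, any readable path can be passed to it, so keep the allow-list to executables whose worst case you accept.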