%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
# Open second terminal with root shell. Keep this as a possibility to assume
# root privileges if you loose the ability to do so via sudo during testing.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
# Make sure we are looking at the correct version
sudo -V | grep version
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
# Test digest feature
# Make sure that the following line is commented out in /etc/sudoers:
# ALL ALL=(ALL) NOPASSWD: ALL
openssl dgst -sha224 /usr/bin/ls # make note of the hash
# Add this line to sudoers (replace UID by your user ID and HASH by the ls
# hash):
<UID> ALL = sha224:<HASH> /usr/bin/ls
# This should work (asking you a password first)
sudo /usr/bin/ls /
# Now change the hash so that it is wrong and make sure it does not work this
# time
sudo /usr/bin/ls /
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
# add this line to sudoers
ALL ALL=(ALL:ALL) NOPASSWD: ALL
# Make sure it gives you root account
sudo id
# Make sure this changes just your group
sudo -g sol_src id
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
# Test creating a file in etc
sudoedit /etc/test
...
cat /etc/test # Make sure the text is there
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
# Auditing
cd /var/audit
sudo /usr/sbin/audit -t
sudo rm *
sudo /usr/sbin/audit -s
sudo auditreduce * | praudit -s
> file,1970-01-01 00:00:00.000 +00:00,
> file,2014-03-27 10:34:23.000 +00:00,
# Make sure that since the first run we can see new auditing record
sudo auditreduce * | praudit -s
> file,2014-03-27 10:34:23.000 +00:00,
> header,158,2,AUE_sudo,,10.0.2.15,2014-03-27 10:34:23.735 +00:00
> subject,vmarek,root,staff,vmarek,staff,2295,3108723863,5096 202240 10.0.2.2
> path,/var/share/audit
> path,/usr/sbin/auditreduce
> cmd,argcnt,1,20140327103420.not_terminated.S12-43,envcnt,0,
> return,success,0
> file,2014-03-27 10:34:23.000 +00:00,
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
# PAM credentials
# Make sure that 'root' is a role
sudo usermod -K type=role root
# Note the preselection mask, it should probably be 'lo(0x1000,0x1000)'
sudo bash -c 'auditconfig -getpinfo $$'
# Add audit flags to root
sudo rolemod -K audit_flags=lo,ex:no root
# Make sure that the preselection mask now shows new entries (lo,ex)
sudo bash -c 'auditconfig -getpinfo $$'
# Disable PAM credentials in sudo by adding this line to sudoers:
Defaults !pam_setcred
# Make sure that the preselection mask now shows only previous entry
sudo bash -c 'auditconfig -getpinfo $$'
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
# Solaris privileges
# Add this to the end sudoers keeping the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' above
<UID> ALL = () PRIVS="basic,dtrace_kernel,dtrace_proc,dtrace_user" NOPASSWD: /usr/sbin/dtrace, /usr/bin/bash
# Just your regular id
id
> uid=157888(vmarek) gid=10(staff)
# Sudo normally turning you into root via the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' line
sudo id
> uid=0(root) gid=0(root)
# For bash it should leave your ID and just grant dtrace privileges
sudo bash -c 'id; ppriv $$'
uid=157888(vmarek) gid=10(staff)
> 2296: bash -c id; ppriv $$
> flags = <none>
> E: basic,dtrace_kernel,dtrace_proc,dtrace_user
> I: basic,dtrace_kernel,dtrace_proc,dtrace_user
> P: basic,dtrace_kernel,dtrace_proc,dtrace_user
> L: basic,dtrace_kernel,dtrace_proc,dtrace_user
# dtrace functionality
sudo dtrace -l -n 'syscall::b*:entry'
> ID PROVIDER MODULE FUNCTION NAME
> 11282 syscall brk entry
> 11550 syscall brandsys entry
> 11642 syscall bind entry
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
# Test noexec
# Verify the following works
$ sudo /usr/perl5/5.12/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"'
before
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),6(mail),7(tty),8(lp),12(daemon)
after
# Add the following to sudoers
ALL ALL = NOPASSWD: NOEXEC: /usr/perl5/5.12/bin/perl
# Now Perl should be prevent to run further commands, so the output is
$ sudo /usr/perl5/5.12/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"'
before
after
# Perl itself works as expected
$ /usr/perl5/5.12/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"'
before
uid=101(rimmer) gid=10(staff) groups=10(staff)
after