2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/A
2677N/A# Open a second terminal with a root shell. Keep it open as a way to regain
2677N/A# root privileges if you lose the ability to do so via sudo during testing.
2677N/A
2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/A
2677N/A# Make sure we are looking at the correct version
2677N/Asudo -V | grep version
2677N/A
2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/A
2677N/A# Test digest feature
2677N/A
5495N/A# Make sure that the following line is commented out in /etc/sudoers; if it
5495N/A# is active it would allow the command regardless of the digest, so the
5495N/A# wrong-hash check below would not fail:
5495N/A# ALL ALL=(ALL) NOPASSWD: ALL
5495N/A
2677N/Aopenssl dgst -sha224 /usr/bin/ls # make note of the hash
2677N/A
2677N/A# Add this line to sudoers (replace UID by your user ID and HASH by the ls
2677N/A# hash):
2677N/A<UID> ALL = sha224:<HASH> /usr/bin/ls
2677N/A
2677N/A# This should work (asking you for a password first)
2677N/Asudo /usr/bin/ls /
2677N/A
2677N/A# Now change the hash in sudoers so that it is wrong and make sure the same
2677N/A# command is refused this time
2677N/Asudo /usr/bin/ls /
2677N/A
2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/A
2677N/A# add this line to sudoers
2677N/AALL ALL=(ALL:ALL) NOPASSWD: ALL
2677N/A
2677N/A# Make sure it gives you the root account
2677N/Asudo id
2677N/A
2677N/A# Make sure this changes only your group (the user stays the same)
2677N/Asudo -g sol_src id
2677N/A
2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/A
2677N/A# Test creating a file in /etc via sudoedit
2677N/Asudoedit /etc/test
2677N/A...
2677N/Acat /etc/test # Make sure the text is there
2677N/A
2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/A
2677N/A# Auditing: stop the audit daemon, clear the old trail files, restart it,
2677N/A# then inspect the trail
2677N/Acd /var/audit
2677N/Asudo /usr/sbin/audit -t
2677N/Asudo rm *
2677N/Asudo /usr/sbin/audit -s
2677N/Asudo auditreduce * | praudit -s
2677N/A> file,1970-01-01 00:00:00.000 +00:00,
2677N/A> file,2014-03-27 10:34:23.000 +00:00,
2677N/A
2677N/A# Make sure that a new audit record has appeared since the first run
2677N/Asudo auditreduce * | praudit -s
2677N/A> file,2014-03-27 10:34:23.000 +00:00,
2677N/A> header,158,2,AUE_sudo,,10.0.2.15,2014-03-27 10:34:23.735 +00:00
2677N/A> subject,vmarek,root,staff,vmarek,staff,2295,3108723863,5096 202240 10.0.2.2
2677N/A> path,/var/share/audit
2677N/A> path,/usr/sbin/auditreduce
2677N/A> cmd,argcnt,1,20140327103420.not_terminated.S12-43,envcnt,0,
2677N/A> return,success,0
2677N/A> file,2014-03-27 10:34:23.000 +00:00,
2677N/A
2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/A
2677N/A# PAM credentials
2677N/A
2677N/A# Make sure that 'root' is a role
2677N/Asudo usermod -K type=role root
2677N/A
7299N/A# Note the preselection mask; it should probably be 'sstore(0x200031000,0x200031000)'
2677N/Asudo bash -c 'auditconfig -getpinfo $$'
2677N/A
2677N/A# Add audit flags to root
7299N/Asudo rolemod -K audit_flags=ex:no root
2677N/A
2677N/A# Make sure that the preselection mask now shows the new entries (lo,ex)
2677N/Asudo bash -c 'auditconfig -getpinfo $$'
2677N/A
2677N/A# Disable PAM credentials in sudo by adding this line to sudoers:
2677N/ADefaults !pam_setcred
2677N/A
2677N/A# Make sure that the preselection mask now shows only the previous entry
2677N/Asudo bash -c 'auditconfig -getpinfo $$'
2677N/A
2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/A
2677N/A# Solaris privileges
2677N/A
2677N/A# Add this to the end of sudoers, keeping the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' line above it
2677N/A<UID> ALL = () PRIVS="basic,dtrace_kernel,dtrace_proc,dtrace_user" NOPASSWD: /usr/sbin/dtrace, /usr/bin/bash
2677N/A
2677N/A# Just your regular id
2677N/Aid
2677N/A> uid=157888(vmarek) gid=10(staff)
2677N/A
2677N/A# Sudo normally turns you into root via the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' line
2677N/Asudo id
2677N/A> uid=0(root) gid=0(root)
2677N/A
2677N/A# For bash it should keep your own UID and only grant the dtrace privileges
2677N/Asudo bash -c 'id; ppriv $$'
2677N/Auid=157888(vmarek) gid=10(staff)
2677N/A> 2296: bash -c id; ppriv $$
2677N/A> flags = <none>
2677N/A> E: basic,dtrace_kernel,dtrace_proc,dtrace_user
2677N/A> I: basic,dtrace_kernel,dtrace_proc,dtrace_user
2677N/A> P: basic,dtrace_kernel,dtrace_proc,dtrace_user
2677N/A> L: basic,dtrace_kernel,dtrace_proc,dtrace_user
2677N/A
2677N/A# dtrace functionality
2677N/Asudo dtrace -l -n 'syscall::b*:entry'
2677N/A> ID PROVIDER MODULE FUNCTION NAME
2677N/A> 11282 syscall brk entry
2677N/A> 11550 syscall brandsys entry
2677N/A> 11642 syscall bind entry
5495N/A
5495N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
5495N/A
5495N/A# Test noexec
5495N/A
5495N/A# Verify that the following works before NOEXEC is configured
5495N/A
7299N/A$ sudo /usr/perl5/5.22/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"'
5495N/Abefore
5495N/Auid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),6(mail),7(tty),8(lp),12(daemon)
5495N/Aafter
5495N/A
5495N/A# Add the following to sudoers
5495N/A
7299N/AALL ALL = NOPASSWD: NOEXEC: /usr/perl5/5.22/bin/perl
5495N/A
5495N/A# Now Perl should be prevented from running further commands, so the output is
5495N/A
7299N/A$ sudo /usr/perl5/5.22/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"'
5495N/Abefore
5495N/Aafter
5495N/A
5495N/A# Perl itself (run without sudo) works as expected
5495N/A
7299N/A$ /usr/perl5/5.22/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"'
5495N/Abefore
5495N/Auid=101(rimmer) gid=10(staff) groups=10(staff)
5495N/Aafter
7299N/A
7299N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
7299N/A
7299N/A# Verify that the "Last login..." message does not appear
7299N/A
7299N/A$ sudo /bin/date
7299N/AThu Nov 10 08:24:57 UTC 2016