2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/A# Open second terminal with root shell. Keep this as a possibility to assume
2677N/A# root privileges if you loose the ability to do so via sudo during testing.
2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/A# Make sure we are looking at the correct version
2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/A# Add this line to sudoers (replace UID by your user ID and HASH by the ls
2677N/A# This should work (asking you a password first)
2677N/A# Now change the hash so that it is wrong and make sure it does not work this
2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/AALL ALL=(ALL:ALL) NOPASSWD: ALL
2677N/A# Make sure it gives you root account
2677N/A# Make sure this changes just your group
2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/A# Test creating a file in etc
2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/Asudo auditreduce * | praudit -s
2677N/A> file,1970-01-01 00:00:00.000 +00:00,
2677N/A> file,2014-03-27 10:34:23.000 +00:00,
2677N/A# Make sure that since the first run we can see new auditing record
2677N/Asudo auditreduce * | praudit -s
2677N/A> file,2014-03-27 10:34:23.000 +00:00,
2677N/A> header,158,2,AUE_sudo,,10.0.2.15,2014-03-27 10:34:23.735 +00:00
2677N/A> subject,vmarek,root,staff,vmarek,staff,2295,3108723863,5096 202240 10.0.2.2
2677N/A> file,2014-03-27 10:34:23.000 +00:00,
2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/A# Make sure that 'root' is a role
2677N/Asudo usermod -K type=role root
2677N/A# Note the preselection mask, it should probably be 'lo(0x1000,0x1000)'
2677N/Asudo bash -c 'auditconfig -getpinfo $$'
2677N/Asudo rolemod -K audit_flags=lo,ex:no root
2677N/A# Make sure that the preselection mask now shows new entries (lo,ex)
2677N/Asudo bash -c 'auditconfig -getpinfo $$'
2677N/A# Disable PAM credentials in sudo by adding this line to sudoers:
2677N/A# Make sure that the preselection mask now shows only previous entry
2677N/Asudo bash -c 'auditconfig -getpinfo $$'
2677N/A%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2677N/A# Add this to the end sudoers keeping the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' above
2677N/A> uid=157888(vmarek) gid=10(staff)
2677N/A# Sudo normally turning you into root via the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' line
2677N/A# For bash it should leave your ID and just grant dtrace privileges
2677N/Auid=157888(vmarek) gid=10(staff)
2677N/A> 2296: bash -c id; ppriv $$
2677N/A> E: basic,dtrace_kernel,dtrace_proc,dtrace_user
2677N/A> I: basic,dtrace_kernel,dtrace_proc,dtrace_user
2677N/A> P: basic,dtrace_kernel,dtrace_proc,dtrace_user
2677N/A> L: basic,dtrace_kernel,dtrace_proc,dtrace_user
2677N/Asudo dtrace -l -n 'syscall::b*:entry'
2677N/A> ID PROVIDER MODULE FUNCTION NAME
2677N/A> 11550 syscall brandsys entry