VMware Cloud Community
Stuarty1874
Contributor

SUDO Configuration

I need to configure SUDO to allow two sets of specific users to log on to the Service Console.

They are ESX Server Administrator and ID Management.

I've got a handle on how I can allow the ESX Server Administrator access, but I'm unsure of how I give the minimum amounts of rights to the ID Administrator.

I'm thinking that the process I'd like to use for the ID Administrator is to only allow them to run a specific "UserAdd or UserRemove" bash script.

Can anyone offer any advice on how I should configure SUDO to allow the ID Administrator group to only run a specific script/scripts?

I'm looking to learn so I'll carry on doing some research in the meantime.

Any advice is much appreciated.

Thanks in advance.

5 Replies
Texiwill
Leadership

Hello,

Moved to the Security Forum. There are a couple of things you can do....

Defaults syslog=auth

# Deny shells, editing of sudoers, and su. The "*" wildcards are restored here
# (the forum display dropped them); in sudoers a wildcard in a path does not
# match "/", so /usr/*/sh covers /usr/bin/sh and /usr/*/*/sh covers /usr/local/bin/sh.
Cmnd_Alias SHELLCMD=!/bin/sh,!/usr/*/sh,!/usr/*/*/sh
Cmnd_Alias SUDOERS=!/bin/* /etc/sudoers,!/usr/* /etc/sudoers,!/usr/*/* /etc/sudoers*
Cmnd_Alias SUCMD=!/bin/su,!/bin/* /bin/su,!/usr/* /bin/su,!/usr/*/* /bin/su*

# Account-management commands: granted to idmgmt, explicitly denied to wheel
Cmnd_Alias USERCMD=/usr/sbin/useradd,/usr/sbin/userdel,/usr/sbin/usermod
Cmnd_Alias NOUSERCMD=!/usr/sbin/useradd,!/usr/sbin/userdel,!/usr/sbin/usermod

%wheel ALL=/bin/*,/usr/bin/*,SHELLCMD,SUDOERS,SUCMD,NOUSERCMD
idmgmt ALL=USERCMD

You can easily add in capabilities to allow idmgmt to manipulate groups as well. But these should work for you. Note that we have disabled su capability as well as the ability to edit sudoers for anyone in %wheel, mainly because su is not audited. You may need to allow visudo by someone to make the necessary changes.


Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMware ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
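The USERCMD alias above grants the raw useradd/userdel/usermod binaries, so idmgmt can pass them any option. The "UserAdd or UserRemove" script the original poster has in mind is the tighter alternative: sudo grants one script, and the script is the policy. Below is an added example of such a wrapper; it is not code from this thread, from Edward Haletky, or from VMware. The script name /usr/local/sbin/idm-useradd, the group name idmgmt, the sudoers line in the header comment, the MIN_UID cut-off of 500 and the IDM_DRYRUN switch are all assumptions made for the example.

```sh
#!/bin/sh
# idm-useradd: a hypothetical wrapper (added example, not from the thread)
# that lets an ID-management group create and remove accounts through sudo
# without being able to pass arbitrary arguments to useradd/userdel.
# Assumed sudoers entry (group name and path are assumptions):
#     %idmgmt ALL = /usr/local/sbin/idm-useradd
# sudo hands the arguments to the script unchanged, so the script enforces:
# exactly one action and one username, a strict username pattern, a fixed
# PATH, and no user input ever reaching a shell unquoted.

set -u
PATH=/usr/sbin:/usr/bin:/sbin:/bin   # never trust the caller's PATH
export PATH

MIN_UID=500   # lowest non-system uid on RHEL3-era systems (assumption)

# Accept only a portable username: first char [a-z_], then [a-z0-9_-],
# at most 32 characters. Rejects "-r", "bob;id", "Alice", "" and so on.
validate_username() {
    case "$1" in
        ''|*[![:lower:][:digit:]_-]*) return 1 ;;   # empty or bad character
        [[:lower:]_]*) ;;                            # acceptable first char
        *) return 1 ;;                               # digit or '-' first
    esac
    [ "${#1}" -le 32 ]
}

# True when the account exists and its uid is below MIN_UID.
is_system_account() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -lt "$MIN_UID" ]
}

# Perform (or, when IDM_DRYRUN is set, print) the privileged command.
# Return codes: 0 ok, 2 bad input, 3 account exists, 4 refused.
run_action() {
    action=$1
    user=$2
    validate_username "$user" || { echo "idm-useradd: invalid username" >&2; return 2; }
    run=${IDM_DRYRUN:+echo}   # "echo" in dry-run mode, empty otherwise

    case "$action" in
        add)
            if id "$user" >/dev/null 2>&1; then
                echo "idm-useradd: account exists: $user" >&2; return 3
            fi
            # "--" stops useradd from ever treating the name as an option
            $run useradd -m -s /bin/bash -- "$user" || return $?
            ;;
        remove)
            if is_system_account "$user"; then
                echo "idm-useradd: refusing to remove system account: $user" >&2; return 4
            fi
            $run userdel -r -- "$user" || return $?
            ;;
        *)
            echo "usage: idm-useradd add|remove USERNAME" >&2; return 2
            ;;
    esac
    # Record who did what; sudo sets SUDO_USER to the invoking account.
    if [ -z "$run" ] && command -v logger >/dev/null 2>&1; then
        logger -t idm-useradd "${SUDO_USER:-unknown} $action $user"
    fi
    return 0
}

# With no arguments the file only defines its functions (handy for
# sourcing in tests); otherwise run the requested action.
if [ $# -gt 0 ]; then
    [ $# -eq 2 ] || { echo "usage: idm-useradd add|remove USERNAME" >&2; exit 2; }
    run_action "$1" "$2"
    exit $?
fi
```

A sudoers grant of a single script is only as strong as that script's argument handling, which is why the wrapper pins PATH, validates the name with a whitelist pattern, terminates options with "--" and refuses to delete low-uid accounts. Running it directly (not through sudo, which would reset the environment) as `IDM_DRYRUN=1 ./idm-useradd add alice` prints the useradd command it would execute instead of running it.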
Stuarty1874
Contributor

Hi Ed, thanks for the response.

I've attached a copy of my SUDOERS file. I appreciate that there is quite a lot in here, but my organization is asking for a standard configuration across many platforms and we therefore need to include the aliases.

One of the things that "they" are asking for is for me to use the noexec parameter and I'm having a little difficulty making sure I comply. Can you offer me any advice? In the meantime I'll continue with my research.

Texiwill
Leadership

Hello,

Considering that ESX 3.5 does not understand noexec, that may be difficult. Not sure about vSphere, but I have a feeling it does.... Run sudo -V | grep "dummy exec" to determine if the support is compiled in. Remember, NOEXEC may or may not protect you; it depends on how programs were compiled. It is not a cure-all but will protect against shell escapes from things such as vi. So if it is there, I would use it.


Best regards,

mcrampton
Enthusiast

Hi Texiwill, can you point me to any documentation indicating noexec will not work on ESX 3.5? We have a meeting today regarding this and some security exploits in Unix and Linux OSes which it is supposed to fix. If I can provide documentation that it's not supported in ESX 3.5, it will go a long way towards making my life easier. Thanks.

Texiwill
Leadership

Hello,

On a stock 3.5 system the command 'sudo -V | grep "dummy exec"' returns a blank line. This implies that noexec is not supported within this version of sudo. Also, if you do a 'man sudoers' you will find no reference to NOEXEC. Remember, the 3.5 SC is really RHEL3 U8 and a 2.4 kernel. It is a bit old....

If you modify the stock 3.5 system to add your own sudo, you can get the noexec feature. Not something I really do.

Instead I would investigate the use of the HyTrust appliance, or use the VIC as much as possible. That way the issue does not come up much.

NOEXEC, for example, can be used to prevent calls to shells from within vi; the way I do this is to NOT allow vi or any editor to be used. Instead you copy the files out, modify them, then copy them back in. There are quite a few ways to get what you need from sudo.


Best regards,
