Deprecate prepare subcommand to minimize the root authority defined by /etc/sudoers #375

Merged (2 commits) on Mar 13, 2017


kotakanbe (Member) commented Mar 7, 2017

Note: Support for CentOS 5 has ended, so please do not update Vuls if you are using CentOS 5.

Dependent packages can be easily installed manually, with Ansible, etc.

I want to minimize the root authority defined by /etc/sudoers, but the content of /etc/sudoers differs between prepare and scan.

For security reasons, I do not want to allow yum install in /etc/sudoers.
If Vuls users need to change /etc/sudoers after executing prepare, the setup becomes complicated.

Modify the configtest subcommand.
In the configtest subcommand, check the following:

  • Check if dependencies are installed
  • Confirm whether the command issued by scan can be executed normally

TODO List

  • Remove prepare subcommand
  • Check tightly with configtest subcommand
  • #README

configtest Subcommand

  • Check if dependencies are installed
  • Check if dependencies are available
  • Check sudo permissions

Dependency Packages

| Distribution | Release        | Requirements         |
|--------------|----------------|----------------------|
| Ubuntu       | 12, 14, 16     | -                    |
| Debian       | 7, 8           | aptitude             |
| CentOS       | 6, 7           | yum-plugin-changelog |
| Amazon       | All            | -                    |
| RHEL         | 5              | yum-security         |
| RHEL         | 6, 7           | -                    |
| FreeBSD      | 10             | -                    |
| Raspbian     | Wheezy, Jessie | -                    |

Minimize root authority

  • CentOS
      vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --changelog --assumeno update *
      Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
  • RHEL 5
      vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never list-security --security, /usr/bin/yum --color=never check-update, /usr/bin/yum --color=never info-security
      Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
  • RHEL 6, 7
      vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never --security updateinfo list updates, /usr/bin/yum --color=never check-update, /usr/bin/yum --color=never --security updateinfo updates
      Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
  • Amazon Linux
  • Debian
      vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
      Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
  • Ubuntu/Raspbian
      vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
      Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
  • FreeBSD

Test

| Distribution | /sudoers | OS         |
|--------------|----------|------------|
| Ubuntu       | OK       | 12, 14, 16 |
| Debian       | OK       | 7, 8       |
| CentOS       | OK       | 6, 7       |
| Amazon       | OK       | All        |
| RHEL         | OK       | 5          |
| RHEL         | OK       | 6, 7       |
| FreeBSD      |          | 10         |
| Raspbian     |          | Jessie     |

What did you implement:

Closes #365

How did you implement it:

How can we verify it:

Todos:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: NO
Is it a breaking change?: YES
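The sudo-permission check the configtest subcommand is meant to perform, written here in Go as an added illustration; it is not code from Vuls or from this PR. It models sudoers command matching with filepath.Match (program path must be identical, the argument string is globbed as a whole, so a trailing `*` spans spaces as in real sudo), and the sample commands in the test are constructed; the Debian and CentOS rule strings are the ones quoted in the description.

```go
package main

import (
	"path/filepath"
	"strings"
)

// Sudoers rules quoted from the PR description (the CentOS and Debian entries).
var sudoersRules = map[string]string{
	"centos": "vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --changelog --assumeno update *",
	"debian": "vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update",
}

// parseSpecs returns the command specs listed after NOPASSWD: in a rule line.
func parseSpecs(rule string) (specs []string) {
	if _, after, ok := strings.Cut(rule, "NOPASSWD:"); ok {
		for _, s := range strings.Split(after, ",") {
			specs = append(specs, strings.TrimSpace(s))
		}
	}
	return specs
}

// allowed approximates sudoers matching (a model, not sudo's parser): the
// program path must be identical and the whole argument string must glob-match
// the spec's arguments, so a trailing '*' also spans spaces as it does in sudo.
func allowed(specs []string, cmd string) bool {
	cmdPath, cmdArgs, _ := strings.Cut(cmd, " ")
	for _, spec := range specs {
		specPath, specArgs, _ := strings.Cut(spec, " ")
		ok, _ := filepath.Match(specArgs, cmdArgs)
		if spec == "ALL" || (ok && specPath == cmdPath) {
			return true
		}
	}
	return false
}

// tooBroad flags a rule that grants more than scan needs: ALL, or a program
// allowed with arbitrary arguments (the yum install case the author rejects).
func tooBroad(rule string) bool {
	for _, s := range parseSpecs(rule) {
		if _, args, _ := strings.Cut(s, " "); s == "ALL" || args == "*" {
			return true
		}
	}
	return false
}
```

On a real host the same check would be run against the output of `sudo -l -U vuls` rather than a pasted rule string.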

@kotakanbe kotakanbe added this to the v0.3.0 milestone Mar 7, 2017
@kotakanbe kotakanbe changed the title [WIP]Deprecate prepare subcommand to minimize the root authority defined b… [WIP]Deprecate prepare subcommand to minimize the root authority defined by /etc/sudoers Mar 8, 2017
@kotakanbe kotakanbe force-pushed the deprecate-prepare branch 3 times, most recently from 130c7d0 to 6952a10 on March 13, 2017 01:20
@kotakanbe kotakanbe changed the title [WIP]Deprecate prepare subcommand to minimize the root authority defined by /etc/sudoers Deprecate prepare subcommand to minimize the root authority defined by /etc/sudoers Mar 13, 2017
@kotakanbe kotakanbe merged commit a5c4c68 into master Mar 13, 2017
@kotakanbe kotakanbe deleted the deprecate-prepare branch March 16, 2017 15:02