OpenSCAP / openscap-daemon

Manages continuous scans of your infrastructure
https://www.open-scap.org/tools/openscap-daemon
GNU Lesser General Public License v2.1

Ability to run remote ssh scans with sudo privileges #84

Closed mvazquezc closed 8 years ago

mvazquezc commented 8 years ago

I've been testing and it works fine on newer versions of openscap (those which include the --sudo option).

Adding --sudo to the evaluation args works fine, but we need all the program logic to decide whether to add --sudo to the args or not. And we probably need to store a flag to tell the daemon when to run scans with sudo privileges.

ret.extend([config.oscap_ssh_path, '--sudo', host, str(port)])

The destination machine mustn't require a TTY to run sudo (the scan fails if sudo requires a tty):

/etc/sudoers: Defaults requiretty -> #Defaults requiretty OR Defaults: !requiretty

It would be a "nice to have" feature to allow users to run scans with or without sudo privileges.

mpreisler commented 8 years ago

We could do it cleanly by adding ssh+sudo:// to the target URI schemes.

mvazquezc commented 8 years ago

You're right. I'm going to give it a try tomorrow. I'll PR changes. Thank you!

mpreisler commented 8 years ago

Implemented in #85.
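
The scheme-based approach discussed in this thread, sketched as an added example; it is not code from openscap-daemon or from #85. The function name, the "oscap-ssh" default path, the default port 22 and the validation rules are assumptions made for illustration. The point is that the decision to elevate comes only from an explicit ssh+sudo:// scheme, and malformed targets are rejected rather than guessed at.

```python
from urllib.parse import urlsplit

# Assumed default; the snippet in the thread reads it from config.oscap_ssh_path.
OSCAP_SSH_PATH = "oscap-ssh"

# Target URI scheme -> whether '--sudo' is passed to oscap-ssh.
SSH_SCHEMES = {"ssh": False, "ssh+sudo": True}


def oscap_ssh_prefix(target, oscap_ssh_path=OSCAP_SSH_PATH):
    """Build the argv prefix [oscap-ssh, (--sudo), host, port] for a target URI.

    Raises ValueError for anything other than a well-formed ssh:// or
    ssh+sudo:// target, so a mistyped scheme never changes the privilege
    level of a scan silently.
    """
    parts = urlsplit(target)
    if parts.scheme not in SSH_SCHEMES:
        raise ValueError("unsupported target scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("target has no host: %r" % target)
    if parts.path or parts.query or parts.fragment:
        raise ValueError("unexpected path, query or fragment: %r" % target)
    if parts.password is not None:
        raise ValueError("passwords are not accepted in target URIs")

    port = parts.port  # urlsplit raises ValueError for a non-numeric port
    if port is None:
        port = 22      # assumed default when the URI gives no port
    if port < 1:
        raise ValueError("invalid port: %r" % port)

    dest = parts.hostname
    if parts.username:
        dest = "%s@%s" % (parts.username, dest)
    # The destination is passed as a positional argument; refuse values
    # that the command line would interpret as an option instead.
    if dest.startswith("-"):
        raise ValueError("invalid destination: %r" % dest)

    argv = [oscap_ssh_path]
    if SSH_SCHEMES[parts.scheme]:
        argv.append("--sudo")
    argv.extend([dest, str(port)])
    return argv
```

The returned list is meant to be extended with the oscap evaluation arguments and executed without a shell.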