OpenSCAP / scap-workbench

SCAP Scanner And Tailoring Graphical User Interface
https://www.open-scap.org/tools/scap-workbench
GNU General Public License v3.0

Implement possibility to scan by sudoers. #270

Closed matejak closed 3 years ago

matejak commented 3 years ago

This PR depends on #271 as it makes use of advanced message filtering.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1877522

matusmarhefka commented 3 years ago

@matejak Overall this looks good. I have tested with both configs (passwordless sudo and sudo with password) and it behaves as expected.

evgenyz commented 3 years ago

Isn't it a security breach to allow running sudo oscap without a password? It could also execute remediations (which could be anything).

matejak commented 3 years ago

Isn't it a security breach to allow running sudo oscap without a password? It could also execute remediations (which could be anything).

I have thought of this as well. It is much less of a risk than allowing root to perform those operations, but unfortunately we can't do more. So although it is not a regression, I see a missed opportunity to make scans safer.

Now, what's the problem: sudo can restrict the command line that it executes with superuser privileges. However, the sudoers file doesn't support regexes, so there is no way to tell sudo that it should allow execution of any oscap xccdf eval command line that doesn't include --remediate. Workbench supplies quite a lot of arguments to the remote oscap program, so one can't just say that you expect oscap xccdf eval <datastream>. There is a report, OVAL results, and XCCDF/DS IDs passed along.
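The usual way around the limitation described above is not to put /usr/bin/oscap in sudoers at all, but a wrapper that validates the argument list and then execs oscap. The following is an added example, not scap-workbench or OpenSCAP code, and everything named in it is an assumption: the wrapper path /usr/local/sbin/oscap-scan-only, the sudoers rule for an assumed user "scanner", and the option allowlist (taken from the options that oscap xccdf eval accepts, which the thread says Workbench passes: report, OVAL results, XCCDF/DS IDs). Two caveats the wrapper encodes: oscap parses options with getopt_long, which accepts unambiguous abbreviations, so a denylist of the literal string --remediate is bypassable and an allowlist is used instead; and options that write output files still write as root, which no argument filter can change. sudo 1.9.10 and later do accept regular expressions in sudoers, but the wrapper works on any sudo version.

```shell
#!/bin/sh
# Added example, not scap-workbench or OpenSCAP code. Wrapper meant to be
# installed as /usr/local/sbin/oscap-scan-only (assumed path) and referenced
# from sudoers instead of oscap itself, e.g. in /etc/sudoers.d/oscap-scan:
#   scanner ALL=(root) NOPASSWD: /usr/local/sbin/oscap-scan-only
# (assumed user name). It allows "oscap xccdf eval" with a fixed set of
# options and refuses everything else, including --remediate and the
# "oscap xccdf remediate" subcommand.

OSCAP=/usr/bin/oscap   # assumed oscap location

# Allowed long options for "oscap xccdf eval" (assumed list; extend as needed).
# An allowlist is used rather than rejecting "--remediate", because oscap
# uses getopt_long, which accepts unambiguous abbreviations such as "--remed".
# Note that --results/--report/--oval-results still write files as root; the
# wrapper cannot close that, it only stops remediation.
ALLOWED_OPTS="--profile --rule --tailoring-file --tailoring-id --cpe \
--oval-results --check-engine-results --results --results-arf --report \
--stig-viewer --skip-valid --fetch-remote-resources --progress \
--datastream-id --xccdf-id --benchmark-id"

# Return 0 if the arguments form an evaluation-only oscap command line,
# 1 otherwise. Usage: oscap_args_allowed xccdf eval [options] INPUT
oscap_args_allowed() {
    [ "$#" -ge 3 ] || return 1                     # module, subcommand, input
    [ "$1" = "xccdf" ] && [ "$2" = "eval" ] || return 1
    shift 2
    for arg in "$@"; do
        case "$arg" in
            --*)
                name=${arg%%=*}                    # accept --opt=value form
                found=1
                for ok in $ALLOWED_OPTS; do
                    [ "$name" = "$ok" ] && found=0 && break
                done
                [ "$found" -eq 0 ] || return 1
                ;;
            -*) return 1 ;;                        # no short options needed
            *)  ;;                                 # option value or input file
        esac
    done
    return 0
}

main() {
    if oscap_args_allowed "$@"; then
        exec "$OSCAP" "$@"
    fi
    echo "oscap-scan-only: refusing command line: $*" >&2
    exit 1
}

# Dispatch only when invoked with arguments; sourcing for tests passes none.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

With this in place Workbench's remote command line only needs to name the wrapper instead of oscap; the sudoers rule then never grants a passwordless path to remediation, which is the gap the thread describes.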

matusmarhefka commented 3 years ago

I have tested the latest changes and everything works as expected. I agree that passwordless sudo is not ideal, but it is still better than running under root. I will merge this if there are no objections from @evgenyz

evgenyz commented 3 years ago

No, I don't have any