Closed matejak closed 3 years ago
@matejak Overall this looks good. I have tested with both configs (passwordless sudo and sudo with password) and it behaves as expected.
Isn't it a security breach - allow to run `sudo oscap` without a password? It could also execute remediations (which could be anything).
I have thought of this as well. It is much less of a risk than allowing root to perform those operations, but unfortunately we can't do more. So although it is not a regression, I see a missed opportunity to make scans safer.
Now what's the problem: `sudo` can restrict the command-line that it executes with superuser privileges. However, the sudoers file doesn't support regexes, so there is no way to tell `sudo` that it should allow execution of any `oscap xccdf eval` command-line that doesn't include `--remediate`. Workbench supplies quite a lot of arguments to the remote program oscap, so one can't say that you expect `oscap xccdf eval <datastream>`. There is a report, oval results, and XCCDF/DS IDs passed along.
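One way to narrow the sudoers rule discussed above, as an added example that is not part of this PR or of SCAP Workbench: sudoers permits only a hypothetical wrapper, `oscap-scan-only`, which accepts `oscap xccdf eval` command lines and refuses `--remediate`. The wrapper name, its install path, the `/usr/bin/oscap` path and the sudoers line in the comment are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical wrapper "oscap-scan-only" (not part of the PR).
# Assumed sudoers entry, replacing a rule that allows oscap itself:
#   scanuser ALL=(root) NOPASSWD: /usr/local/sbin/oscap-scan-only

# Return 0 only for "xccdf eval ..." command lines that cannot remediate.
check_scan_args() {
    # Require the evaluation operation plus at least one more argument;
    # this also excludes every other oscap module and operation.
    [ "$#" -ge 3 ] || return 1
    [ "$1" = "xccdf" ] && [ "$2" = "eval" ] || return 1
    shift 2
    for arg in "$@"; do
        case "$arg" in
            --remediate|--remediate=*) return 1 ;;
            --?*)
                # Defensive assumption: the option parser may accept
                # abbreviated long options, so refuse anything that is a
                # prefix of --remediate as well.
                name=${arg%%=*}
                case "--remediate" in
                    "$name"*) return 1 ;;
                esac
                ;;
        esac
    done
    return 0
}

# Act as the wrapper only when installed under its (hypothetical) name.
case "${0##*/}" in
    oscap-scan-only)
        if ! check_scan_args "$@"; then
            echo "refused: only 'xccdf eval' without --remediate is allowed" >&2
            exit 1
        fi
        # Assumed location of the real binary; the absolute path avoids
        # relying on PATH.
        exec /usr/bin/oscap "$@"
        ;;
esac
```

The remote side would then call `sudo oscap-scan-only xccdf eval ...` with the same arguments it passes to `oscap` today, so the report, OVAL results and XCCDF/DS IDs still go through unchanged.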
I have tested the latest changes and everything works as expected. I agree that passwordless sudo is not ideal, but it is still better than running under root. I will merge this if there are no objections from @evgenyz
No, I don't have any
oscap-ssh
.ssh
command.
This PR depends on #271 as it makes use of advanced message filtering.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1877522