[RFE] Add ability to run system scan / system remediation under sudo

[iankko]

Description of problem:

The STIG profile in SSG content contains the following rule "Disable SSH Root Login":     [1] https://fedorapeople.org/~jlieskov/rhel6-guide.html#item-sshd_disable_root_login

The purpose of this rule is to check if root login via SSH service is disabled. The issue appears when remediation for / against the STIG profile for remote systems is performed. Namely the remediation script configures the sshd service on the remote machine not to allow / permit root logins via SSH. Though the remediation script by itself does not forcibly restart the sshd daemon (thus the immediate SSH connection is not affected by this configuration change), it is possible that after restart of a remote computer in question it will not be accessible remotely via root user account (therefore an access to it might get lost in the case when this is a machine not having unprivileged users).

Therefore the suggestion is to enhance the SCAP-Workbench tool to add support / ability to run the remediation scripts under sudo mechanism -- the user in question would launch SCAP-Workbench under the unprivileged user account on the remote machine (after corresponding authentication), and subsequently run everything (system scan && possible remediation scripts) under the sudo mechanism to prevent the current situation.

Thank you for considering of this change.

Jan.

[c6p0]

Hi, when this feature will be available ? Indeed for time being scanning with workbench still requires a root user for some checks. For sample it would be nice the --sudo to be processed in the User and host field

[matejak]

AFAIK, scap-workbench uses pkexec for the same purpose as it would use sudo. It doesn't require you to run is as root. Could you please give some background to your request?

[merbekano]

many of the evaluations for DISA content require root access, as the files that are being inspected are root only owned. These should up in the overall report as "errors". For example all the auditing checks error out as the audit file is a root only owned file.

[jan-cerny]

@merbekano SCAP Workbench should ask you for your password if you run it as normal user and you click on "Scan" button. See this screenshot.

If this is not happening for you, then you have probably found a bug. Is your user account allowed to get root privileges ? Which version of SCAP Workbench do you use?

[merbekano]

@jan-cerny. I am speaking specifically to "remote" execution of the scap content. I am using Windows version 1.1.5 to remote into hosts to run a DISA baseline. The user account used has full sudo privileges. Since it appears no sudo escalation is performed for the non-privileged account, the scan results are erroneous for any checks that require root access. I am certainly prompted for the password to the non-privileged account that is able to SSH into the remote server. I am not presented any prompt for a root password on the remote machine, only the non-privileged account.

[twright-0x1]

I agree: when one is executing checks remotely, this would be a very useful feature (i.e., to 'sudo' to an account with appropriate privileges). As already noted, some checks will error without root privileges.

[cipherboy]

Per discussion on #openscap today I believe the core premise of this to be resolved: https://github.com/OpenSCAP/scap-workbench/pull/270/

However, this issue also discusses remediation which, from PR's description, wasn't added.

So I'm leaving this open but commenting that scanning seems to work with passwordless sudo.