What commands to allow with sudo

When I want to do a credentialed scan with a normal user, but I want to restrict sudo. What commands do I need to allow in the sudoers file?

I can’t see that clearly in here:
https://docs.rapid7.com/insightvm/authentication-on-unix-and-related-targets-best-practices/

Hi,

Unfortunately there is no exact list of all the commands to allow as these will change regularly over time as better ways to get information are found or old ways of gathering information are deprecated or changed.

It can be useful at times if you discover issues with permissions to run the desired scan you are looking for with enhanced scan logs enabled and review those sets of logs for failing commands. The ACES log files specifically can help. You can find information about enhanced scan logs at the following link:
https://docs.rapid7.com/insightvm/troubleshooting/#troubleshooting-scan-accuracy-issues-with-logs

The ACES logs will contain sections displaying the command run, such as:

<ace:command>freebsd-version</ace:command>

The response received from the command is usually shown below it as follows:

<ace:stdout>10.0-RELEASE
</ace:stdout>

The returns should display any permissions messages etc.

Finally, it is worth noting as well that if you are scanning with an engine, it will use a non-interactive shell when running commands, similar to running a command from your terminal against another host using the following format:

ssh <user>@<hostname> date

The main difference between interactive shells and the way the scan engine connects will be things such as profiles and environment variables such as PATH etc., which may be different for you once logged into an interactive session versus the non-interactive session a scan engine uses. This can often cause confusion when you are able to log in and run a command but the scan engine fails when running the command. If you test it using the format shown above with the user account you are scanning with, it should be a reliable way to test if the scan engine would be able to run the command.

2 Likes
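As an added example (not from the original thread or from Rapid7), the following Python script does the log review the answer describes: it walks an ACES-style log, pairs each `<ace:command>` with the `<ace:stdout>` that follows it, flags outputs that look like sudo, permission or PATH failures, and lists the sudo-invoked binaries that were refused so an administrator can review them as candidates for a sudoers rule. Only the two elements quoted in the answer are taken from the page; the sample log, the commands in it and their outputs are constructed, and the failure messages are the standard ones printed by sudo and the shell. Real ACES logs may carry error text in a separate element, in which case the regular expression needs to be widened.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample log. Only the <ace:command> / <ace:stdout> element names
# come from the answer above; the commands and outputs are made up.
SAMPLE_ACES_LOG = """
<ace:command>freebsd-version</ace:command>
<ace:stdout>10.0-RELEASE
</ace:stdout>
<ace:command>sudo /usr/sbin/pkg info</ace:command>
<ace:stdout>sudo: a password is required
</ace:stdout>
<ace:command>sudo /sbin/dmesg</ace:command>
<ace:stdout>Sorry, user scanner is not allowed to execute '/sbin/dmesg' as root on host1.
</ace:stdout>
<ace:command>cat /etc/master.passwd</ace:command>
<ace:stdout>cat: /etc/master.passwd: Permission denied
</ace:stdout>
<ace:command>rpm -qa</ace:command>
<ace:stdout>sh: rpm: command not found
</ace:stdout>
<ace:command>uname -a</ace:command>
"""


class CommandResult(NamedTuple):
    command: str
    stdout: Optional[str]   # None when the log shows no output for the command
    reason: Optional[str]   # None when nothing in the output looks like a failure


# Standard sudo / shell messages and what each one means for the sudoers setup.
FAILURE_PATTERNS = [
    (re.compile(r"sudo: a password is required", re.I),
     "sudo wanted a password: the scan user needs a NOPASSWD rule for this command"),
    (re.compile(r"no tty present and no askpass program", re.I),
     "sudo wanted a password: the scan user needs a NOPASSWD rule for this command"),
    (re.compile(r"is not allowed to execute", re.I),
     "sudoers does not permit this command for the scan user"),
    (re.compile(r"is not in the sudoers file", re.I),
     "scan user is not in sudoers at all"),
    (re.compile(r"permission denied", re.I),
     "file permission denied: needs sudo or read access"),
    (re.compile(r"command not found", re.I),
     "not on the non-interactive PATH: use the full path or install the tool"),
]

# One <ace:command>, optionally followed by the <ace:stdout> belonging to it.
PAIR_RE = re.compile(
    r"<ace:command>(?P<cmd>.*?)</ace:command>\s*"
    r"(?:<ace:stdout>(?P<out>.*?)</ace:stdout>)?",
    re.S,
)


def classify(stdout: Optional[str]) -> Optional[str]:
    """Return a human-readable failure reason, or None if the output looks fine."""
    if stdout is None:
        return None
    for pattern, reason in FAILURE_PATTERNS:
        if pattern.search(stdout):
            return reason
    return None


def parse_aces(text: str) -> List[CommandResult]:
    """Pair every command in the log with its output and classify it."""
    results = []
    for m in PAIR_RE.finditer(text):
        out = m.group("out")
        results.append(CommandResult(
            command=m.group("cmd").strip(),
            stdout=out.strip() if out is not None else None,
            reason=classify(out),
        ))
    return results


def failing_commands(text: str) -> List[CommandResult]:
    """Only the commands whose output matched a known failure message."""
    return [r for r in parse_aces(text) if r.reason]


def sudo_allowlist_candidates(results: List[CommandResult]) -> List[str]:
    """Binaries the scan user invoked through sudo and was refused.

    These are candidates for a sudoers rule; an administrator still has to
    decide whether each one is appropriate to grant."""
    paths: List[str] = []
    for r in results:
        if r.reason and r.command.startswith("sudo "):
            binary = r.command.split()[1]
            if binary not in paths:
                paths.append(binary)
    return paths


if __name__ == "__main__":
    failures = failing_commands(SAMPLE_ACES_LOG)
    for r in failures:
        print(f"{r.command!r}: {r.reason}")
    print("sudo allowlist candidates:", sudo_allowlist_candidates(failures))
```

Run it against a real enhanced-scan log by replacing `SAMPLE_ACES_LOG` with the file contents; the candidate list is a starting point for the sudoers file, not a finished policy, since each entry should be granted by absolute path and reviewed before it is added.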

This is helpful! Thank you!

1 Like