February 11th, 2013 | Tags: , ,

In MySQL if you want to find out what columns are in a given table, you can describe the table and it will show you the columns and the data types associated with that column.  However if you need to do this for a large number of tables, it can get a bit repetitive.

Connect to MySQL

# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.1.37 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

Show the Available Databases

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| TST               |
| mysql              |
| test               |
+--------------------+
4 rows in set (0.00 sec)

Use the TST Database

Our example lives on the TST database.

mysql> use TST;
Database changed

List All Tables on TST

mysql> show tables;
+-------------------+
| Tables_in_TST     |
+-------------------+
| customer          |
| product           |
+-------------------+
2 rows in set (0.00 sec)

Describe the Customer Table

mysql> describe customer;
+-------------+-----------------------+------+-----+---------+----------------+
| Field       | Type                  | Null | Key | Default | Extra          |
+-------------+-----------------------+------+-----+---------+----------------+
| customer_id | mediumint(8) unsigned | NO   | PRI | NULL    | auto_increment |
| first_name  | varchar(30)           | NO   |     | NULL    |                |
| last_name   | varchar(30)           | NO   |     | NULL    |                |
| email       | varchar(30)           | NO   |     | NULL    |                |
+-------------+-----------------------+------+-----+---------+----------------+
4 rows in set (0.01 sec)

Describe the Product Table

mysql> describe product;
+--------------+--------------+------+-----+---------+-------+
| Field        | Type         | Null | Key | Default | Extra |
+--------------+--------------+------+-----+---------+-------+
| product_id   | mediumint(8) | YES  |     | NULL    |       |
| product_name | varchar(100) | YES  |     | NULL    |       |
+--------------+--------------+------+-----+---------+-------+
2 rows in set (0.00 sec)

Now just wash rinse and repeat for all tables…  OR

The Easy Way

No sense in killing ourselves.  Lets use a tool that does the heavy lifting for us.

# mysqldump --no-data TST -u root
-- MySQL dump 10.13  Distrib 5.1.37, for pc-solaris2.11 (i386)
--
-- Host: localhost    Database: TST
-- ------------------------------------------------------
-- Server version       5.1.37

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `customer`
--

DROP TABLE IF EXISTS `customer`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `customer` (
`customer_id` mediumint(8) unsigned NOT NULL AUTO_INCREMENT,
`first_name` varchar(30) NOT NULL,
`last_name` varchar(30) NOT NULL,
`email` varchar(30) NOT NULL,
PRIMARY KEY (`customer_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Table structure for table `product`
--

DROP TABLE IF EXISTS `product`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `product` (
`product_id` mediumint(8) DEFAULT NULL,
`product_name` varchar(100) DEFAULT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2013-02-05 16:12:23

Now we can spend our time interpreting and understanding the output instead of trying to recurse through every table in the database.

 

Comments Off
February 6th, 2013 | Tags: , , , , , ,

Today we are going over a script I wrote to utilize the ovmcli to rename all virtual disks to follow a understandable standard, in this case we will take the vmname and append a disk identifier to it.  The first disk (slot 0) will be appended with “_system.img” with all subsequent being appended with “_dataX.img” where X is the slot number.  This is a pretty simple script, but depending on the size of your environment it could take a significant amount of time to do a run in your environment due to the number of calls that you need to make to the OVM Manager.

I have built in a few parameters.  We need to provide the OVM 3.x Manager server name, additionally we can provide the port, and username.  Both of which have default values.  Additionally I have added a dry run parameter which will give you the chance to see what the output would be.  Finally there is a verbose parameter which is self explanatory.

Please keep in mind that in OVM 3.x vdisk names are simple metadata.  This doesn’t change any names on disk.  But this does help when you have taken the time to name your vdisks when creating the VMs but have had to re-manage a hypervisor, as in that scenario you end up being able to rediscover the VMs themselves, and their names, but the vdisks will come up as named their UUID.

Please keep in mind that this script will make multiple SSH connections to the ovmcli, as such you will want to use keys to streamline this authentication.  I have an article covering that here.

Name       : rename-vdisks.sh
Version   :  1.2.1
MD5        :  c1a0cf9935a4cdcfd12f3eda71bfdd5d
SHA256  :  bd96192e20e5371b0124eec1c8372c97dbf8469b2c5538400461b82d7f43f5e2
URL         :  http://source.allanglesit.net/pub/rename-vdisks.sh

#!/bin/bash
# chkconfig:
# description:
#
#: Script Name    : rename-vdisks.sh
#: Version    : 1.2.1
#: Author    : Matthew Mattoon - http://blog.allanglesit.com
#: Date Created    : January 26, 2013
#: Date Updated    : February 20, 2013
#: Description    : Renames all OVM 3.x virtual disks to a standard naming convention.
#: Examples    : rename-vdisks.sh -m OVMMANAGER -p PORT -u USER -v
#:         : rename-vdisks.sh -m ovmserver.localdomain -v

usage()
{
cat << EOF
usage: $0 options

This script allows you to rename all OVM 3.x virtual disks to follow a consistent standard.

Standard:    vmname_system.img (slot 0)
vmname_dataX.img (slot 1-x where X is the slot number)
vmname1_vmname2_dataX.img (where a disk is shared between 2 VMs)

OPTIONS:
-h    Show this message
-m    OVM 3.x Manager Server (required).
-p    OVM 3.x Manager Port (default: 10000).
-u    OVM 3.x Manager User (default: admin).
-d   Dry Run.  Script will make no changes, but instead provide the output of an actual run.
-v   Verbose flag.
EOF
}

while getopts "hm:pudv" OPTION
do
case $OPTION in
h) usage; exit 1;;
m) ovmmgr=$OPTARG;;
p) ovmport=$OPTARG;;
u) ovmuser=$OPTARG;;
d) dryrun=1;;
v) verbose=1;;
?) usage; exit 1;;
esac
done

if [[ -z $ovmmgr ]]
then
usage
exit 1
fi

echo ""

if [[ -z $ovmuser ]]
then
ovmuser=admin
echo "Using default OVM User [ $ovmuser ]"
fi

if [[ -z $ovmport ]]
then
ovmport=10000
echo "Using default OVM Port [ $ovmport ]"
fi

if [ "$dryrun" = "1" ]
then
echo "Using Dry Run Option"
fi

if [ "$verbose" = "1" ]
then
echo "Using Verbose Option"
fi

echo ""
echo ""
echo `sed -n 3p $0 | sed 's/#://'`
echo `sed -n 5p $0 | sed 's/#://'`
echo `sed -n 4p $0 | sed 's/#://'`
echo ""
echo ""

for i in `ssh -p $ovmport $ovmuser@$ovmmgr "list vmdiskmapping" | grep -v 'OVM>\|Command:\|Status:\|Time:\|Data:' | sed 's/  /:/g'`
do
id=`echo $i | cut -d ":" -f 3`
echo "Examining $id  "
read name id slot emdev vdisk vm <<<$(ssh -p $ovmport $ovmuser@$ovmmgr "show vmdiskmapping id=$id" | grep -v 'OVM>\|Command:\|Status:\|Time:\|Data:' | sed 's/Emulated Block Device/EmulatedBlockDevice/' | sed 's/Virtual Disk Id/VirtualDiskId/' | sed 's/Vm Id/VmId/' | sed 's/  //' | sed 's/ = /=/g' | sed 's/  \[/:\[/g')
name=`echo $name | cut -d = -f 2`
id=`echo $id | cut -d = -f 2`
slot=`echo $slot | cut -d = -f 2`
emdev=`echo $emdev | cut -d = -f 2`
vdiskid=`echo $vdisk | cut -d = -f 2 | cut -d ":" -f 1`
vdiskname=`echo $vdisk | cut -d = -f 2 | cut -d ":" -f 2 | sed 's/\[\|\]//g'`
vm=`echo $vm | cut -d = -f 2 | cut -d ":" -f 2 | sed 's/\[\|\]//g'`
if [ "$slot" != "0" ]
then
slotname=data"$slot".img
else
slotname=system.img
fi
newvdiskname="$vm"_"$slotname"

imginfo=( `ssh -p $ovmport $ovmuser@$ovmmgr "show virtualdisk id=$vdiskid" | grep -v 'OVM>\|Command:\|Status:\|Time:\|Data:' | sed 's/Max (GiB)/Max(GiB)/' | sed 's/Used (GiB)/Used(GiB)/' | sed 's/Repository Id/RepositoryId/' | sed 's/Vm /Vm/' | sed 's/  //' | sed 's/ = /=/g' | sed 's/  \[/:\[/g'` )
imgname=`printf "%s\n" "${imginfo[0]}" | cut -d = -f 2`
imgid=`printf "%s\n" "${imginfo[1]}" | cut -d = -f 2`
imgmaxsize=`printf "%s\n" "${imginfo[2]}" | cut -d = -f 2`
imgusedsize=`printf "%s\n" "${imginfo[3]}" | cut -d = -f 2`
imgshareable=`printf "%s\n" "${imginfo[4]}" | cut -d = -f 2`
imgrepoid=`printf "%s\n" "${imginfo[5]}" | cut -d = -f 2 | cut -d : -f 1`
imgreponame=`printf "%s\n" "${imginfo[5]}" | cut -d = -f 2 | cut -d : -f 2 | sed 's/\[\|\]//g'`
if [ "$verbose" = "1" ]
then
echo "  VM Name         :  $vm"
echo "  Disk Id         :  $vdiskid"
echo "  Disk Name       :  $vdiskname"
echo "  Slot Number     :  $slot"
echo "  Shareable       :  $imgshareable"
fi
if [ -n "$vdiskid" -o  "$vdiskid" != *".iso" ]
then
if [ "$imgshareable" = "Yes"  ]
then
for item in `printf "%s\n" "${imginfo[@]}" | grep Vm | cut -d : -f 2 | sed 's/\[\|\]//g'`
do
shareddiskvmnames+="$item"_
done
newvdiskname="${shareddiskvmnames}${slotname}"
unset shareddiskvmnames
fi
if [ "$vdiskname" != "$newvdiskname" ]
then
if [ "$verbose" = "1" ]
then
echo "  Disk Name       :  $vdiskname"
echo "  New Disk Name   :  $newvdiskname"
fi
echo "Renaming [ $vdiskname ] to follow Standard [ $newvdiskname ]  "
if [ "$dryrun" = "1" ]
then
echo ""
else
ssh -p $ovmport $ovmuser@$ovmmgr "edit virtualdisk id=$vdiskid name=$newvdiskname" | grep "Status:"
fi
echo ""
else
echo "Name [ $vdiskname ] follows Standard [ $newvdiskname ]"
echo ""
fi
else
echo "Virtual CDROM Detected.  Rename not Required."
echo ""
fi
done
Comments Off
February 4th, 2013 | Tags: , , , , , ,

So I have been working with the OVM CLI lately to try and fill in some holes in my knowledge and provide for some easily reproducible procedures, usually around consistency of the environment when performing frequent tear downs and upgrades.  So expect to see more OVM related scripts going forward.

Today we are going over a fairly simple script.  I like to use all lower case in my VM naming conventions.  So I wrote up a little script to check every name in the environment and then rename it if it is not already lower case.  Then once I completed this I decided to change it to be a toggle, so that those of you who prefer upper case would not feel left out.  Basically what we are doing, is simply performing a few calls to the ovmcli to collect the information necessary to make our changes.  Then we perform the changes via a separate call.  Prior to making the edit call, we compare the actual value with the requested value in order to see if it is already what we wanted.

I have built a few parameters into the script, we can select the case, upper or lower, we can also select the OVM 3.x Manager Server, and the username and port.  The username and port are built with default values of admin and 10000.

Please keep in mind that this script will make multiple SSH connections to the ovmcli, as such you will want to use keys to streamline this authentication.  I have an article covering that here.

Name       : changecase-vmname.sh
Version   :  1.0.1
MD5        :  5006c9ff20b3301e66ac503f417b98ee
SHA256  :  bfff98b74c54f1fec3ec540a22ca4b1377c9f4b25e0b90ddbb722eeb64bf6bc8
URL         :  http://source.allanglesit.net/pub/changecase-vmname.sh

#!/bin/bash
# chkconfig:
# description:
#
#: Script Name    : changecase-vmname.sh
#: Version    : 1.0
#: Author    : Matthew Mattoon - http://blog.allanglesit.com
#: Date Created    : January 26, 2013
#: Date Updated    : February 20, 2013
#: Description    : Changes case of all Oracle VM 3.x VMs to either upper or lower case.
#: Examples    : changecase-vmname.sh -c CASE -m OVMMANAGER -p PORT -u USER
#:         : changecase-vmname.sh -c lower -m ovmserver.localdomain

usage()
{
cat << EOF
usage: $0 options

This script allows you to change case on all OVM 3.x VMs to either uppercase or lowercase.

OPTIONS:
-h    Show this message
-c    The preferred case for all VMs (required). upper or lower
-m    OVM 3.x Manager Server (required).
-p    OVM 3.x Manager Port (default: 10000).
-u    OVM 3.x Manager User (default: admin).
EOF
}

while getopts "hc:m:pu" OPTION
do
case $OPTION in
h) usage; exit 1;;
c) case=$OPTARG;;
m) ovmmgr=$OPTARG;;
p) ovmport=$OPTARG;;
u) ovmuser=$OPTARG;;
?) usage; exit 1;;
esac
done

if [[ -z $case ]] || [[ -z $ovmmgr ]]
then
usage
exit 1
fi

if [ $case != "lower" -a $case != "l" -a $case != "upper" -a $case != "u" ]
then
usage
exit 1
fi

if [[ -z $ovmuser ]]
then
ovmuser=admin
fi

if [[ -z $ovmport ]]
then
ovmport=10000
fi

if [ $case = "lower" -o $case = "l" ]
then
trcase="'[:upper:]' '[:lower:]'"
fi

if [ $case = "upper" -o $case = "u" ]
then
trcase="'[:lower:]' '[:upper:]'"
fi

for i in `ssh -p $ovmport $ovmuser@$ovmmgr "list vm" | grep -v 'OVM>\|Command:\|Status:\|Time:\|Data:' | sed 's/  /:/g'`
do
id=`echo $i | cut -d ":" -f 3`
echo -n "Examining $id...  "
vmname=`ssh -p $ovmport $ovmuser@$ovmmgr "show vm id=$id" | grep -v 'OVM>\|Command:\|Status:\|Time:\|Data:' | grep "Name" | sed 's/ = /=/' | cut -d = -f 2`
newvmname=`echo $vmname | tr $trcase`
if [ $vmname != $newvmname ]
then
echo "Renaming $vmname to $newvmname"
ssh -p $ovmport $ovmuser@$ovmmgr edit vm id=$id name="$newvmname" | grep "Status:"
else
echo "Rename not required"
fi
done
Comments Off

In Part One we went over the basics of sudo, what it is, why we use it, and how it is used properly.  In this article we are going to take it a step further and look at specific use cases for sudo.  The key thing to remember though, is that you have two ways you can use sudo, 1) to allow for program execution as root, a white-list  2) to restrict program execution as root, a black-list.  If you are doing the later there is no definitive way to restrict a program execution, so you should only use the latter with administrators who are trusted completely (the same users who would have access to the root password).

Allow A Specific Command Execution as Root (The Real Sudo)

This first policy example is what sudo is for.  This is where you want individuals to perform a specific action as root (for example restart a service which is known to be flaky instead of calling you at 2AM).  These commands can be specific down to parameters and everything.  Of course once the sudo policy is in place you could even go a step further and create aliases in their user profile so that they can execute simpler commands.  For example “/etc/init.d/network restart” can be aliased to “internet-reboot” or something equally simple/ridiculous.

# cat /etc/sudoers
# Specific Command Execution
Defaults logfile=/var/log/sudo.log
User_Alias ROOTCOMMAND = user1, user2
Cmnd_Alias REBOOT = /sbin/reboot
Cmnd_Alias SERVICE = /etc/init.d/network restart
ROOTCOMMAND ALL=NOPASSWD: REBOOT, SERVICE

One other small thing I did in this example.  Since this has a VERY restrictive policy and we are only allowing to possible commands to be run I have removed the password requirement. I do not allow this on a wider policy.  This comes back to the saying:

Quick, Easy, Secure – pick two.

Allow Root Access with Some Disallowances

This policy is a much safer policy for individuals who are not fully trusted, for example Junior Sys Admins.  This policy closes most of the holes which would allow them to inadvertently or intentionally lock out other individuals from the machine, the key difference between this and the above policy is that it requires all commands be executed via sudo, instead of being able to spawn a shell as root, and bypass the logging.

# cat /etc/sudoers
# Root with Restrictions
Defaults logfile=/var/log/sudo.log
User_Alias ROOTRESTRICTED = user1, user2
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/ash, /bin/bsh, /bin/tcsh, /bin/csh, /bin/ksh, /bin/ksh93
Cmnd_Alias SU = /bin/su, /usr/bin/vncserver
Cmnd_Alias PASSWD = /bin/passwd, /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
Cmnd_Alias VISUDO = /usr/sbin/visudo
ROOTRESTRICTED ALL = ALL, !SHELLS, !SU, !PASSWD, !VISUDO

Allow Unrestricted Root Access

This is the basics of a policy that I use on my workstations.  This also fits very well on servers where you have a requirement to not login to the root account except in an emergency.

This policy has NO restrictions on it.  As such the only people whom you will want to grant this policy to are the same folks you would provide your root password to.  This policy also allows the direct invocation of a shell as root, which gives you a root shell, which after that nothing is logged in the sudo.log.

# cat /etc/sudoers
# Root Equivalent
Defaults logfile=/var/log/sudo.log
User_Alias ROOTEQUIVALENT = user1, user2
ROOTRESTRICTED ALL = ALL

Switch Users Using Sudo

Here is another little tidbit I like to use on systems which require multiple system accounts to run multiple applications.  Instead of having to track and know each user and password combination (or having someone else have to do the same) I like to enable users to use sudo to invoke su to switch to the specific user.  This of course means that they will not be prompted to enter a password for the user that they are logging into but they will be logging that entry into sudo.

# cat /etc/sudoers
# Switch User Without Additional Password Management
Defaults logfile=/var/log/sudo.log
User_Alias TSTEBSUSER = bob, bill
Cmnd_Alias SUTSTEBS = /bin/su tstebs, /bin/su - tstebs
TSTEBSUSER ALL = SUTSTEBS
User_Alias TSTWLSUSER = bob, mark, jon
Cmnd_Alias SUTSTWLS = /bin/su tstebs, /bin/su - tstebs
TSTWLSUSER ALL = SUTSTWLS

Above we can see that we have two environments to be managed our TSTWLS and our TSTEBS environment.  Each of these environments is executed and managed using the tstwls and tstebs users respectively.  We can also see that according to the policy we have a user named bob with access to both environments.  The TSTEBS environment also has a user named bill who has access to the environment.  While on TSTWLS we additionally have mark, and jon who have access to the environment.

These are the most common use cases I have run into for using sudo.  There are many more policy restrictions (noexec – disallow the execution of scripts) which are detailed in the man pages for sudo.

Comments Off

What is Sudo?

Prior to sudo whenever you wanted to run a command as a specific user then you would su (switch user) to gain access to a shell for that user.  This of course required that you knew the password for that user, and it would spawn a new shell after successful authentication.  The major drawback to this was that in order to allow a user to do something, you had to allow the user to do anything.  This sort of configuration also makes it fairly trivial for an authorized user to perform unauthorized actions, such as changing the root password and locking everyone out.

Basically sudo is a setuid binary which allows any user to invoke it as root.  Here is where it starts to get a bit tricky.  Any user can invoke sudo as root.  However that doesn’t mean that any user can invoke anything with sudo as root.  Sudo itself is invoked as root, and then the policy processing begins and sudo determines if it is going to do what you are requesting (if it is in policy).

Remember Su-Do

If you remember nothing else about sudo (as a user) then remember this.  Sudo allows you to “su and do” without having to “su and do”.  This of course means that the below actions are identical in terms of executing the action.

$ su -
Password:
# whoami
root
$ sudo whoami
[sudo] password for oracle:
root

The only real difference in the above is the password that we enter.  In the first example we need to enter the root password.  In the second we enter the password of the user we are logged in as.

Sudo Usage

A great example to illustrate the functionality of sudo is the simple “id” this command simply lists your security contexts.  When we execute id

$ id
uid=1000(matthew) gid=1000(matthew) groups=1000(matthew),10(wheel),18(dialout),1001(vboxusers)

Above we can see that we are logged in with the user matthew with the uid of 1000.  You also see the groups that I am a member of.

$ sudo id
[sudo] password for matthew:
uid=0(root) gid=0(root) groups=0(root)

Now when we insert sudo in front of the id command we notice that it prompts for a password, specifically the password of the user invoking sudo (in this case matthew).  After successful authentication then we see that we actually get the id information for the root user.

There is another major way that sudo can be used.  And that is to achieve a root shell.

$ sudo -s
[sudo] password for matthew:
#

Above we see that we now have a persistent root shell.  The big takeaway from this usage is that you lose all of your sudo logging.  The only thing that is logged is the execution of the shell (this will be the users shell defined in the /etc/passwd – usually /bin/bash).

# more /var/log/sudo.log
Jan 22 16:04:09 : matthew : TTY=pts/8 ; PWD=/home/matthew ; USER=root ;
COMMAND=/bin/bash

Sudo Logging

One of the biggest benefits of sudo is the ability to log what individuals are doing on a system, and thus having the ability to forensically resolve problems based on the actions that were taken just prior to the problem.  Here is an example of what the output looks like.

# more /var/log/sudo.log
Jan 22 13:25:13 : user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ;
COMMAND=/etc/init.d/network restart
Jan 22 13:25:34 : user1 : command not allowed ; TTY=pts/0 ; PWD=/home/user1 ;
USER=root ; COMMAND=/etc/init.d/network status

Now we can see that we have a successful execution of /etc/init.d/network restart on line 1.  This took place at Jan 22 13:25:13 local time.  We also know that it was invoked by the oracle user, while the oracle user was standing in /home/oracle (this is important for anything executed using a relative path).  We also then see the user that the command is executed as (which in this case is root).

The second entry we have is an attempt by the oracle user to execute /etc/init.d/network status.  This was denied because it is outside the allowance of the sudo policy.

List Effective Sudo Policy

You won’t always be in an environment where you will be able to push for changes to your sudo policies, however it doesn’t mean that you can’t look at the effective ruleset to see what you have in effect.  To list the policies as they are in effect against your user.

$ sudo -l
Matching Defaults entries for matthew on this host:
requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log

User matthew may run the following commands on this host:
(ALL) ALL

If you are building policies and you want to test the effective policies for a specific user.  You can invoke it like so to list the effective policy.

# sudo -U matthew -l
Matching Defaults entries for matthew on this host:
requiretty, !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC
KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
logfile=/var/log/sudo.log

Runas and Command-specific defaults for matthew:

User matthew may run the following commands on this host:
(root) ALL, (root) !/bin/sh, !/bin/bash, !/bin/bash2, !/bin/ash, !/bin/bsh,
!/bin/tcsh, !/bin/csh, !/bin/ksh, !/bin/ksh93, (root) !/bin/su, !/usr/bin/vncserver,
(root) !/bin/passwd, !/usr/sbin/useradd, !/usr/sbin/userdel, !/usr/sbin/usermod,
(root) !/usr/sbin/visudo

That wraps up Part One.  In Part Two we will look at specific policy examples and how they would be used.

Comments Off
Page 4 of 25« First...23456...1020...Last »
TOP