-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
PRODENG-2744 Tooling scripts to test whitelising of shell commands
- Loading branch information
Showing
2 changed files
with
129 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| # How to use this script: | ||
| # 1. Modify the value of SSH_FLAGS to have the right ssh key path | ||
| # 2. Take copy of the sudoers file and name it as 50-launchpad(Or anything suitable so that it does not override the existing sudoers files) | ||
| # 3. Make the changes you want to test in the copy of the sudoers file and run this script. | ||
|
|
||
|
|
||
| HOSTS="$(yq -r ".spec.hosts[].ssh.address" ./launchpad.yaml)" | ||
|
|
||
| SSH_USER=rocky | ||
| SSH_FLAGS="-i examples/tf-aws/launchpad/ssh-keys/jn-PRODENG-2744-common.pem -o StrictHostKeyChecking=no" | ||
|
|
||
| # --- helpers --- | ||
|
|
||
| ssh() { | ||
| local host=$1 | ||
| shift; | ||
| local run=$@ | ||
|
|
||
| echo "ssh $SSH_FLAGS $SSH_USER@$host -- $run" | ||
| #ssh $SSH_FLAGS $USER@$host -- "$run" | ||
| } | ||
|
|
||
| scp() { | ||
| local host=$1 | ||
| shift; | ||
| local file=$@ | ||
|
|
||
| echo "scp $SSH_FLAGS $file $SSH_USER@$host:~/$file" | ||
| #scp $SSH_FLAGS $USER@$host $file $file | ||
| } | ||
|
|
||
| # --- handlers ___ | ||
|
|
||
| sudo_prepareuser() { | ||
| host=$1 | ||
|
|
||
| ssh $host "sudo useradd launchpad" | ||
| ssh $host "sudo cp -R /home/rocky/.ssh /home/launchpad/" | ||
| ssh $host "sudo chown -R launchpad:launchpad /home/launchpad" | ||
| } | ||
|
|
||
| sudo_sudowhitelist() { | ||
| host=$1 | ||
|
|
||
| scp $host 50-launchpad | ||
| ssh $host "sudo chown root:root ./50-launchpad" | ||
| ssh $host "sudo mv ./50-launchpad /etc/sudoers.d/" | ||
| } | ||
|
|
||
| # --- fix all hosts --- | ||
|
|
||
| set +x | ||
|
|
||
| for host in $HOSTS | ||
| do | ||
| #echo "#-- HOST: $host" | ||
| ssh $host whoami | ||
|
|
||
| sudo_prepareuser $host | ||
| sudo_sudowhitelist $host | ||
| done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| User_Alias CANLAUNCHPAD = launchpad | ||
|
|
||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /bin/ps | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/docker * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- launchpad.test | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /etc/docker/* | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /home/launchpad/installerLinux* | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /tmp/installerLinux* | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/sbin/getenforce * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rpm -qa | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/cat * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/stat * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl * docker * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/netstat | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/journalctl | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl stop docker | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl start docker | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl restart docker | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl status | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl stop containerd | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl start containerd | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl cat * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/cat /etc/docker/daemon.json | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -rvf /var/run/docker.sock | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm /app/docker/swarm/worker/tasks.db | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/ip link del docker_gwbridge | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/ip link del docker0 | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sysctl -w net.ipv4.conf.all.rp_filter=1 | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/vi /etc/sysctl.d/99-app.conf | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/vi /etc/docker/daemon.json | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/pkill -9 containerd-shim | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/df | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/lsof | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/ulimit -a | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/strace | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/docker * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl stop appitrs | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl start appitrs | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /etc/docker/daemon.json * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- launchpad.test * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/sbin/getenforce * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/yum install -y * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/cat * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sh -c 'yum-config-manager *' | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sh -c 'rpm -qa *' | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sh -c 'echo *' | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/sh -c 'yum install *' | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/stat * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl * docker * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/systemctl enable docker | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/docker version | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/install * | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/rm -f -- /tmp/launchpad/installerLinux* | ||
| CANLAUNCHPAD ALL = (root) NOPASSWD: /usr/bin/mkdir -p -- /tmp/launchpad | ||
|
|
||
|
|
||
| User_Alias CANINSTALLMCR = launchpad | ||
|
|
||
| CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/rpm -qa | ||
| CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum install * | ||
| CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum list * | ||
| CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/tee /etc/yum/vars/dockerurl | ||
| CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/tee /etc/yum/vars/dockerosversion | ||
| CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum-config-manager --add-repo * | ||
| CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum-config-manager --disable docker-ee-* | ||
| CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum-config-manager --enable docker-ee-* | ||
| CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum upgrade * | ||
| CANINSTALLMCR ALL = (root) NOPASSWD:SETENV: /usr/bin/yum downgrade * |