Using sudo and dzdo for Root Delegation

You can choose the root delegation tools such as sudo and dzdo when configuring a Unix authentication record. Root delegation allows the user account provided in the Unix authentication record to execute commands with root access on the hosts to be scanned.

sudo

What credentials should I use?

This depends on the type of scanning you plan to do. We recommend you review what credentials are needed for scanning.

How does root delegation work?

When Sudo is properly configured within a Unix record, Unix authentication to hosts in the record works like this: 1) we'll authenticate to the hosts using the login credentials provided in the record (user name and password, RSA key or DSA key), 2) we'll execute the command "sudo su -" to obtain root authority, and 3) we'll perform commands with root authority and complete the scan.

Do I need to get Sudo?

Sudo may already be installed on your Unix system since it is included in many distributions by default. Sudo is not a standard part of all Unix distributions, so you may need to install it. You can download it from http://www.sudo.ws.

How do I configure the "sudoers" file?

Add /bin/su to the sudoers file to allow the user to execute /bin/su in order to gain elevated privileges. One method for setting this up in your sudoers file is to create a command alias for the /bin/su command and then grant the privilege to run this command to the user account.

In the example below, "scanuser" is the account user name you supply in the Unix authentication record:

# Cmnd alias specification
Cmnd_Alias SU=/bin/su

# User privilege specification
root ALL=(ALL) ALL
scanuser ALL=SU

Using the NOPASSWD option

Note: it is recommended that you use the NOPASSWD option (in your sudoers file) to avoid unnecessary exposure of the password. Even if the NOPASSWD option is enabled, you must still provide valid login credentials in the Unix authentication record for the initial authentication.

Keep in mind that if the NOPASSWD option is not enabled in your sudoers file, you must include the password in the login credentials section of the Unix authentication record.

Still have questions?

Please refer to your sudoers documentation for information on proper configuration.

dzdo

Similar to sudo, dzdo is another tool supported for root delegation. It runs a single command using a privileged account without knowing the privileged account's password. Instead of using the sudoers file, dzdo uses role-based access rights for zones stored in Active Directory.

To enable dzdo as a root delegation option, reach out to your Technical Account Manager or Qualys Support.