Creating a file, let’s name it root, with the content seen in the screenshot below and executing the command sudo /usr/bin/cp -t /etc/sudoers.d/ root *.pem /etc/ssl/certs allows the user sailpoint to execute any command as root afterwards.
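To show why a cp command can be authorised to write into /etc/sudoers.d at all, the following added example (not from this thread or from SailPoint) emulates sudo's argument matching and lints a rule for wildcards. The sudoers entry it uses is a constructed assumption, since the thread never quotes the appliance's real rule, and the wrapper path in the hardened rule is hypothetical.

```python
import fnmatch

# Constructed sample rules. The thread never quotes the appliance's real sudoers
# entry, so WEAK_RULE is an assumption that reproduces the behaviour described:
# "*" in a sudoers argument list matches any string, spaces included, so the
# caller can place extra options such as "-t <dir>" before the expected args.
WEAK_RULE = "sailpoint ALL=(root) NOPASSWD: /usr/bin/cp * *.pem /etc/ssl/certs"
# Hardened form (hypothetical wrapper path): no wildcards; the arguments are
# fixed inside a root-owned script that validates its own inputs.
FIXED_RULE = "sailpoint ALL=(root) NOPASSWD: /usr/local/sbin/install-certs"


def command_spec(rule: str) -> list[str]:
    """Return the command and its argument patterns from a sudoers user spec."""
    _, _, rhs = rule.partition("=")
    rhs = rhs.strip()
    if rhs.startswith("("):                    # drop the (runas) part
        rhs = rhs[rhs.index(")") + 1:].strip()
    words = rhs.split()
    while words and words[0].endswith(":"):    # drop tags such as NOPASSWD:
        words.pop(0)
    return words


def rule_matches(rule: str, argv: list[str]) -> bool:
    """Emulate sudo's command matching: exact path, then fnmatch over the
    space-joined argument string (sudo calls fnmatch with no flags, so '*'
    crosses argument boundaries)."""
    spec = command_spec(rule)
    if not spec or spec[0] != argv[0]:
        return False
    if len(spec) == 1:                         # bare command: any args allowed
        return True
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(spec[1:]))


def wildcard_findings(rule: str) -> list[str]:
    """Lint: report argument patterns containing sudoers glob metacharacters."""
    return [arg for arg in command_spec(rule)[1:] if any(c in arg for c in "*?[")]


# The intended use (the shell has expanded *.pem to a constructed file name)...
INTENDED = ["/usr/bin/cp", "-f", "ca.pem", "/etc/ssl/certs"]
# ...and the argv of the command quoted in the post, after the same expansion.
REDIRECTED = ["/usr/bin/cp", "-t", "/etc/sudoers.d/", "root", "ca.pem", "/etc/ssl/certs"]

if __name__ == "__main__":
    for name, argv in (("intended", INTENDED), ("redirected", REDIRECTED)):
        print(f"{name:10s} allowed by WEAK_RULE:  {rule_matches(WEAK_RULE, argv)}")
        print(f"{name:10s} allowed by FIXED_RULE: {rule_matches(FIXED_RULE, argv)}")
    print("wildcards in WEAK_RULE:", wildcard_findings(WEAK_RULE))
```

Any non-empty result from wildcard_findings on a rule that grants cp, tee, mv or similar file-writing commands is the finding to raise: the fix is a wrapper with fixed arguments, not a tighter glob.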
In practice the virtual appliance is a single-user system, and that user is intended to be an administrator. The assignment of a user rather than root is intended to prevent the installation of unsupported applications.
Hi @pierre_mouallem, while I understand some of your arguments, I think this goes against the “defence in depth” practice, which would definitely be expected from a tool that has “Security” in its name.
I still think that the current sudoers configuration is buggy, as it allows execution of commands that are not supported.
What I am missing from your answer is: “we will carefully review the current sudoers configuration and we will tighten the security around the sudoers file, so that an escalation is not possible anymore”.
SailPoint does not support any actions taken outside of the configured, limited SUDO permissions.
Technically the commands presented are within the configured, limited sudo permissions.
Another argument is that with the incorrect sudoers configuration, people can look into how the CCG and VA_Agent work and even manipulate them in order to exploit it and have it provision on the company's target systems.
This is very worrying, and it was not the answer I was expecting, to be honest.