Hello,
with IPA v4.10.0 on RHEL 9.1, the IPA servers are configured with the security profile ANSSI-BP-028 (high), which mandates the sudo Defaults 'noexec' (commands cannot execute subprocesses). Along with other restrictive Defaults, it has been set automatically by OpenSCAP during OS installation, in the /etc/sudoers file.
But there are quite a few situations where we need EXEC rights (typically some IPA utilities, such as ipa-healthcheck).
During the initial configuration of the systems we had a local 'install' user, in the wheel group, to which we gave blanket sudo EXEC rights. But now that IPA is up and running, I am struggling to configure a way around the 'noexec' Defaults for real operators managed by IPA.
I have tried three approaches, which all failed:
1) In an IPA sudo rule, configure Options to override the 'noexec' Defaults.
I tried with both
!noexec
-=noexec
but it had no effect and I did not see it listed in sudo -l, and noexec was still there.
2) In an IPA sudo command definition, add EXEC.
That is, I created an IPA sudo command with the value:
EXEC: ALL
but this command appeared with the ':' escaped as '\:':
(ALL : ALL) EXEC\: ALL
3) In an IPA sudo rule, use the 'ignore_local_sudoers' Option.
The sudoers man page says "If set via LDAP, parsing of /etc/sudoers will be skipped. This is intended for Enterprises [...]".
This could be an appropriate approach to reconstitute these Security Profile constraints centrally in IPA instead of locally, but the 'ignore_local_sudoers' Option does not seem to be picked up: sudo -l keeps showing the Defaults configured locally (including 'noexec').
Am I doing something wrong?
What would be the best approach to pursue?
More generally, I noticed that changes in the IPA sudo rules are not effective immediately, even after a logout/login.
Is there some caching? Or should I restart a service?
If I reboot the system, the changes take effect, but this is a bit heavy.
Thanks in advance!
Mathieu
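The post above relies on reading 'sudo -l' to see whether 'noexec' is still in force and whether a rule really carries the per-command EXEC tag. The script below is an added example, not part of Mathieu's post or of FreeIPA: it parses a 'sudo -l' listing and reports (a) whether 'noexec' is present as a standalone option in the "Matching Defaults entries" block and (b) which command entries carry a genuine 'EXEC:' tag. The user name 'operator', the host 'ipaclient1' and the listing itself are constructed sample data; the listing includes the escaped '(ALL : ALL) EXEC\: ALL' entry the post describes, which the parser deliberately does not count as an EXEC tag, since the backslash makes 'EXEC:' part of the command string rather than a tag.

```shell
#!/bin/sh
# Added example (not code from the original post or from FreeIPA):
# parse `sudo -l` output to tell whether the 'noexec' Default is active
# and which command entries really carry the per-command EXEC: tag.

# Constructed sample `sudo -l` output for a hypothetical user 'operator'
# on host 'ipaclient1'. Entries mirror the ones described in the post.
SAMPLE_SUDO_L='Matching Defaults entries for operator on ipaclient1:
    !visiblepw, always_set_home, env_reset, noexec, requiretty, use_pty

User operator may run the following commands on ipaclient1:
    (ALL : ALL) EXEC\: ALL
    (root) NOPASSWD: EXEC: /usr/bin/ipa-healthcheck
    (root) /usr/bin/systemctl status sssd'

# Return 0 when 'noexec' appears as a standalone option in the
# "Matching Defaults entries" block, 1 otherwise. A negated '!noexec'
# is a different token and does not count as 'noexec'.
noexec_in_defaults() {
    printf '%s\n' "$1" | awk '
        /^Matching Defaults entries/ { in_defaults = 1; next }
        /^User .* may run/           { in_defaults = 0 }
        in_defaults {
            n = split($0, opts, /,[ \t]*/)     # options are comma separated
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opts[i])
                if (opts[i] == "noexec") found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Print, one per line, the commands whose entry carries a genuine EXEC: tag.
# Tags are upper-case words followed by ':' and whitespace, placed between
# the "(runas)" part and the command; several tags may be chained.
# "EXEC\: ALL" is an escaped colon, i.e. a literal command string, so it
# does not match the tag pattern and is not reported.
exec_tagged_commands() {
    printf '%s\n' "$1" | awk '
        /^User .* may run/ { in_cmds = 1; next }
        in_cmds && /^[ \t]*\(/ {
            line = $0
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)   # drop "(runas : group)"
            has_exec = 0
            while (match(line, /^[A-Z_]+:[ \t]+/)) {
                tag = substr(line, 1, RLENGTH)
                sub(/:[ \t]+$/, "", tag)
                if (tag == "EXEC") has_exec = 1
                line = substr(line, RLENGTH + 1)
            }
            if (has_exec) print line
        }'
}

if noexec_in_defaults "$SAMPLE_SUDO_L"; then
    echo "noexec is active in Defaults; only these commands may spawn subprocesses:"
    exec_tagged_commands "$SAMPLE_SUDO_L"
else
    echo "noexec is not set in Defaults"
fi
```

Run it against real output with something like `noexec_in_defaults "$(sudo -l)"` on the client. For a local /etc/sudoers check, the equivalent constructs are the per-command tag (`operator ALL=(root) EXEC: /usr/bin/ipa-healthcheck`) or a command-specific Defaults line (`Defaults!/usr/bin/ipa-healthcheck !noexec`); validate any edit with `visudo -c` before relying on it.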