There are situations where you cannot avoid giving a user full shell access through sudo. A shell with administrative privileges gives complete control over your hosts. Until recently, sudo could only log the start of the shell, not the commands executed within it. You could record sessions with sudo, but watching recordings is boring, time consuming and can still be subverted. Version 1.9.8 introduced logging of sub-commands, but that is not yet available on many systems. An alternate approa...| Sudo
Version 1.9.13 of sudo adds the list pseudo-command. Previously, only root or a user with the ability to run any command as either root or the target user could list privileges. Using the list pseudo-command it is possible to list the privileges of another user without any additional privileges, thus tightening security even more. Before you begin Unless you are using a rolling Linux distribution, there is a good chance that sudo 1.9.13 is not yet available for your system. Luckily the sudo p...| Sudo
One of the recurring questions at conferences was whether there is a way to check cached sudo credentials without updating them. Version 1.9.12 of sudo introduces the -N option which makes this possible, and also allows running any commands without updating the cached credentials. Before you begin The -N option was introduced in sudo version 1.9.12. There is a good chance that your choice of operating system still has an older version of sudo. You can easily compile sudo from source, however,...| Sudo
Sudo is one of the most used command line tools in the Linux / UNIX / macOS world. It gives users the ability to execute commands as another user. Most often it is used to gain root (administrator) privileges. Sudo was created when there were a small number of independent large systems. Support for multiple hosts, central management and monitoring was added later. These tools do their jobs; however, large enterprises require ease of use, reporting and monitoring.| Sudo
Version 1.9.8 of sudo introduced support for logging and intercepting sub-commands. These features quickly became very popular. The original implementation is portable, however it also has a number of limitations. Version 1.9.11 of sudo introduced an alternative, Linux-specific, implementation that allows sudo to detect sub-commands in even more situations. Before you begin Version 1.9.11 of sudo was released very recently. There is a good chance that your OS of choice still has an earlier ve...| Sudo
Session recording has been available in sudo for many years, however not many people are aware of it. Even less well-known is that you can save not just the terminal output, but also what the user types. That way you can analyze what the user is doing within a shell session. Recordings may also include user passwords, which is not always desirable. Version 1.9.10 of sudo allows you to hide passwords in session recordings if it recognizes a password entry.| Sudo
We learned in my previous sudo blog that cvtsudoers is not just for LDAP. Version 1.9.9 of sudo extends the querying possibilities of cvtsudoers further and adds a brand new feature: merging multiple sudoers files into one. Both are especially useful when you have complex configurations. Querying lets you better understand what the various rules allow in your sudoers file. Merging helps you to combine multiple configurations into one, so you do not have to maintain a separate sudoers file ...| Sudo
The main feature of cvtsudoers is that it can convert between the sudoers file format and LDAP’s LDIF file format. As I do not use LDAP in my lab environment I stopped caring about cvtsudoers after I read the first few lines of its man page. However, cvtsudoers has additional features useful even without LDAP: querying the sudoers file and printing permissions belonging to a given user or host. Before you begin I must admit, I have no idea which version of sudo introduced the filtering (-m)...| Sudo
A month ago, when sudo 1.9.8 was still under development, we checked out the new log_subcmds option. It allows you to log all commands (with some limitations) that are executed by a command started through sudo. For example, you can see if a shell was started through a text editor. The intercept option brings this one step further: you can prevent sub-commands from even running. Before you begin To use sudo’s intercept option you need sudo 1.9.8 (or later). At the time of writing it is not ava...| Sudo
Sudo development is at version 1.9.8 beta 3. There are two major new features: sudo can intercept sub-commands and log sub-commands. In this quick teaser I introduce you to log_subcmds. I hope it is interesting enough for you to test it out and provide feedback. So, what is log_subcmds good for? There are many UNIX tools that can spawn external applications. You only see vi in the logs, but can you be sure without session recording that your admin only edits what he is supposed to? With log_s...| Sudo
Relay mode was introduced to sudo_logsrvd in sudo version 1.9.7. But, first of all, what is sudo_logsrvd? It is the sudo recording service that allows you to collect sudo session recordings centrally. Using relay mode makes it possible to collect sudo session recordings even when the central service is inaccessible and provides you with a single exit point from your network. In this blog you will learn why relay mode is important and how you can test it.| Sudo
While FreeBSD does not install sudo as part of the base system, you can easily install it yourself. If you do not need anything more than basic functionality, you can install the binary package using the pkg command. Most users belong to this group. If you need advanced functionality, like Python support, you will have to compile sudo yourself from ports. Are you surprised by the mention of basic and advanced functionality for sudo? If yes, read my article about what is new in sudo 1.9. Besid...| Sudo
Version 1.9 of sudo introduced the approval plugin API, making it possible to have extra restrictions before executing a command. These only run after the policy plugin has succeeded, so you can effectively add additional layers of policy without replacing the policy plugin and sudoers. Multiple approval plugins may be defined, and all must succeed in order for the command to be executed. In this blog you will find a simple Python script utilizing the approval API. It implements a simple chec...| Sudo
Version 1.9 of sudo introduced a new API to access audit information. This is not a user-visible feature. In other words, you cannot use it directly from the sudoers file. It is an API, meaning that you can access audit information from plugins, including ones written in Python. You can use it in many different ways, like sending events from sudo directly to Elasticsearch or LaaS when something interesting happens. You can also use it for debugging and print otherwise difficult to access info...| Sudo
Version 1.9 of sudo is now feature complete: all major features are implemented. On the other hand, sudo 1.9 needs testing and a bit of polishing before it can be made generally available. This is where you can help. Testing is easy, as for most platforms the project provides ready-to-install packages. In this blog I will show you how to test the recording service. For an overview of 1.9 features see What is coming up in sudo 1.9? To get started with Python support in sudo, including compile ...| Sudo
One of the most interesting new features of the upcoming sudo version 1.9 is Python support. While version 1.8 introduced plugin support, Python support means that you can extend sudo using the same APIs but write plugins in Python instead of C. Version 1.9 is still under development, but you are encouraged to test it and provide feedback about your experiences. From this blog, you can learn how to install ready-to-use beta-quality packages from the sudo website, how to compile it yourself (on...| Sudo
I guess it is not an overstatement to say that many interesting new features are coming to sudo in version 1.9. On the other hand, most sudo users are still only aware of its basic functionality. In this blog I would like to draw your attention to my Opensource.com article, which describes some lesser known features of sudo. Finally, I will point you to four upcoming conference talks about different aspects of sudo.| Sudo
This blog helps you to get started with configuring sudo and learn how to avoid the most common mistakes. But the title “getting started with sudo” sounds a lot less interesting :-) Based on responses to my talks, one of the most popular configuration options of sudo is insults. You should not think about anything serious here: just some funny messages when a user mistypes a password. Because some users find these messages inappropriate, they are now disabled by default, but can be enabled...| Sudo
Let me tell you a personal story of how this blog was born. First, a bit of introduction. I am Peter Czanik, working for the past nine years as syslog-ng evangelist at Balabit. Obviously I also deal with the commercial variant, but my focus is Open Source. That is one of the reasons why I was very happy to learn that Todd Miller, developer of the sudo application, became my colleague when Balabit was acquired by One Identity last year.| Sudo
Sudo had many features to help blue teams in their daily job even before 1.9 was released. Session recordings, plugins and others made sure that most administrative access could be controlled and problems easily detected. Version 1.9 introduced Python support, new APIs and centralized session recordings; however, some blind spots still remained. Learn how some of the latest sudo features can help you to better control and log administrative access to your hosts. You will learn about JSON logging ...| Sudo