Sudo 1.9.16 is now out, containing mostly bug fixes. However, there are also some new features, like the json_compact option I wrote about a while ago. The other major change is that secure_path is now enabled by default in the sudoers file, and there is a new option to fine-tune its content. Before you begin As usual, operating systems lag behind with sudo versions. If your OS does not yet have 1.9.16 or later, there is a good chance that you can find a ready to use installer on the sudo...| Sudo
Version 1.9.16 of sudo will introduce a new logging option: json_compact. This does not affect logging to syslog, only logging to files. Previously, sudo created human-readable JSON log files. With this new setting enabled, logs are no longer pretty but can be easily read by logging software. Before you begin As I am writing this blog, version 1.9.16 is not yet released, not even a beta. For now, if you want to test this feature, you will have to compile sudo yourself from source. Once 1.9.16...| Sudo
Version 1.9.15 of sudo gives more detailed information when using the -ll option. For commands, it adds the rule that allows it. Without a command parameter, it lists rules affecting a given user. It also prints which file contains the given rule, making debugging easier. Before you begin Unless you are using a rolling Linux distribution, there is a good chance that sudo 1.9.15 is not yet available for your system. Luckily the sudo project provides you with easy to use binary packages for man...| Sudo
It has been possible to use wildcards in the sudoers file for many years. This can make configuration easier and more flexible, but it also introduces problems of its own. Regular expressions, introduced in sudo 1.9.10, allow you to create finer-grained rules. From this blog you will learn about some of the problems when you use wildcards in your sudoers file, and how using regular expressions can resolve those problems.| Sudo
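As an added example (not code from the original post or from sudo itself), the classic pitfall behind this post, emulated in Python: sudo compares command-line arguments as one space-separated string, so a trailing `*` in a wildcard rule also matches a second, unrelated argument. A `^...$` regular-expression rule that excludes spaces does not. The two sudoers rules and the sample invocations are constructed for this example; `fnmatch` is used as an approximation of sudoers wildcard matching.

```python
import fnmatch
import re

# Constructed sudoers command specs (not from the original post).
# The first uses a shell-style wildcard; the second uses a regular
# expression, which sudo 1.9.10+ accepts when it starts with '^' and ends with '$'.
WILDCARD_RULE = "/bin/cat /var/log/messages*"
REGEX_RULE = "/bin/cat ^/var/log/messages[0-9.]*$"


def split_rule(rule):
    """Split a sudoers command spec into the command path and the argument pattern."""
    command, _, args = rule.partition(" ")
    return command, args


def args_match(pattern, argv):
    """Emulate how sudoers compares a rule's argument pattern with what the user typed.

    sudo joins the arguments into a single space-separated string and matches the
    whole string against the pattern. For a wildcard pattern the match is
    fnmatch-style, where '*' matches any character, including '/' and ' ' (space).
    For a ^...$ pattern the same joined string is matched against the regular
    expression. This is an approximation written for this example, not sudo's code.
    """
    joined = " ".join(argv)
    if pattern.startswith("^") and pattern.endswith("$"):
        return re.fullmatch(pattern[1:-1], joined) is not None
    return fnmatch.fnmatchcase(joined, pattern)


def rule_allows(rule, command, argv):
    """True if `command` with arguments `argv` is permitted by the sudoers command spec."""
    rule_command, rule_args = split_rule(rule)
    return command == rule_command and args_match(rule_args, argv)


if __name__ == "__main__":
    benign = ["/var/log/messages.1"]
    sneaky = ["/var/log/messages", "/etc/shadow"]  # two arguments, one joined string
    for rule in (WILDCARD_RULE, REGEX_RULE):
        print(f"{rule!r}: benign={rule_allows(rule, '/bin/cat', benign)} "
              f"sneaky={rule_allows(rule, '/bin/cat', sneaky)}")
```

The wildcard rule accepts both invocations, so the operator can read /etc/shadow; the regex rule accepts only the rotated log file. The same joined-string behaviour applies to regular expressions, which is why the pattern must not allow a space.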
Version 1.9 of sudo was released almost two years ago. One of the major new features was support for Python plugins. Previously, you could only extend sudo by coding in C to better suit your environment, which is not the easiest task to manage. Python makes both coding and distributing the results easier. Starting with Safeguard for Sudo 7.2, Python support is also available in an enterprise sudo management solution.| Sudo
Using sudo_logsrvd to centrally collect sudo session recordings from your network is a huge step forward in security: users cannot delete or modify session recordings locally. However, by default, transmission of recordings is not encrypted, making it open to modification and eavesdropping. Encrypting the connection between sudo and sudo_logsrvd can eliminate these problems. Larger environments usually either have in-house PKI tooling in place, or colleagues who know all openssl options off ...| Sudo
Sudo is an open source application allowing you to execute commands as another user. Safeguard for Privileged Sessions (SPS) by One Identity is commercial software that allows you to control, monitor and record privileged access. Starting with the upcoming SPS version 6.10 you will be able to collect and analyze sudo session recordings in SPS. Overview Session (I/O log) recording has been present in sudo for quite some time, but recordings were only saved locally. Replaying a sudo session lik...| Sudo
Before version 1.9 was released, alerting in sudo was limited to e-mail messages. If you wanted to send alerts somewhere else, like Slack, you could only do this using external applications, like syslog-ng. Beginning with sudo 1.9, there is an Audit API that can be called from Python. Previously, we provided you with a simple example that showed how to print some debug information to the terminal. In this blog post we will extend that example with Apprise, a universal Python notification libra...| Sudo
Version 1.9.6 of sudo was released recently. This is primarily a bug fix release with almost no user visible changes. One of the changes visible to developers is that support for fuzz testing was added. What is fuzz testing? According to the Wikipedia: “Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in co...| Sudo
My FOSDEM talk in the BSD devroom showcased what is new in sudo and syslog-ng and explained how to install or compile the software yourself on FreeBSD. I am a long-time FreeBSD user; I started with version 1.0 in 1994. But soon after my talk I was asked what I know about the other BSDs. I knew that all BSDs have sudo in their ports system, but had no idea what shape those ports were in.| Sudo
While most of the changes in sudo version 1.9.4 are under the hood, there are some user-visible changes as well. Locating problems in the sudoers file became even easier as the column number is now also displayed when an error is found. There are also two logging related changes. Sudo_logsrvd, the service that collects session recordings centrally, can now also collect rejection log messages, not just information about successful sessions. It is now also possible to log events in JSON format.| Sudo
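As an added example serving both the JSON logging entry above and the json_compact entry earlier on this page (it is not code from those posts or from the sudo project), here is a small triage script over sudo JSON log events. The sample events are constructed for this example; their field names (accept/reject/exit objects with submituser, runuser, command, runargv, reason) follow sudo's JSON log layout, but the values are invented. The decoder consumes concatenated JSON objects, so it reads both the pretty-printed output and the one-event-per-line json_compact output, and it skips lines that are not JSON instead of aborting.

```python
import json

# Constructed json_compact-style log: one event per line (values invented).
SAMPLE_COMPACT = r"""
{"accept":{"uuid":"2a7d6e0c-0000-4000-8000-000000000001","server_time":{"seconds":1700000000,"iso8601":"20231114T221320Z"},"submituser":"alice","runuser":"root","command":"/usr/bin/systemctl","runargv":["systemctl","restart","nginx"],"ttyname":"/dev/pts/0","submithost":"web1"}}
{"reject":{"uuid":"2a7d6e0c-0000-4000-8000-000000000002","server_time":{"seconds":1700000060,"iso8601":"20231114T221420Z"},"submituser":"bob","runuser":"root","command":"/usr/bin/vi","runargv":["vi","/etc/sudoers"],"reason":"command not allowed","ttyname":"/dev/pts/1","submithost":"web1"}}
{"accept":{"uuid":"2a7d6e0c-0000-4000-8000-000000000003","server_time":{"seconds":1700000120,"iso8601":"20231114T221520Z"},"submituser":"alice","runuser":"root","command":"/bin/bash","runargv":["bash","-i"],"ttyname":"/dev/pts/0","submithost":"web1"}}
this line is not JSON and must be skipped
{"exit":{"uuid":"2a7d6e0c-0000-4000-8000-000000000003","exit_value":0}}
"""

# The same kind of event as sudo writes it without json_compact (constructed).
SAMPLE_PRETTY = r"""
{
    "accept": {
        "uuid": "2a7d6e0c-0000-4000-8000-000000000004",
        "submituser": "carol",
        "runuser": "root",
        "command": "/usr/bin/id",
        "runargv": ["id"],
        "submithost": "db1"
    }
}
"""

# Assumption for this example: commands that give an unrestricted shell.
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/bash", "/bin/zsh", "/usr/bin/zsh", "/bin/dash"}


def parse_events(text):
    """Yield (event_type, fields) for every JSON object in `text`.

    Uses raw_decode so that objects may span several lines (pretty output) or
    share the stream one per line (json_compact). Anything that does not decode
    is skipped up to the next newline.
    """
    decoder = json.JSONDecoder()
    pos, end_of_text = 0, len(text)
    while pos < end_of_text:
        while pos < end_of_text and text[pos].isspace():
            pos += 1
        if pos >= end_of_text:
            break
        try:
            obj, pos = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            newline = text.find("\n", pos)
            pos = end_of_text if newline == -1 else newline + 1
            continue
        if isinstance(obj, dict) and len(obj) == 1:
            (event_type, fields), = obj.items()
            if isinstance(fields, dict):
                yield event_type, fields


def triage(text):
    """Return (counts per event type, list of findings worth a human look)."""
    counts, findings = {}, []
    for event_type, fields in parse_events(text):
        counts[event_type] = counts.get(event_type, 0) + 1
        who = f"{fields.get('submituser', '?')}@{fields.get('submithost', '?')}"
        argv = " ".join(fields.get("runargv", []))
        if event_type == "reject":
            findings.append(f"REJECT {who}: {argv} ({fields.get('reason', 'no reason given')})")
        elif event_type == "accept" and fields.get("command") in SHELLS:
            findings.append(f"SHELL {who} as {fields.get('runuser', '?')}: {argv}")
    return counts, findings


if __name__ == "__main__":
    for sample in (SAMPLE_COMPACT, SAMPLE_PRETTY):
        counts, findings = triage(sample)
        print(counts)
        for line in findings:
            print("  ", line)
```

With json_compact a plain line-oriented shipper (syslog-ng, a tail-based agent) can forward each event as one record; the raw_decode loop above is only needed if you have to read the multi-line pretty output as well.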
Version 1.9.3 brought many improvements to how the sudoers file is handled. Zero-length files are not saved by sudoedit, in many cases error messages are more accurate, and sudo no longer refuses to run if there is a syntax error. Let’s take a more detailed look at these changes! Before you begin These new features were introduced in sudo version 1.9.3. There is a good chance that your operating system includes an older version of sudo. You can download ready-to-use binaries for many differ...| Sudo
Starting with sudo 1.9.3, you can change both the root and the working directories within sudo itself. Neither option is enabled by default; you need to explicitly enable them in the sudoers file. When enabled, you can fine-tune target directories or allow your users to specify the directory to use. The logs reflect when these settings have been used. Before you begin These new features were introduced in sudo version 1.9.3. There is a good chance that your operating system includes an older...| Sudo
The default sudoers file gives one group of users full control over your machine: %wheel ALL=(ALL) ALL Once it is not just you and your best friend administering a machine, you will start to give more fine-grained privileges to administrators. All fields in the above configuration line can be replaced by a list of values. A list of user names, a list of host names, a list of commands, and so on. Soon you will copy and paste these lists around in your sudoers file. It looks simple and manageab...| Sudo
Using the sudo group plugin, you can connect sudo to external systems and approve commands based on non-UNIX groups. For example, Authentication Services by One Identity uses this solution. Starting with sudo version 1.9, you can also write group plugins in Python. You can use this to check databases or APIs if the admin trying to run a command is a member of a group. This way you can check, for example, if an admin is on duty.| Sudo
Sudo 1.9 is now feature complete. One of the new features is Python support, meaning that you can easily extend sudo functionality using Python scripts. It supports the very same APIs as the regular C plugin API, only the language is different. One of the more interesting APIs is the IO logging API, which provides access to terminal data in real-time, both input and output. This way you can check if a sudo user is accessing data that he should not, or analyze the commands entered and terminat...| Sudo
After I finish a talk on sudo at a conference, I usually receive quite a few questions. Many of the answers I gave earlier were already included in the latest version of my sudo talk. The following is a collection of questions and answers from different conferences. How can I change the insults (the funny messages displayed when someone enters the wrong password) of sudo? Right now the insult messages are hard-coded. There are plans to use an external file for them, but obviously this change ...| Sudo
If there is one utility installed on almost all Linux/UNIX systems, it is sudo. Still, most sudo users – including myself until a year ago – only know this app as the prefix for administrative commands and using the default configuration. By the end of this blog you will know that it is a lot more. After a brief introduction to sudo you can learn a number of lesser-known sudo features: digest check, configuration in LDAP, session recording, extensive logging and even plugins. The current bl...| Sudo
Learn about What You Most Likely Did Not Know About Sudo… at this year’s All Things Open conference. If you have not heard about it yet, All Things Open is one of the largest open source events on the US East Coast. This year the conference is October 13-15, in the area known as the Research Triangle. People from all aspects of open source participate: users, developers, decision makers and as the name of the area implies, many people from research.| Sudo
There are situations where you cannot avoid giving a user full shell access through sudo. A shell with administrative privileges gives complete control over your hosts. Until recently, sudo could only log the start of the shell, not the commands executed within it. You could record sessions with sudo, but watching recordings is boring, time consuming and can still be subverted. Version 1.9.8 introduced logging of sub-commands, but that is not yet available on many systems. An alternate approa...| Sudo
Version 1.9.13 of sudo adds the list pseudo-command. Previously, only root or a user with the ability to run any command as either root or the target user could list privileges. Using the list pseudo-command it is possible to list the privileges of another user without any additional privileges, thus tightening security even more. Before you begin Unless you are using a rolling Linux distribution, there is a good chance that sudo 1.9.13 is not yet available for your system. Luckily the sudo p...| Sudo
One of the recurring questions at conferences was whether there is a way to check cached sudo credentials without updating them. Version 1.9.12 of sudo introduces the -N option which makes this possible, and also allows running any commands without updating the cached credentials. Before you begin The -N option was introduced in sudo version 1.9.12. There is a good chance that your choice of operating system still has an older version of sudo. You can easily compile sudo from source, however,...| Sudo
Sudo is one of the most used command line tools in the Linux / UNIX / macOS world. It gives users the ability to execute commands as another user. Most often it is used to gain root (administrator) privileges. Sudo was created when there were a small number of independent large systems. Some support for multiple hosts, central management and monitoring were later added to it. These tools do their jobs, however large enterprises require ease of use, reporting and monitoring.| Sudo
Version 1.9.8 of sudo introduced support for logging and intercepting sub-commands. These features quickly became very popular. The original implementation is portable, however it also has a number of limitations. Version 1.9.11 of sudo introduced an alternative, Linux-specific, implementation that allows sudo to detect sub-commands in even more situations. Before you begin Version 1.9.11 of sudo was released very recently. There is a good chance that your OS of choice still has an earlier ve...| Sudo
Session recording has been available in sudo for many years, however not many people are aware of it. Even less well-known is that you can save not just the terminal output, but also what the user types. That way you can analyze what the user is doing within a shell session. Recordings may also include user passwords, which is not always desirable. Version 1.9.10 of sudo allows you to hide passwords in session recordings if it recognizes a password entry.| Sudo
We learned in my previous sudo blog that cvtsudoers is not just for LDAP. Version 1.9.9 of sudo extends the querying possibilities of cvtsudoers further and adds a brand new feature: merging multiple sudoers files into one. Both are especially useful when you have complex configurations. Querying lets you better understand what the various rules allow in your sudoers file. Merging helps you to combine multiple configurations into one, so you do not have to maintain a separate sudoers file ...| Sudo
The main feature of cvtsudoers is that it can convert between the sudoers file format and LDAP’s LDIF file format. As I do not use LDAP in my lab environment I stopped caring about cvtsudoers after I read the first few lines of its man page. However, cvtsudoers has additional features useful even without LDAP: querying the sudoers file and printing permissions belonging to a given user or host. Before you begin I must admit, I have no idea which version of sudo introduced the filtering (-m)...| Sudo
A month ago, when sudo 1.9.8 was still under development, we checked out the new log_subcmds option. It allows you to log all commands (with some limitations) that are executed by a command started through sudo. For example, you can see if a shell was started through a text editor. The intercept option brings this one step further: you can prevent sub-commands from even running. Before you begin To use sudo’s intercept option you need sudo 1.9.8 (or later). At the time of writing it is not ava...| Sudo
Sudo development is at version 1.9.8 beta 3. There are two major new features: sudo can intercept sub-commands and log sub-commands. In this quick teaser I introduce you to log_subcmds. I hope it is interesting enough for you to test it out and provide feedback. So, what is log_subcmds good for? There are many UNIX tools that can spawn external applications. You only see vi in the logs, but can you be sure without session recording that your admin only edits what he is supposed to? With log_s...| Sudo
Relay mode was introduced to sudo_logsrvd in sudo version 1.9.7. But, first of all, what is sudo_logsrvd? It is the sudo recording service that allows you to collect sudo session recordings centrally. Using relay mode makes it possible to collect sudo session recordings even when the central service is inaccessible and provides you with a single exit point from your network. In this blog you will learn why relay mode is important and how you can test it.| Sudo
While FreeBSD does not install sudo as part of the base system, you can easily install it yourself. If you do not need anything more than basic functionality, you can install the binary package using the pkg command. Most users belong to this group. If you need advanced functionality, like Python support, you will have to compile sudo yourself from ports. Are you surprised by the mention of basic and advanced functionality for sudo? If yes, read my article about what is new in sudo 1.9. Besid...| Sudo
Version 1.9 of sudo introduced the approval plugin API, making it possible to have extra restrictions before executing a command. These only run after the policy plugin has succeeded, so you can effectively add additional layers of policy without replacing the policy plugin and sudoers. Multiple approval plugins may be defined, and all must succeed in order for the command to be executed. In this blog you will find a simple Python script utilizing the approval API. It implements a simple chec...| Sudo
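As an added example of the approval API (not the script from the original post and not code shipped with sudo), here is a Python approval plugin that rejects commands outside an on-duty window, with a small always-allowed set. The policy lives in a pure function so it can be unit-tested without sudo; the `sudo` module only exists inside sudo's python_plugin.so, so a minimal stand-in is used when it is absent. The on-duty hours, the always-allowed commands and the sudo.conf path in the docstring are assumptions.

```python
"""On-duty approval plugin for sudo (added example).

Assumed sudo.conf line to load it (path and class name are this example's choice):
  Plugin python_approval python_plugin.so ModulePath=/usr/local/libexec/sudo/onduty_approval.py ClassName=OnDutyApprovalPlugin
"""
from datetime import datetime, time

try:
    import sudo  # provided by sudo's python_plugin.so at run time
except ImportError:
    # Stand-in for running the policy outside sudo (tests, local experiments).
    class _SudoStub:
        class Plugin:
            def __init__(self, **kwargs):
                pass

        class PluginReject(Exception):
            pass

        @staticmethod
        def log_info(message):
            print(message)

    sudo = _SudoStub()

ON_DUTY_START = time(8, 0)   # assumption: on-duty window is 08:00-18:00, Monday to Friday
ON_DUTY_END = time(18, 0)
ALWAYS_ALLOWED = {"/usr/bin/systemctl", "/bin/systemctl"}  # assumption: service restarts are always ok


def rejection_reason(command, when):
    """Return None if `command` may run at `when`, otherwise a human-readable reason."""
    if command in ALWAYS_ALLOWED:
        return None
    if when.weekday() >= 5:
        return "not allowed on weekends"
    if not ON_DUTY_START <= when.time() < ON_DUTY_END:
        return (f"not allowed outside on-duty hours "
                f"({ON_DUTY_START:%H:%M}-{ON_DUTY_END:%H:%M})")
    return None


def command_path(command_info):
    """Extract the resolved command path from sudo's 'key=value' command_info tuple."""
    for item in command_info:
        key, sep, value = item.partition("=")
        if sep and key == "command":
            return value
    return ""


class OnDutyApprovalPlugin(sudo.Plugin):
    # sudo calls check() after the policy plugin (sudoers) has already accepted
    # the command; returning normally approves it, raising PluginReject denies it.
    def check(self, command_info: tuple, run_argv: tuple, run_env: tuple) -> None:
        self.check_at(command_info, datetime.now())

    def check_at(self, command_info, when):
        command = command_path(command_info)
        reason = rejection_reason(command, when)
        if reason is not None:
            sudo.log_info(f"Rejecting {command}: {reason}")
            raise sudo.PluginReject(reason)


if __name__ == "__main__":
    plugin = OnDutyApprovalPlugin()
    plugin.check_at(("command=/usr/bin/vi",), datetime(2024, 1, 8, 10, 0))  # Monday 10:00, passes
    try:
        plugin.check_at(("command=/usr/bin/vi",), datetime(2024, 1, 6, 10, 0))  # Saturday
    except sudo.PluginReject as exc:
        print("rejected:", exc)
```

Because approval plugins only run after sudoers has accepted the command, this cannot widen access, only narrow it; several such plugins can be listed in sudo.conf and all of them must approve.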
Version 1.9 of sudo introduced a new API to access audit information. This is not a user-visible feature. In other words, you cannot use it directly from the sudoers file. It is an API, meaning that you can access audit information from plugins, including ones written in Python. You can use it in many different ways, like sending events from sudo directly to Elasticsearch or LaaS when something interesting happens. You can also use it for debugging and print otherwise difficult to access info...| Sudo
Version 1.9 of sudo is now feature complete: all major features are implemented. On the other hand, sudo 1.9 needs testing and a bit of polishing before it can be made generally available. This is where you can help. Testing is easy, as for most platforms the project provides ready-to-install packages. In this blog I will show you how to test the recording service. For an overview of 1.9 features see What is coming up in sudo 1.9? To get started with Python support in sudo, including compile ...| Sudo
One of the most interesting new features of the upcoming sudo version 1.9 is Python support. While version 1.8 introduced plugin support, Python support means that you can extend sudo using the same APIs but write plugins in Python instead of C. Version 1.9 is still under development but you are encouraged to test it and provide feedback about your experiences. From this blog, you can learn how to install ready to use beta quality packages from the sudo website, how to compile it yourself (on...| Sudo
I guess it is not an overstatement to say that many interesting new features are coming to sudo in version 1.9. On the other hand, most sudo users are still only aware of its basic functionality. In this blog I would like to draw your attention to my Opensource.com article, which describes some lesser known features of sudo. Finally, I will point you to four upcoming conference talks about different aspects of sudo.| Sudo
This blog helps you to get started with configuring sudo and learn how to avoid the most common mistakes. But the title “getting started with sudo” sounds a lot less interesting :-) Based on responses to my talks, one of the most popular configuration options of sudo is insults. You should not think about anything serious here: just some funny messages when a user mistypes a password. As some users find these messages inappropriate, they are now disabled by default, but can be enabled...| Sudo
Let me tell you a personal story, how this blog was born. First a bit of introduction. I am Peter Czanik, working for the past nine years as syslog-ng evangelist at Balabit. Obviously I also deal with the commercial variant, but my focus is Open Source. That is one of the reasons why I was very happy to learn that Todd Miller, developer of the sudo application, became my colleague when Balabit was acquired by One Identity last year.| Sudo
Sudo had many features to help blue teams in their daily job even before 1.9 was released. Session recordings, plugins and others made sure that most administrative access could be controlled and problems easily detected. Version 1.9 introduced Python support, new APIs, centralized session recordings, however some blind spots still remained. Learn how some of the latest sudo features can help you to better control and log administrative access to your hosts. You will learn about JSON logging ...| Sudo