»What you most likely did not know about sudo…«
2019-05-04, 12:00–12:50, Room B

Sudo is installed by default on almost all Linux system, still even system administrators often only know it is the “prefix” to use before entering a command requiring root privileges. Learn how much more this simple looking tool can do!

Everybody knows sudo, right? Sudo allows a system administrator to give certain users the ability to run some commands as root, while logging the executed commands and their arguments. It is installed by default on almost all Linux systems, and is available for most commercial UNIX systems. Still, even system administrators often only know it is the “prefix” to use before entering a command requiring root privileges. Learn how much more this simple looking tool can do! Most of the times the default configuration allows a group of users to run any commands: %wheel ALL=(ALL) ALL It’s a good first step, better than using the root account directly. This way you can trace who ran what commands on the system. But there are a lot more possibilities when configuring sudo, making your system more secure. Life is simple when when you have to give access a single user to a single command. But as soon as you have multiple users with the same access rights, it is not just shorter but also easier to maintain, if you use aliases. For added security, you can add a hash of binaries to sudo. This way if the binary changes for any reasons, like modifying it through a successful exploit, you can prevent it from being used.

Using sudo does not make much sense without proper logging and alerting. There are three major possibilities: - syslog: all events are logged to syslog. For additional security, collect sudo logs centrally, so a malicious user cannot delete them easily. - e-mail: sudo can send e-mail alerts on different kinds of failures - debug: in depth logging of subsystems, mostly useful for developers Session recording is a fourth possibility. The terminal output can be saved in a local file and played back. You can play back what happened, even if the user started up an interactive shell.

Instead of maintaining the sudoers file on each of your systems, you can use LDAP to configure sudo. It has some differences compared to a sudoers file, but also many advantages: - local users cannot manipulate the rules, - is easier to maintain, - goes live immediately.

Starting with version 1.8, sudo has a plugin-based architecture. You can replace or extend sudo functionality using plugins. This way users can keep starting applications the usual way using sudo, but have a different configuration or policy engine behind the sudo command. There are both open source and commercial plugins available. For example the sudo_pair plugin – developed in Rust – enables monitoring and makes it possible to require interactive approval of sessions.

As you can see, sudo has several lesser-known features that can make monitoring and access management easier for large organizations.

See also: Slides