Session: Sudo For Defense: How can new or lesser-known features help you?

Sudo has supported fine-tuned permissions and logging in-depth for many years, even though system administrators often know it only as the “prefix” to use before entering a command requiring root privileges. Recent versions provide even more tools to operate and secure your systems. You can collect session recordings centrally. You can now also extend sudo using Python code to, for example, further restrict authorization, terminate sessions, and alert on suspicious activity.

Learning or guessing a user’s password is relatively easy. That is why attackers know sudo as an easy stepping-stone to administrator access. Earlier versions of sudo already provided in-depth logging in order to spot suspicious activity. Version 1.9 puts even more tools into the hands of administrators and security teams. You can collect session recordings centrally. Plugin support was already available in 1.8 but starting with 1.9 you can also extend sudo using Python code.

This talk gives you an introduction to lesser-known features of sudo and then focuses on new possibilities for system administrators available with version 1.9.

Using sudo does not make much sense without proper logging and alerting. There are three major possibilities:

  • syslog: all events are logged to syslog. For additional security, collect sudo logs centrally, so a malicious user cannot delete them easily.
  • e-mail: sudo can send email alerts on different kinds of failures.
  • debug: in-depth logging of subsystems, mostly useful for developers

Session recording is a fourth possibility. The terminal output can be saved in a file and played back. You can play back what happened, even if the user started up an interactive shell.

Starting with version 1.9, you can collect session recordings centrally. This has many advantages: it is convenient, more available, and provides additional security.
You can also extend sudo in Python. This gives you even more possibilities on the defense side. Using Python code, you can easily query external applications for information. For example, only allow a session if there is an open ticket for it, or when the given sysadmin is on duty according to the HR database.

Python also provides many possibilities to detect suspicious activities. A new API provides you with full access to sudo logs, with even more data than the traditional sudo logs provide, so you can analyze log messages in real-time within sudo. You can also analyze IO logs from Python, including user input and terminal output. This way it is easy to detect suspicious content on the screen, like file names appearing on-screen from a directory which the user was never supposed to access. With a few additional tricks, you can also detect what the user is typing and analyze command lines. You can alert on suspicious activity or even terminate sessions.

As you can see, sudo has several lesser-known features that can make access management and monitoring easier.