what s new in sudo 1 9
play

Whats new in Sudo 1.9? Peter Czanik / One Identity (Balabit) Todd - PowerPoint PPT Presentation

Feb 13, 2024 •175 likes •608 views

Whats new in Sudo 1.9? Peter Czanik / One Identity (Balabit) Todd Miller / One Identity Overview What is sudo? Sudo 1.8 features Whats new in 1.9? 2 What is sudo? Answers, depending on experience and size of environment:

  1. What’s new in Sudo 1.9? Peter Czanik / One Identity (Balabit) Todd Miller / One Identity

  2. Overview ■ What is sudo? ■ Sudo 1.8 features ■ What’s new in 1.9? 2

  3. What is sudo? ■ Answers, depending on experience and size of environment: ■ A tool to complicate life ■ A prefix for administrative commands ■ A way to see who did what 3

  4. What is sudo? ■ Sudo allows a sysadmin to give users the ability to run privileged commands without using a root shell or su. ■ Sudo logs each command run and, optionally, can log the terminal session. ■ Commands run by using the sudo prefix ■ Policy configuration in the “sudoers” file. 4

  5. A Brief History ■ 1980: First version from SUNY/Buffalo ■ 1985: Updated version posted to net.sources ■ 1986: CU-Boulder version ■ Unix System Administrator’s Handbook (Evi Nemeth) ■ 1991: Root Group version ■ 1994: Todd starts making sudo releases ■ 2003: LDAP sudoers support ■ 2010: Session (keystroke) logging ■ 2011: Plugin support (sudo 1.8) ■ 2020: Python plugins, recording server (sudo 1.9) 5

  6. Basic /etc/sudoers %wheel ALL=(ALL) ALL ■ Who ■ Where ■ As which user ■ Which command 6

  7. Aliases ■ Aliases: ■ Simplify configuration ■ Less error-prone Host_Alias WEBSERVERS = www1, www2, www3 User_Alias ADMINS = smith, johnson, williams Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff ADMINS WEBSERVERS = REBOOT 7

  8. Defaults ■ Changes the default behavior: Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin" Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE" Defaults !insults ■ Can be user/host/etc specific Defaults:%wheel insults 8

  9. Insults ■ Fun, but not always PC :) czanik@linux-mewy:~> sudo ls [sudo] password for root: Hold it up to the light --- not a brain in sight! [sudo] password for root: My pet ferret can type better than you! [sudo] password for root: sudo: 3 incorrect password attempts czanik@linux-mewy:~> 9

  10. Digest verification peter ALL = sha244:11925141bb22866afdf257ce7790bd6275feda80b3b2 41c108b79c88 /usr/bin/passwd ■ Modified binaries do not run ■ Difficult to maintain ■ Additional layer of protection 10

  11. Session recording ■ Recording the terminal ■ Play it back ■ Difficult to modify (not cleartext) ■ Easy to delete (saved locally) with unlimited access ■ Stay tuned :) 11

  12. Plugin-based architecture ■ Starting with version 1.8 ■ Replace or extend functionality ■ Both open source and commercial 12

  13. Plugin-based architecture ■ sudo_pair ■ Making sure that no user can enter commands on their own ■ Terminate session on suspicious activity ■ Developed in Rust ■ https://github.com/square/sudo_pair/ 13

  14. Plugin-based architecture ■ Demo of sudo_pair 14

  15. Configuration hints ■ Use visudo for syntax check ■ Use EDITOR to use another text editor :-) ■ A syntactically correct config still does not mean that you can execute anything :-) ■ root password (even for Ubuntu!) 15

  16. Configuration ■ Read from top to bottom ■ Start with generic ■ Add exceptions at the end 16

  17. Sample configuration Defaults !visiblepw Defaults always_set_home Defaults match_group_by_gid Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin root ALL=(ALL) ALL %wheel ALL=(ALL) ALL Defaults:%wheel insults Defaults !insults Defaults log_output 17

  18. Where is the problem? ■ There was a common mistake 18

  19. Central management ■ Puppet, Ansible, etc. ■ Not real-time ■ Users can modify locally ■ Error-prone ■ LDAP ■ Propagates real-time ■ Can’t be modified locally ■ Many limitations 19

  20. Logging and alerting ■ E-mail alerts ■ All events to syslog ■ Make sure logs are centralized ■ Using syslog-ng sudo logs are automatically parsed and you can also do alerting to Slack, Splunk, Elasticsearch, etc. ■ Debug logs ■ Debug rules ■ Report problems 20

  21. syslog-ng ■ Logging Recording events, such as: Jan 14 11:38:48 linux-0jbu sshd[7716]: Accepted publickey for root from 127.0.0.1 port 48806 ssh2 ■ syslog-ng Enhanced logging daemon with a focus on portability and high- performance central log collection. Originally developed in C. 21

  22. Configuring syslog-ng ■ “Don't Panic” ■ Simple and logical, even if it looks difficult at first ■ Pipeline model: Many different building blocks (sources, destinations, filters, - parsers, etc.) Connected into a pipeline using “log” statements - 22 #GetIAMRight | One Identity - Restricted - Confidential

  23. syslog-ng.conf: getting started @version:3.23 @include "scl.conf" # this is a comment :) options {flush_lines (0); keep_hostname (yes);}; source s_sys { system(); internal();}; destination d_mesg { file("/var/log/messages"); }; filter f_default { level(info..emerg) and not (facility(mail)); }; log { source(s_sys); filter(f_default); destination(d_mesg); }; 23

  24. syslog-ng.conf: sudo building blocks filter f_sudo {program(sudo)}; destination d_test { file("/var/log/sudo.json" template("$(format-json --scope nv_pairs --scope dot_nv_pairs --scope rfc5424)\n\n")); }; destination d_slack { slack(hook- url("https://hooks.slack.com/services/TF8LZ3CSF/BF8CJKVT3/C2qdnMXCwD D3ATOFVMyxMyHB") ); }; 24

  25. syslog-ng.conf: sudo log statement # name-value pairs come from the sudo parser log { source(s_sys); filter(f_sudo); if (match("czanik" value(".sudo.SUBJECT"))) { destination { file("/var/log/sudo_filtered"); }; destination(d_slack); }; destination(d_test); }; 25

  26. sudo logs in Slack 26

  27. New for sudo 1.9 ■ Recording Service: collect sudo IOlogs centrally ■ Audit Plugin: custom logging ■ Approval Plugin: additional conditions ■ Python support for plugins 27

  28. Recording Service ■ Collect sudo IOlogs centrally ■ sudo_logsrvd daemon ■ sudoers I/O log plugin ■ Streamed in real-time ■ Built with Google Protocol Buffers ■ Secured with TLS 1.2/1.3 (optional) ■ Can use sudoreplay as normal 28

  29. Recording Service ■ Why not syslog? ■ Not always reliable ■ Entries could arrive out of order ■ Replay more difficult ■ Max message size varies 29

  30. Recording Service ■ What if server unavailable? ■ Multiple servers can be specified ■ Connection failure can be fatal or ignored ■ Configurable in sudoers ■ Still To-Do ■ Redirect client to less-loaded server ■ Transmit offline logs to server 30

  31. Audit Plugin ■ API to access sudo logging events ■ Accept, Reject, Error and Exit events ■ Minor change to policy and I/O plugin API ■ Plugins now report an error string ■ Multiple audit plugins supported ■ Example audit plugin that outputs JSON ■ Has not replaced sudoers logging 31

  32. Audit Plugin ■ Can log more details than default sudo logs ■ Full details of invoking user ■ Full execution environment ■ Useful from Python ■ Logging/Alerting to Elasticsearch, cloud providers, etc. ■ without external tools (like syslog-ng) 32

  33. Audit Plugin API ■ open() ■ Called before any other plugin ■ Receives user info, original argv and environment ■ close() ■ Called last, just before sudo exits ■ Receives command exit status or signal number ■ show_version() ■ Displays plugin version 33

  34. Audit Plugin API ■ accept() or reject() ■ Called after policy plugin runs ■ and after approval plugin, if any… ■ Receives plugin name and type ■ Also command info and environment (accept only) ■ error() ■ Called if a plugin reports an error ■ Receives plugin name and type ■ Error string describing the problem (newer plugins) 34

  35. Approval Plugin ■ Extra restrictions to run a command ■ Only if the policy plugin succeeded ■ Can add extra policy without replacing sudoers ■ Multiple approval plugins supported ■ All must succeed ■ Simpler API, mostly just a yes/no answer ■ Can interact with the user 35

  36. Approval Plugin ■ Possible uses ■ Time of day restrictions ■ Just in time authorization ■ Could be combined with a permissive sudoers policy ■ Multi factor authentication 36

  37. Approval Plugin API ■ open() ■ User info, original argv and environment ■ check() ■ Command to run, execution environment ■ close() ■ Does not wait for command to complete ■ show_version() ■ Display version 37

  38. Python support ■ Extend sudo using Python ■ Using the same basic APIs as C plugins ■ https://www.sudo.ws/man/sudo_plugin_python.man.html ■ No development environment or compilation is needed ■ python_plugin.so links with a python interpreter ■ Sudo 1.9.0 comes with Python plugin examples 38

  39. IO logs API ■ Demo 39

  40. Not just a prefix, but... 1.8 ■ Fine grained permissions ■ Aliases / Defaults / Digest verification ■ Session recording / Logging and alerting ■ LDAP ■ Plugins 1.9 ■ Python plugins ■ Audit API, Approval API ■ Central session recording collection 40 #GetIAMRight | One Identity - Restricted - Confidential

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Whats new in Sudo 1.8? Pluggable modules for Sudo

Whats new in Sudo 1.8? Pluggable modules for Sudo

Whats new in Sudo 1.8? Pluggable modules for Sudo Introduc=on to Sudo Sudo allows a system administrator to give users the ability

439 views • 24 slides
What you most likely did not know about sudo Peter Czanik / One Identity (Balabit) Overview

What you most likely did not know about sudo Peter Czanik / One Identity (Balabit) Overview

What you most likely did not know about sudo Peter Czanik / One Identity (Balabit) Overview What is sudo From aliases to plugins What is new in 1.9? 2 What is sudo? Answers, depending on experience and size of environment:

580 views • 32 slides
$ sudo tcpdump -i eth0 $ sudo tcpdump -c 5 -i eth0 $ sudo tcpdump

$ sudo tcpdump -i eth0 $ sudo tcpdump -c 5 -i eth0 $ sudo tcpdump

$ sudo tcpdump -i eth0 $ sudo tcpdump -c 5 -i eth0 $ sudo tcpdump -i eth0 not port 22 -a Show all $ netstat -a -n Numeric $ netstat -nr -r Routes -l Listening $ netstat -nalt $ netstat -lx -t

572 views • 55 slides
What you most likely did not know about sudo Peter Czanik / One Identity (Balabit) About me

What you most likely did not know about sudo Peter Czanik / One Identity (Balabit) About me

What you most likely did not know about sudo Peter Czanik / One Identity (Balabit) About me Peter Czanik from Hungary Open Source Evangelist at One Identity -- home of syslog- ng and patron of sudo syslog-ng packaging, support,

421 views • 26 slides
Binding ex post facto Patrick D. Elliott x Yasu Sudo y November 12, 2018 LENLS, Keio University

Binding ex post facto Patrick D. Elliott x Yasu Sudo y November 12, 2018 LENLS, Keio University

Binding ex post facto Patrick D. Elliott x Yasu Sudo y November 12, 2018 LENLS, Keio University Leibniz-Center for General Linguistics x and University College London y Tiis is joint work with Yasu Sudo (University College London). 1 Overview

891 views • 51 slides
Labs #2 WebDev Web ebDe Dev v Lab #1 On your local Ubuntu VM, install the Python and C

Labs #2 WebDev Web ebDe Dev v Lab #1 On your local Ubuntu VM, install the Python and C

Labs #2 WebDev Web ebDe Dev v Lab #1 On your local Ubuntu VM, install the Python and C development tools, then run the app locally sudo apt update sudo apt install python3-dev build-essential git clone

912 views • 62 slides
Loosely-stabilizing Leader Election with Polylogarithmic Convergence Time Yuichi Sudo 1 , Fukuhito

Loosely-stabilizing Leader Election with Polylogarithmic Convergence Time Yuichi Sudo 1 , Fukuhito

OPODIS 2018 Loosely-stabilizing Leader Election with Polylogarithmic Convergence Time Yuichi Sudo 1 , Fukuhito Ooshita 2 , Hirotsugu Kakugawa 1 , Toshimitsu Masuzawa 1 , Ajoy K. Datta 3 , Lawrence L. Larmore 3 1. Osaka University, Japan 2.

758 views • 41 slides
The Effects of Monetary Policy Shocks on Inequality in Japan Masayuki Inui Nao Sudo Tomoaki

The Effects of Monetary Policy Shocks on Inequality in Japan Masayuki Inui Nao Sudo Tomoaki

Motivation Data & Estimation Model Results Conclusion The Effects of Monetary Policy Shocks on Inequality in Japan Masayuki Inui Nao Sudo Tomoaki Yamada 10 November, 2017@Gerzensee The views expressed are those of authors and do

475 views • 45 slides
Bundling KDE 1 / 24 Who am I? 2 / 24 Motivation 3 / 24 Users on supported software 4 / 24

Bundling KDE 1 / 24 Who am I? 2 / 24 Motivation 3 / 24 Users on supported software 4 / 24

Bundling KDE 1 / 24 Who am I? 2 / 24 Motivation 3 / 24 Users on supported software 4 / 24 What? 5 / 24 Installing KDE Applications 6 / 24 Snap sudo snap install kde-frameworks-5 sudo snap install kblocks Harald's Blog 7 / 24

775 views • 24 slides
Muntaseer Billah, Satoru Chatani and Kengo Sudo , S C g S Department of Earth and Environmental

Muntaseer Billah, Satoru Chatani and Kengo Sudo , S C g S Department of Earth and Environmental

Muntaseer Billah, Satoru Chatani and Kengo Sudo , S C g S Department of Earth and Environmental Science Graduate School of Environmental Studies N Nagoya University, Nagoya, Japan U i it N J Presented at the 8th Annual CMAS Conference, Chapel

452 views • 21 slides
Self-Stabilizing Token Distribution with Constant-Space for Trees Yuichi Sudo 1 , Ajoy K. Datta 2

Self-Stabilizing Token Distribution with Constant-Space for Trees Yuichi Sudo 1 , Ajoy K. Datta 2

OPODIS 2018 Self-Stabilizing Token Distribution with Constant-Space for Trees Yuichi Sudo 1 , Ajoy K. Datta 2 , Lawrence L. Larmore 2 , Toshimitsu Masuzawa 1 , 1. Osaka University, Japan 2. The University of Nevada, Las Vegas, USA Token

436 views • 18 slides
Binding back to the future Patrick D. Elliott and Yasu Sudo July 2, 2019 Asymmetries in

Binding back to the future Patrick D. Elliott and Yasu Sudo July 2, 2019 Asymmetries in

Binding back to the future Patrick D. Elliott and Yasu Sudo July 2, 2019 Asymmetries in Language: Presuppositions and beyond Berlin 1 Slides: https://patrl.keybase.pub/slides/berlin-cataphora.pdf 2 L-to-R asymmetry with indefinite

584 views • 32 slides
Malware Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Stefan Savage and

Malware Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Stefan Savage and

CSE 127: Computer Security Malware Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Stefan Savage and David Wagner Vulnerability of the week: Sudo flaw thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html Today

748 views • 39 slides
When the going gets tough, Get TUF going! Riyaz Faizullabhoy - @riyazdf Motivation What is TUF?

When the going gets tough, Get TUF going! Riyaz Faizullabhoy - @riyazdf Motivation What is TUF?

When the going gets tough, Get TUF going! Riyaz Faizullabhoy - @riyazdf Motivation What is TUF? Using TUF Hermetic Builds Where does software come from? $> _ $>curl | sudo bash $>apt-get install authenticity $>apt-get

1.53k views • 114 slides
Sudoku the Maths of Biology Pr oje c t Santa Mar ia Colle ge Na ta lie , Ale xia , Ng o c ,

Sudoku the Maths of Biology Pr oje c t Santa Mar ia Colle ge Na ta lie , Ale xia , Ng o c ,

Sudoku the Maths of Biology Pr oje c t Santa Mar ia Colle ge Na ta lie , Ale xia , Ng o c , Ge o rg ia , Mic he lle , Cindy T he pr oje c t aim le a rn ho w to so lve a Sudo ku puzzle thro ug h a n ite ra tio n me tho d

396 views • 15 slides
The value of repeatable experiments and negative results Dave Tht Bufferbloat.net Sigcomm CCW

The value of repeatable experiments and negative results Dave Tht Bufferbloat.net Sigcomm CCW

The value of repeatable experiments and negative results Dave Tht Bufferbloat.net Sigcomm CCW Aug 18 th , 2014 Installing netperf-wrapper Linux (debian or ubuntu) sudo apt-get install python-matplotlib python-qt4 fping subversion

690 views • 43 slides
System Security Chapter 29 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

System Security Chapter 29 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

System Security Chapter 29 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 29-1 Outline Introduction Policy Networks Users Authentication Processes Files Retrospective Computer Security: Art

951 views • 59 slides
U.S. Department of Housing and Urban Development Office of Housing Counseling Facilitated by

U.S. Department of Housing and Urban Development Office of Housing Counseling Facilitated by

U.S. Department of Housing and Urban Development Office of Housing Counseling Facilitated by Booth Management Consulting 7230 Lee Deforest Drive, Suite 202 Columbia, MD 21046 Timekeeping & Personnel Activity Reporting February 7, 2019

626 views • 39 slides
IP Routing: Interdomain CS/ECE 438: Spring 2014 Instructor: Matthew Caesar

IP Routing: Interdomain CS/ECE 438: Spring 2014 Instructor: Matthew Caesar

IP Routing: Interdomain CS/ECE 438: Spring 2014 Instructor: Matthew Caesar http://courses.engr.illinois.edu/cs438/ Internet Routing So far, only considered routing within a domain Many issues can be ignored in this setting because

1.25k views • 75 slides
Provide avenue for input Participation from: Alexandria Federation of Civic Associations

Provide avenue for input Participation from: Alexandria Federation of Civic Associations

Transportation Planning Administrative Guidelines Update Department of Transportation and Environmental Services Transportation Planning Division Why is the City updating its Guidelines? Provide avenue for input from partner firms and the

551 views • 9 slides
Faculty Activity R eporting Workshop Brought to you by Hanna Jarsocrak, Office of Institutional

Faculty Activity R eporting Workshop Brought to you by Hanna Jarsocrak, Office of Institutional

Faculty Activity R eporting Workshop Brought to you by Hanna Jarsocrak, Office of Institutional R esearch Goals Logging into FAR Access your faculty FARs FTE Calculations& Guidelines Adjusting the activity Submit FAR

510 views • 24 slides
District Grant Training District 5440 Introductions Jim Epstein Fort Collins Rotary Club

District Grant Training District 5440 Introductions Jim Epstein Fort Collins Rotary Club

District Grant Training District 5440 Introductions Jim Epstein Fort Collins Rotary Club Introductions Nancy Pettus Jackson Hole Breakfast Tom Dunn Greeley Centennial Wilton Lyles Fort Collins Breakfast Krishna

373 views • 20 slides
Webinar June 2014 Whats in todays presentation: How to convert your proposal and

Webinar June 2014 Whats in todays presentation: How to convert your proposal and

The Florida Division of Cultural Affairs presents 2014-2015 Grantee Management Webinar June 2014 Whats in todays presentation: How to convert your proposal and budget into a Scope of Work and Deliverables Expenditure logs and

728 views • 37 slides
Invitation to Onboard Parents Gateway Mr Leslie Tan HOD ICT What is Parents Gateway? A digital

Invitation to Onboard Parents Gateway Mr Leslie Tan HOD ICT What is Parents Gateway? A digital

Invitation to Onboard Parents Gateway Mr Leslie Tan HOD ICT What is Parents Gateway? A digital platform (by MOE and GovTech) to bring greater convenience to parents to perform simple administrative functions and receive relevant information

538 views • 18 slides

More recommend