Everyone who is adept in Linux or Unix knows what the sudo command offers when it is in their toolkit. Once you have “sudo rights” as it is normally called, then you can roll and roll and brandish the big guns. You can issue all commands, shoot all the bullets and unsheath all Linux/Unix swords just like the system administrator. With great power that this simple command proffers, One Identity, the company working tirelessly to improve the utility has come up with sudo version 1.9 with improved logging, auditing, risk-awareness, and revved up security.
Thanks to One Identity, sudo has the following new features:
1. An included logging daemon sudo_logsrvd
This logging daemon can be used to implement centralized logging of input/output logs. This is a gold-mine for enterprises especially. With centralised logging, it is now easier to visualize what is taking place in your server as far as the usage of sudo is concerned.
2. Support for TLS
The sending of logs to a centralized server can now be done over a secured TLS channel which improves security. This feature is activated when sudo is configured with the –enable-openssl option.
The new sudo_sendlog utility can be used to test sudo_logsrvd or send existing sudo I/O logs to a centralized server.
3. Supports an audit plugin type.
From the documentation, an audit plugin receives accept, reject, exit and error messages and can be used to implement custom logging that is independent of the underlying security policy. Nevertheless, third-party plugins can be created and used with this feature to for example view detailed information about sudo sessions and benchmark them against policies within an organization. This will aid in the implementation of best practices with rich auditing available.
4. Supports an approval plugin type.
In case you had ever wished that certain commands done with sudo would be better executed after being authorized by and administrator, then you are lucky. You can now write custom plugins that you can use with this approval plugin such that authorization has to be granted before certain commands are executed or not. From the documentation, an approval plugin is run only after the main security policy (such as sudoers) accepts a command to be run. The approval policy may perform additional checks, potentially interacting with the user. Multiple approval plugins may be specified in the sudo.conf file. Only if all approval plugins succeed will the command be allowed.
5. New Python support
Python support means that you can extend sudo using the same APIs but write plugins in Python instead of C when sudo is configured with the –enable-python option.
6. New PAM Session settings
The new pam_ruser and pam_rhost sudoers settings can be used to enable or disable setting the PAM remote user and/or host values during PAM session setup.
sudo and sudo_logsrvd now create an extended input/output log info file in JSON format that contains additional information about the command that was run, such as the environemt in which it was issued (hostname).
7. Sudoreplay utility can now match on a host name in list mode.
sudoreplay utility is used to play back or list the output logs created by sudo. When replaying, sudoreplay can play the session back in real-time. The list output now also includes the host name if one is present in the log file.
8. Bug fixes
As it can be anticipated with new software releases, there are bug fixes in then new sudo release. Some of the fixes inlcude:
- Fixed test failure in the strsig_test on FreeBSD
- For sudo -i, if the target user’s home directory does not exist, sudo will now warn about the problem but run the command in the current working directory. Previously, this was a fatal error.
- And others.
Reference: https://www.sudo.ws/stable.html#1.9.0
The new sudo is simply impressive. Taking into consideration that it can be used with resultant fatalities in the wrong hands, the new features are a big boost to the safety of your systems and the entire organization depending on them. In order to mitigate bad experiences with awful sudo usages in the past, update your systems to get the new version and configure it to suit your specific requirements. The features above present major changes and there are others that have not been covered therein. For a fully comprehensive list of changes, visit sudo release page to find out more.
Other people read the following:
Protecting Your Online Business in 2019
