What is coming in sudo 1.9.8?
Sudo development is at version 1.9.8 beta 3. There are two major new features: sudo can intercept sub-commands and log sub-commands. In this quick teaser I introduce you to log_subcmds. I hope it is interesting enough for you to test it out and provide feedback.
So, what is log_subcmds good for? There are many UNIX tools that can spawn external applications. You only see vi in the logs, but can you be sure without session recording that your admin only edits what he is supposed to? With log_subcmds you can see all the commands started from an application run through sudo. Or you can see all the commands started from a shell, even without session recording.
This is a beta release. As usual, nobody can guarantee that it does not eat your machine for breakfast. However, it works fine in my test environment: I run it on my primary work laptop.
With a bit of luck you can find ready to use binary packages for your operating system on the sudo website. If not, installing sudo from source is usually not too difficult. You can find information about new features, references to source and development packages at https://www.sudo.ws/dist/beta/packages/index.html.
Personally I went a third route: I built packages myself for openSUSE: https://build.opensuse.org/package/show/home:czanik:branches:Base:System/sudo. If you read this blog after the 1.9.8 release, this repository may already have been removed. Compared to the 1.9.7 package there was a single line added to the spec file:
%{_libexecdir}/%{name}/%{name}/sudo_intercept.so
To configure sudo for sub-command logging all you have to do is to start visudo and add the following line to the sudoers file:
Defaults log_subcmds
Save your configuration and you are ready to go. If you do not just grep your log messages but actually store them in a NoSQL database or at a cloud logging-as-a-service provider, you might want to configure JSON formatted logging as well. Logs will be less human readable, but they will contain more information. This requires an extra line in sudoers:
Defaults log_format=json
First test without enabling sub-command logging. I used my favorite text editor, joe, to edit a file through sudo and then started a shell. This is what I see on my screen while running a shell from within joe:
I Unnamed (Modified) Row 14 Col 1
czplaptop:/home/czanik # id
uid=0(root) gid=0(root) groups=0(root)
czplaptop:/home/czanik # ls /usr/share/syslog-ng/include/scl/
apache ewmm logmatic snmptrap
cee fortigate mbox solaris
checkpoint graphite netskope sudo
cim graylog2 nodejs sumologic
cisco iptables osquery syslogconf
collectd junos pacct system
default-network-drivers linux-audit paloalto telegram
discord loadbalancer rewrite websense
elasticsearch loggly slack windowseventlog
czplaptop:/home/czanik # exit
And this is what I found in the logs.
Aug 30 13:03:00 czplaptop sudo[10150]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/joe
And here is what you see in the logs when you enable logging sub-commands in sudoers (still without JSON formatting) and doing exactly the same as previously:
Aug 30 13:13:14 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/joe
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/sh -c /bin/bash
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/bash
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/readlink /proc/10889/exe
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/dircolors -b /etc/DIR_COLORS
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput hs
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput -T dumb+sl hs
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput bold
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput setaf 1
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput sgr0
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/sbin/ip --color=auto -V
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/readlink /proc/10889/exe
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tty
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/uname -m
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/uname -n
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/uname -m
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/manpath -q
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/flatpak --installations
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/cat /etc/sysconfig/mpi-selector
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/sed -r s@/*:|([^\\]):@\1\n@g;H;x;s@/\n@\n@
Aug 30 13:13:37 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tty
Aug 30 13:13:42 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/id
Aug 30 13:13:56 czplaptop sudo[10874]: czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/ls -A -N --color=none -T 0 /usr/share/syslog-ng/include/scl/
The two sessions were exactly the same, but from the logs of the second session we can see that a lot more is going on. At first it might be scary, but most of the lines are just commands running from the bash profile, except for the last two.
Enabling JSON formatting gives you additional information in the logs. Here I show a single log message: JSON formatted logs would fill many pages :-)
Aug 30 13:29:28 czplaptop sudo[11740]: @cee:{"sudo":{"accept":{"uuid":"18f25b2438-0c44-ddaf-a264-c70998d319","server_time":{"seconds":1630322968,"nanoseconds":124534283,"iso8601":"20210830112928Z","localtime":"Aug 30 11:29:28"},"submit_time":{"seconds":1630322965,"nanoseconds":357407987,"iso8601":"20210830112925Z","localtime":"Aug 30 11:29:25"},"submituser":"czanik","command":"/usr/bin/joe","runuser":"root","runcwd":"/home/czanik","ttyname":"/dev/pts/1","submithost":"czplaptop","submitcwd":"/home/czanik","runuid":0,"columns":80,"lines":24,"runargv":["joe","/etc/issue"],"runenv":["LANG=en_US.UTF-8","COLORTERM=truecolor","TERM=xterm-256color","MAIL=/var/mail/root","PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin","LOGNAME=root","USER=root","HOME=/root","SHELL=/bin/bash","SUDO_COMMAND=/usr/bin/joe /etc/issue","SUDO_USER=czanik","SUDO_UID=1000","SUDO_GID=100"]}}}
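As an added example that is not part of this post or of the sudo project, here is a small Python detector that reads both log formats shown above (the classic "user : TTY=... ; COMMAND=..." line and the @cee: JSON record), groups records by the sudo[pid] that, as the logs above show, stays the same for every sub-command of one sudo invocation, and flags a shell launched by a non-shell parent, which is the editor-spawns-a-shell case from the beginning of the post. Host names, user names and log lines below are constructed for the example.

```python
import json
import re

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}  # flagged when spawned by a non-shell parent
LINE_RE = re.compile(r"sudo\[(?P<pid>\d+)\]: (?P<rest>.*)$")

# Constructed sample lines modelled on the two sudo log formats shown in the post.
SAMPLE_LOG = """\
Aug 30 13:13:14 host sudo[20001]: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/joe
Aug 30 13:13:37 host sudo[20001]: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh -c /bin/bash
Aug 30 13:13:37 host sudo[20001]: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tput bold
Aug 30 13:29:28 host sudo[20003]: @cee:{"sudo":{"accept":{"submituser":"carol","command":"/usr/bin/vi","runuser":"root","runargv":["vi","/etc/hosts"]}}}
Aug 30 13:29:40 host sudo[20003]: @cee:{"sudo":{"accept":{"submituser":"carol","command":"/bin/bash","runuser":"root","runargv":["bash"]}}}
"""

def parse_line(line):
    """Normalise one sudo syslog line (plain or @cee JSON) to a dict, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pid, rest = int(m.group("pid")), m.group("rest")
    if rest.startswith("@cee:"):  # log_format=json: a JSON object follows the @cee: cookie
        accept = json.loads(rest[len("@cee:"):]).get("sudo", {}).get("accept")
        if not accept:
            return None  # reject/alert records are not command executions
        return {"pid": pid, "submituser": accept["submituser"], "command": accept["command"]}
    submituser, _, fields = rest.partition(" : ")  # plain format: "user : K=V ; K=V ; ..."
    kv = dict(f.partition("=")[::2] for f in fields.split(" ; ") if "=" in f)
    if "COMMAND" not in kv:
        return None
    return {"pid": pid, "submituser": submituser, "command": kv["COMMAND"]}

def basename_of(command):
    return command.split()[0].rsplit("/", 1)[-1]  # COMMAND starts with the executable path

def shell_escapes(log_text):
    """The first record per sudo pid is the parent command, later ones are its sub-commands.
    Return (submituser, parent, child) for every shell child of a non-shell parent."""
    parents, alerts = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["pid"] not in parents:
            parents[rec["pid"]] = rec["command"]  # first record seen for this pid
            continue
        parent = parents[rec["pid"]]
        if basename_of(rec["command"]) in SHELLS and basename_of(parent) not in SHELLS:
            alerts.append((rec["submituser"], parent, rec["command"]))
    return alerts
```

Shells started from a shell parent (for example an interactive sudo -i session) are deliberately not flagged, so the detector reports the editor-to-shell transition rather than every shell the admin opens.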
You learned the advantages of logging sub-commands. Read the docs to learn about command interception. If you run into any problems, report them to the sudo-workers mailing list.
If you would like to be notified about new posts and sudo news, sign up for the sudo blog announcement mailing list.