Sudo
GitHub Blog Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

What is coming in sudo 1.9.8?

Sudo development is at version 1.9.8 beta 3. There are two major new features: sudo can intercept sub-commands and log sub-commands. In this quick teaser I introduce you to log_subcmds. I hope it is interesting enough for you to test it out and provide feedback.

So, what is log_subcmds good for? There are many UNIX tools that can spawn external applications. You only see vi in the logs, but can you be sure without session recording that your admin only edits what he is supposed to? With log_subcmds you can see all the commands started from an application run through sudo. Or you can see all the commands started from a shell, even without session recording.

Before you begin

This is a beta release. As usual, nobody can guarantee that it does not eat your machine for breakfast. However, it works fine in my test environment: I run it on my primary work laptop.

With a bit of luck you can find ready to use binary packages for your operating system on the sudo website. If not, installing sudo from source is usually not too difficult. You can find information about new features, references to source and development packages at https://www.sudo.ws/dist/beta/packages/index.html.

Personally I went a third route: I built packages myself for openSUSE: https://build.opensuse.org/package/show/home:czanik:branches:Base:System/sudo. If you read this blog after the 1.9.8 release, this repository may already have been removed. Compared to the 1.9.7 package there was a single line added to the spec file:

%{_libexecdir}/%{name}/%{name}/sudo_intercept.so

Configuring sudo

To configure sudo for sub-command logging all you have to do is to start visudo and add the following line to the sudoers file:

Defaults log_subcmds

Save your configuration and you are ready to go. If you do not just grep your log messages but actually store them no a NoSQL database or a cloud logging as a service provider, you might want to configure JSON formatted logging as well. Logs will be less human readable, however they will contain more information. This requires an extra line in sudoers:

Defaults log_format=json

Testing

First test without enabling sub-command logging. I used my favorite text editor, joe to edit a file through sudo and then started a shell. This is what I see on my screen while running a shell from within joe:

    I    Unnamed (Modified)                                    Row 14   Col 1   
czplaptop:/home/czanik # id
uid=0(root) gid=0(root) groups=0(root)
czplaptop:/home/czanik # ls /usr/share/syslog-ng/include/scl/
apache                   ewmm          logmatic  snmptrap
cee                      fortigate     mbox      solaris
checkpoint               graphite      netskope  sudo
cim                      graylog2      nodejs    sumologic
cisco                    iptables      osquery   syslogconf
collectd                 junos         pacct     system
default-network-drivers  linux-audit   paloalto  telegram
discord                  loadbalancer  rewrite   websense
elasticsearch            loggly        slack     windowseventlog
czplaptop:/home/czanik # exit

And this is what I found in the logs.

Aug 30 13:03:00 czplaptop sudo[10150]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/joe

And here is what you see in the logs when you enable logging sub-commands in sudoers (still without JSON formatting) and doing exactly the same as previously:

Aug 30 13:13:14 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/joe
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/sh -c /bin/bash
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/bash
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/readlink /proc/10889/exe
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/dircolors -b /etc/DIR_COLORS
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput hs
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput -T dumb+sl hs
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput bold
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput setaf 1
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tput sgr0
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/sbin/ip --color=auto -V
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/readlink /proc/10889/exe
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tty
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/uname -m
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/uname -n
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/bin/uname -m
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/manpath -q
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/flatpak --installations
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/cat /etc/sysconfig/mpi-selector
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/sed -r s@/*:|([^\\]):@\1\n@g;H;x;s@/\n@\n@
Aug 30 13:13:37 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/tty
Aug 30 13:13:42 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/id
Aug 30 13:13:56 czplaptop sudo[10874]:   czanik : TTY=pts/1 ; PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/ls -A -N --color=none -T 0 /usr/share/syslog-ng/include/scl/

The two sessions were exactly the same, but from the logs of the second session we can see that a lot more is going on. At first it might be scary, but most of the lines are just commands running from the bash profile, except for the last two.

Enabling JSON formatting gives you additional information in the logs. Here I show a single log message: JSON formatted logs would fill many pages :-)

Aug 30 13:29:28 czplaptop sudo[11740]: @cee:{"sudo":{"accept":{"uuid":"18f25b2438-0c44-ddaf-a264-c70998d319","server_time":{"seconds":1630322968,"nanoseconds":124534283,"iso8601":"20210830112928Z","localtime":"Aug 30 11:29:28"},"submit_time":{"seconds":1630322965,"nanoseconds":357407987,"iso8601":"20210830112925Z","localtime":"Aug 30 11:29:25"},"submituser":"czanik","command":"/usr/bin/joe","runuser":"root","runcwd":"/home/czanik","ttyname":"/dev/pts/1","submithost":"czplaptop","submitcwd":"/home/czanik","runuid":0,"columns":80,"lines":24,"runargv":["joe","/etc/issue"],"runenv":["LANG=en_US.UTF-8","COLORTERM=truecolor","TERM=xterm-256color","MAIL=/var/mail/root","PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin","LOGNAME=root","USER=root","HOME=/root","SHELL=/bin/bash","SUDO_COMMAND=/usr/bin/joe /etc/issue","SUDO_USER=czanik","SUDO_UID=1000","SUDO_GID=100"]}}}

What is next?

You learned the advantages of logging sub-commands. Read the docs to learn about command interception. If you run into any problems, report them to the sudo-workers mailing list.

If you would like to be notified about new posts and sudo news, sign up for the sudo blog announcement mailing list.