Hi, everyone. Please welcome, here at the last talk of the security devroom at FOSDEM, Peter Czanik. Is it okay? With that, let's start: what you most likely did not know about sudo.

Hi, good evening, can you hear me? Okay. So first let me give you a quick overview of what I will be talking about. I will try to define what sudo is, even if most of you use it all the time. Then I will give a quick overview of interesting features of sudo, from aliases to plugins. And finally I will show you what is coming up in sudo 1.9. A beta is already available for this.

So what is sudo? I didn't know much about sudo, just like everyone else, up until about a year ago, when I learned that Todd Miller, maintainer of sudo, became my colleague through an acquisition. So I started to learn about it, and I was quite surprised how much it knows. Then I started to ask people at conferences and different events what they know about sudo, and I got quite interesting answers. Most of the people answered that it's a tool to complicate life: well, you have the root user, so why not log in as root, or why not use su? It's a valid answer, especially from desktop users. But even the most seasoned administrators often answer that, well, it's a prefix for every administrative command, and only a few answered that you can see who did what, or mentioned even more advanced features.

So what is sudo, at least according to the sudo website?
It allows system administrators to delegate authority by giving certain users the ability to run some commands as root or another user, while providing an audit trail of the commands and their arguments. So it's a lot more than just a prefix: you can hand out permissions, fine-tune them, and a lot more, as you will see soon. It can even help you to get a sandwich, as in the xkcd comic.

So if you take a look at the basic sudoers file, you will see a line like this, saying that members of the wheel group can do practically everything. The columns in this case are who, where, as which user, and which command can be executed. Of course it's pretty good as a basic configuration, as at least you see in your log messages who is doing what, but most of you will also want to limit what your users can do. Once you have more users, more commands to limit and so on, then you will start to create lists, and you can replace any of these columns with lists: a list of users, a list of hosts and so on. But after a while it's getting a bit difficult to maintain, and this is where aliases come in handy. Using aliases you can replace lists with aliases, which can simplify your configuration and make it a lot less error-prone. Just think about what happens when you remove a user from most places but not everywhere; if you have a single list to maintain, then it's a lot easier. So here are some examples: a host alias with web servers, a user alias with administrators, and a command alias to reboot your system.

sudo comes with a huge list of defaults. You can change them with the Defaults setting in your sudoers file. Here are some examples to override which path is considered secure, which environment variables to keep, or if you want to insult your users. Actually, this line here means that it's disabled for users, but you can be a lot more specific in your configuration: in this case insults are enabled only for the wheel group.

So what are insults? Seasoned sysadmins know it; remember this, even if it's not the default setting anymore: if you mistype your password, sudo can print some funny messages. Even myself, I just laughed at it, but some people are more sensitive, and as these messages are not always politically correct, they are disabled now by default.

Digest verification: you can store digests of applications in the sudoers file, meaning that any time you start a command, sudo compares the stored version with the freshly calculated version of the digest, and can prevent modified binaries from running. Maintaining this in the sudoers file can be quite painful, I think; on the other hand, it gives you an additional layer of protection.

Another lesser-known feature is session recording: anything happening on your screen, you can record it. Actually, it's called iolog, as input and output can be recorded as well, and of course it can also play it back, just like a movie. So even if you have to hand out shell access to your users, you can see what is happening, which commands were executed. These recordings are difficult to modify, unlike syslog messages, as they are not stored as clear text. On the other hand, if a user has too much permission, they are easy to delete, as right now
they are only saved locally, but stay tuned.

Starting with version 1.8, sudo is based on a plugin architecture, which means that even the most basic features of sudo are implemented as plugins, and you can extend or replace sudo functionality with your own code. There are both open source and commercial plugins available for sudo. Here I want to show you just one from the many: it's called sudo_pair, which can make sure that no user can enter commands on their own; there needs to be another user who approves the commands, and the approver can watch in a terminal what is happening and terminate the session if something suspicious is on the screen. On the other hand, this plugin is developed in Rust, which is kind of difficult to package. So it's difficult, but I have it here, so let's see how it works.

When I enter my password, it prints the sudo approve command and two numbers. The numbers are a user ID and a process ID, and the approver in the left-hand side terminal needs to enter these numbers. So let's see. This time I decided to reject it, and no harm was done. Oops, sorry, so this is what I wanted to show. So let's go back to the approved situation. Yes. So let's do something: list, and then enter a nice command on the right-hand side; on the left-hand side is the administrator who approves and follows this session.
Oh, that's something I don't want to happen. So, quickly, it's Control-D on the left-hand side, and when the poor guy on the right-hand side tries to erase my laptop, well, I hit enter but nothing happened; he was kicked out. So let's go back to my talk, and my laptop is not erased.

A bit about configuring sudo. The configuration is stored in /etc/sudoers, and you should not edit it directly but use visudo, as it does syntax checking. If you don't have vi, you can easily replace the editor using the EDITOR environment variable. When you are experimenting with sudo, learning how to configure it, make sure that you know the root password. Yes, even on Ubuntu. It's quite easy to create a config which is syntactically correct, but when you save it you are not able to do anything anymore. The configuration itself is read from top to bottom, so you should start with generic settings and add the exceptions at the end.

Here is a typical sudoers configuration; I just removed the comments from it. It's from CentOS. You see that lots of defaults are changed, then the usual root and the wheel group can do everything, and then here we change a few things: first we enable insults for the wheel group but disable them for everyone else, and log_output means that we do session recording. There was a common mistake in the previous configuration. What is it? What do you think? Yes, you should switch the two lines, as this way you enable insults for the wheel group but then disable them for everybody.
So it's not what you wanted to do.

Obviously, when you have more than one machine, you want to do some central management of your sudoers configuration. Puppet, Ansible, Chef, Salt, whatever: all have some support for sudo configuration, but all have some kind of limitation, like the configurations are not updated in real time; if your users have shell access they can edit the sudoers file, so users can modify the settings locally; and often they don't do proper error checking, which means that you can easily lock yourself out. There is another possibility for central management of sudo: you can store the configuration in LDAP, which has the advantage that the configuration propagates in real time and it cannot be modified locally, as it is stored remotely on a server. On the other hand, it has quite a few limitations, like you cannot use aliases, and if your LDAP server is inaccessible then you cannot use sudo. So it's up to you what you use.

An important but often overlooked feature of sudo is logging and alerting. sudo itself can create email alerts based on the configuration, when you want to receive alerts, and it logs all events to syslog. Just make sure that your syslog messages are collected centrally.
Otherwise, it's easy to delete them. If you are using syslog-ng for collecting sudo log messages, then sudo logs are parsed automatically, so it's very easy to create alerts based on sudo messages and send them to Slack or Splunk or many other cloud services. If you are lucky, then you will never have to use debug logs, as these are used to debug sudo rules or to report problems.

A few words about syslog-ng, as I'm coming from the syslog-ng team. It's a logging daemon with a focus on portability and high-performance central log collection. My initial advice when it comes to configuring it: don't panic. It's simple and logical, even if it looks difficult at first sight, and often at the second time as well. It has a pipeline model with many different building blocks: sources, destinations, filters and so on, and all of these can be connected together into a pipeline using log statements. Here, just to scare you, is a very simple configuration which is generic for local log messages. The configuration starts with a version number; you can have comments in it, have some global options, and here we have the building blocks I mentioned: a source, a destination and a filter, and finally a log statement which connects these together.
Now to the sudo bits. Here is a filter to filter on sudo messages, a destination to store in JSON format so you can see all of the fields parsed from log messages, and a destination to send log messages to Slack. It's pretty easy: practically, you need to know only a URL, and that's all. Here is the heart of the configuration. I mentioned that sudo logs are automatically parsed by syslog-ng, so there is no parser in this configuration, but in the log statement you see the source, the sudo filter, and if my username appears in the SUBJECT field of the log, then the log is sent to Slack. And here you can see a nice screenshot: any sudo commands executed by me are visible here, so you can follow in real time what is done by your users.

So what is coming to sudo 1.9? It's still under development, but some of the features are already ready for testing. The first one is the recording service. The audit plugin: using the audit plugin you will be able to get any log messages out from sudo, but it's not a user-visible feature, rather something you can use from your own plugins, from Python or C. The approval plugin framework is something similar to what you have seen in the sudo_pair demo: you will be able to approve sessions from within sudo without any external applications. And my absolute favorite is that you can extend sudo with Python scripts.

So what is the recording service? I mentioned that if a log is stored locally and you give too much permission to your users, then they can delete their log messages, but not with the recording service, as anything happening on the terminal is streamed in real time and securely to the recording service. It's convenient, as you have a single place to view all of your sudo sessions. It's also availability, as even when the sending machine is down,
you can check what happened there, and it's also security, as users cannot delete their traces.

Python support means that you can extend sudo using Python. The plugin embeds a Python interpreter. It is using the same API as the C-based plugins; you can see the URL to the documentation. The difference is that with the C-based plugins you need a development environment, and it's quite difficult to package and distribute them. If you write Python code, you can easily distribute that code, even with your configuration management system, and there is no need for a development environment, compilation or whatever. Let me give you a quick demo of this. Here on the left-hand side you can see very simple Python code which practically checks... It's based on the iolog, or session recording, part, so it receives everything that is happening on screen, and you can match if "my secret" appears on screen and break the session if it appears on the screen. And here, under the root directory, I have a directory called "do not enter", and under that I have a directory called "my secret". Let's see what happens if I, on the right-hand side, now start sudo, change to the root directory, list it. Oh, there is a "do not enter" directory. It's definitely interesting, and... Sorry.

So as you could see, sudo is not just a prefix but a lot more. 1.8 had fine-tuned permissions, lots of fine-tuning possibilities, session recording, LDAP-based configuration and plugin support, and 1.9 will extend it a lot more with new APIs, such as central session recording and the Python plugin. Do you have any questions?
Hi. Why, on some setups, like for example standard Ubuntu on AWS, whenever you do a sudo, does it have to resolve your hostname, and if it doesn't match, it has to wait for the timeout?

Let's come back somewhere here, at the very beginning. All rules, or at least most of the rules, have a hostname check in them; even if it's ALL, it means that it's checking some hostname.

Could it not check if it's ALL?

There might be an option for it. Actually, I never had to use it, but I can check it for you.

Thank you.

And if it's not there, I will open a feature request, and it will be implemented. You're welcome.
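The "switch the two lines" point from the talk, as an added example that is not code from the talk or from sudo itself: a small Python model of how sudo applies Defaults entries top to bottom, with the last matching entry winning, which is the behaviour the speaker describes for generic and user/group Defaults. The model covers only generic (`Defaults`) and user/group (`Defaults:user`, `Defaults:%group`) entries with boolean flags; host, runas and command Defaults, lists and value assignments are ignored, so it illustrates the ordering rule and is not a sudoers validator. The two sudoers fragments and the user and group names are constructed.

```python
"""
Simplified model of how sudo applies Defaults entries, to illustrate why the
order of Defaults lines matters (added example; this is not sudo's own code).

Only generic (`Defaults ...`) and user/group (`Defaults:user ...`,
`Defaults:%group ...`) entries carrying boolean flags are modelled. Host,
runas and command Defaults, lists and value assignments are skipped.
"""
import re
from typing import Iterable, List, Tuple

# Defaults[:user|%group]  flag[,flag...]   (a flag may be negated with '!')
_DEFAULTS_RE = re.compile(r"^\s*Defaults(?::(\S+))?\s+(.+?)\s*$")


def parse_defaults(sudoers_text: str) -> List[Tuple[str, List[Tuple[str, bool]]]]:
    """Return [(target, [(flag, enabled), ...]), ...] in file order.

    target is "" for generic Defaults, "name" for a user, "%name" for a group.
    Comments, rules and alias lines are not Defaults entries and are skipped.
    """
    entries = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comment
        m = _DEFAULTS_RE.match(line)
        if not m:
            continue
        target = m.group(1) or ""
        flags = []
        for item in m.group(2).split(","):
            item = item.strip()
            if not item or "=" in item:     # value assignments are not modelled
                continue
            if item.startswith("!"):
                flags.append((item[1:], False))
            else:
                flags.append((item, True))
        entries.append((target, flags))
    return entries


def effective_flag(sudoers_text: str, flag: str, user: str,
                   groups: Iterable[str], builtin: bool = False) -> bool:
    """Evaluate a boolean Defaults flag for `user`, a member of `groups`.

    Entries are applied top to bottom and the last matching entry wins, as the
    talk describes. `builtin` is sudo's compiled-in value for the flag
    (insults is off by default in current sudo releases).
    """
    value = builtin
    member_of = set(groups)
    for target, flags in parse_defaults(sudoers_text):
        if target == "":
            applies = True                       # generic Defaults: everyone
        elif target.startswith("%"):
            applies = target[1:] in member_of    # Defaults:%group
        else:
            applies = target == user             # Defaults:user
        if not applies:
            continue
        for name, enabled in flags:
            if name == flag:
                value = enabled
    return value


# Constructed sudoers fragments (not a real system's file) mirroring the two
# orderings discussed in the talk: the exception before the generic line, and
# the generic line before the exception.
MISTAKEN = """
root    ALL=(ALL)   ALL
%wheel  ALL=(ALL)   ALL
Defaults:%wheel insults
Defaults !insults
"""

INTENDED = """
root    ALL=(ALL)   ALL
%wheel  ALL=(ALL)   ALL
Defaults !insults
Defaults:%wheel insults
"""


def insults_for(sudoers_text: str, user: str, groups: Iterable[str]) -> bool:
    """Whether `user` would get insults under the given sudoers text."""
    return effective_flag(sudoers_text, "insults", user, groups)


if __name__ == "__main__":
    for label, text in (("mistaken", MISTAKEN), ("intended", INTENDED)):
        print(label, "- wheel member:", insults_for(text, "alice", ["wheel"]),
              "| other user:", insults_for(text, "bob", ["users"]))
```

With the MISTAKEN fragment the generic `Defaults !insults` comes last and matches everyone, so the wheel member ends up without insults too; with INTENDED the generic line comes first and the group exception after it, which is the "generic settings first, exceptions at the end" rule from the talk. Before installing a real file, still run `visudo -c -f FILE`, since this model checks ordering only, not syntax.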
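The alerting pipeline the talk describes with syslog-ng (sudo messages parsed into fields, a filter on the SUBJECT user, a Slack notification) re-created as an added Python example so it can be run without syslog-ng. This is not syslog-ng's sudo parser and not code from the talk; the log lines are constructed, and the field names SUBJECT, REASON, HOST and TIMESTAMP are this example's own choice alongside the TTY, PWD, USER, TSID and COMMAND keys that sudo writes itself. The `{"text": ...}` body is what a Slack incoming webhook accepts; the example builds it but does not send it. It goes slightly beyond the talk's filter by also alerting on denials and failed password attempts for every user, not only on commands by the watched user.

```python
"""
Parse sudo's syslog messages and turn selected ones into Slack alert payloads
(added example, not syslog-ng's sudo parser and not code from the talk).

Assumptions: classic syslog line prefix ("Mon DD HH:MM:SS host sudo:") and
sudo's default message shape
    user : [reason ;] TTY=... ; PWD=... ; USER=... [; TSID=...] ; COMMAND=...
"""
import json
import re
from typing import Dict, Iterable, List, Optional

_LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+sudo(?:\[\d+\])?:\s+"
    r"(?P<subject>\S+) : (?P<rest>.*)$"
)


def parse_sudo_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a sudo syslog line, or None for any other line.

    Keys follow sudo's own names (TTY, PWD, USER, TSID, COMMAND) plus SUBJECT
    for the invoking user and REASON for denials and failed passwords.
    """
    m = _LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = {"TIMESTAMP": m.group("timestamp"), "HOST": m.group("host"),
              "SUBJECT": m.group("subject")}
    segments = m.group("rest").split(" ; ")
    for i, seg in enumerate(segments):
        key, sep, value = seg.partition("=")
        if not sep:
            # Free text such as "3 incorrect password attempts" or
            # "command not allowed" precedes the key=value fields.
            fields["REASON"] = seg
            continue
        if key == "COMMAND":
            # The command line may itself contain " ; "; keep the rest whole.
            fields["COMMAND"] = " ; ".join([value] + segments[i + 1:])
            break
        fields[key] = value
    return fields


def should_alert(fields: Dict[str, str], watched_users: Iterable[str]) -> bool:
    """Alert on every denial/failed password, and on any command by a watched user."""
    return "REASON" in fields or fields["SUBJECT"] in set(watched_users)


def slack_payload(fields: Dict[str, str]) -> str:
    """Build the JSON body a Slack incoming webhook expects: {"text": "..."}."""
    what = fields.get("REASON", "ran")
    text = (f"sudo on {fields['HOST']}: {fields['SUBJECT']} {what}: "
            f"{fields.get('COMMAND', '?')} as {fields.get('USER', '?')} "
            f"(tty {fields.get('TTY', '?')}, cwd {fields.get('PWD', '?')})")
    if "TSID" in fields:                      # present when log_output records the session
        text += f", session {fields['TSID']}"
    return json.dumps({"text": text})


def alerts_for(lines: Iterable[str], watched_users: Iterable[str]) -> List[str]:
    """Run the pipeline over raw log lines: parse -> filter -> Slack payload."""
    watched = set(watched_users)
    out = []
    for line in lines:
        fields = parse_sudo_line(line)
        if fields is not None and should_alert(fields, watched):
            out.append(slack_payload(fields))
    return out


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    "Feb  1 17:02:11 web1 sudo:   czanik : TTY=pts/0 ; PWD=/home/czanik ; USER=root ; "
    "TSID=000A3B ; COMMAND=/usr/bin/ls /root/do-not-enter",
    "Feb  1 17:02:40 web1 sudo:   czanik : 3 incorrect password attempts ; TTY=pts/0 ; "
    "PWD=/home/czanik ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
    "Feb  1 17:03:05 web1 sudo:     mike : command not allowed ; TTY=pts/1 ; "
    "PWD=/home/mike ; USER=root ; COMMAND=/sbin/reboot",
    "Feb  1 17:03:20 web1 sudo:     mike : TTY=pts/1 ; PWD=/home/mike ; USER=root ; "
    "COMMAND=/usr/bin/systemctl status sshd",
    "Feb  1 17:03:25 web1 sshd[1234]: Accepted publickey for mike from 10.0.0.5 port 51234 ssh2",
]

if __name__ == "__main__":
    for payload in alerts_for(SAMPLE_LOG, watched_users=["czanik"]):
        print(payload)
```

Run as a script it prints three payloads: the watched user's allowed command, the failed password attempts, and mike's denied reboot; mike's allowed `systemctl status` and the sshd line produce nothing. As the talk stresses, this only helps if the lines reach a central collector the user cannot tamper with; the parser is useful either way for building the same kind of filter in whatever collector you run.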