Presented by:

Peter Czanik

from Balabit

Peter is a system engineer working as community manager at BalaBit, the company behind the syslog-ng logging daemon. He helps distributions to maintain the syslog-ng package, follows bug trackers, helps syslog-ng users, and talks regularly at conferences (SCALE, FOSDEM, Libre Software Meeting, LOADays, etc.). In his limited free time he is interested in non-x86 architectures, and works on one of his PPC or ARM machines.

No video of the event yet, sorry!

Sudo is used by millions to control and log administrator access to systems, but using only the default configuration, there are plenty of blind spots. Using the latest features in sudo lets you watch some functions that previously were blind spots, and you can also control access to them. There were several minor and major changes since the 1.9.0 release that I discussed in my previous FOSDEM talks. Here are the four major new features allowing you to see your blind spots:

  • instead of giving full shell access, you can fine-tune the working directory and chroot settings
  • JSON-formatted logs give you more details on events and are easier to act on
  • relays in sudo_logsrvd make session recording collection more secure and reliable
  • you can log and control sub-commands executed by the command that is run through sudo

Previously, there were quite a few situations where you had to give users full shell access through sudo. Typical examples are when you run a command from a given directory, or run commands in a chroot environment. You can now configure the working directory or the chroot directory and give access only to the command the user really needs.
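As an added illustration (not part of the talk abstract or of the sudo project's documentation), here is a sudoers fragment showing the pattern described above: the old "hand out a shell" rule beside its replacement that pins the working directory and chroot to a single command. The user names, paths and commands are assumptions; the `CWD=` and `CHROOT=` options and the `-D`/`-R` flags are the sudo 1.9.3+ features being described, so check the exact syntax against the sudoers(5) manual of the version you run.

```sudoers
# Added example; users, paths and commands are made up.
# Before: alice needs to build in /srv/app, so she was handed a full root shell.
alice ALL = (root) /bin/bash

# After: only the build command is allowed, and sudo itself changes into the
# working directory and chroot before running it. No shell is ever granted.
alice ALL = (root) CWD=/srv/app CHROOT=/srv/jail /usr/bin/make

# A literal * lets the user pick the directory with `sudo -D <dir>` (or the
# chroot with `sudo -R <dir>`); without CWD=/CHROOT= those flags are refused.
bob   ALL = (root) CWD=* /usr/bin/git
```

Validate a fragment before installing it with `visudo -c -f <file>`; a user then runs, for example, `sudo /usr/bin/make` and sudo performs the chdir and chroot, so the user never needs an interactive shell to get into the right place.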

Logging is one of the main roles of sudo, to see who did what on the system. Using JSON-formatted log messages gives you even more information about events. Also, structured logs are easier to act on. Setting up alerting for suspicious events is much easier when you have a single parser to configure for any kind of sudo logs. You can collect sudo logs not only by local syslog, but also by using sudo_logsrvd, the same application used to collect session recordings.

Speaking of session recordings: instead of using a single central server, you can now have multiple levels of sudo_logsrvd relays between the client and the final destination. This allows session collection even if the central server is unavailable, providing you with additional security. It also makes your network configuration simpler.
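An added configuration sketch of the relay layout described above; it is not from the talk and not copied from the sudo project. The host names, ports and directories are assumptions, and the `[relay]` section keys are from my reading of sudo_logsrvd.conf(5) for sudo 1.9.7 and later, so confirm them against your installed manual before relying on them.

```ini
# /etc/sudo_logsrvd.conf on the intermediate relay host (added example).
# The relay accepts connections from clients on the default port 30344 and
# forwards everything to the final collector instead of storing it itself.
[relay]
relay_host = collector.example.internal:30344
# Spool to local disk first so a client is never blocked when the collector
# is unreachable; the relay retries in the background.
store_first = true
relay_dir = /var/log/sudo_logsrvd/relay

# On each client, sudoers points at the nearest relay rather than the
# central server, so only the relay needs a route to the collector:
#   Defaults log_servers = relay.site-a.example.internal:30344
```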

Finally, you can log sub-commands executed from the command issued through sudo. You can see commands started from a shell. No more unnoticed shell access from text editors. And, best of all: you can also intercept sub-commands.
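To make the "single parser, easy alerting" point from the logging section concrete, and to show what sub-command logging gives a defender, here is an added Python example (not code from the talk or from sudo itself). It parses JSON-formatted sudo log lines and raises two kinds of alerts: a rejected command (what `intercept` produces when a sub-command is denied) and a shell being started under sudo, which is exactly the editor-to-shell escape the author mentions. The four log lines are constructed to approximate sudo's `log_format=json` layout (one top-level key naming the event, with `submituser`, `runuser`, `command` and `runargv` fields); the field names are an assumption to check against sudoers(5), and the UUIDs, users and commands are made up.

```python
import json
import os
from collections import Counter

# Constructed sample input approximating sudo's JSON log records.
# Field names assumed from sudoers(5); uuids, users and commands are made up.
SAMPLE_LOG = r'''
{"accept":{"uuid":"uuid-0001","submituser":"alice","runuser":"root","command":"/usr/bin/vim","runargv":["vim","/etc/hosts"],"submitcwd":"/home/alice","ttyname":"/dev/pts/0"}}
{"accept":{"uuid":"uuid-0002","submituser":"alice","runuser":"root","command":"/bin/bash","runargv":["bash"],"submitcwd":"/home/alice","ttyname":"/dev/pts/0"}}
{"reject":{"uuid":"uuid-0003","submituser":"alice","runuser":"root","command":"/bin/sh","runargv":["sh","-c","id"],"reason":"command not allowed","submitcwd":"/etc","ttyname":"/dev/pts/0"}}
{"accept":{"uuid":"uuid-0004","submituser":"bob","runuser":"root","command":"/usr/bin/systemctl","runargv":["systemctl","restart","nginx"],"submitcwd":"/home/bob","ttyname":"/dev/pts/1"}}
'''

# Interpreters whose appearance as an accepted command means someone obtained
# an interactive shell (directly, or spawned from an editor via log_subcmds).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def parse_sudo_json(text):
    """Return a list of (event_type, fields) tuples, one per log line.

    Each sudo JSON record is an object with exactly one top-level key
    (accept, reject, alert, exit, ...) whose value holds the event fields.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if len(record) != 1:
            raise ValueError("unexpected record shape: %r" % line)
        (event_type, fields), = record.items()
        events.append((event_type, fields))
    return events


def find_alerts(events):
    """Apply two simple rules and return the matching alerts in log order."""
    alerts = []
    for event_type, f in events:
        basename = os.path.basename(f.get("command", ""))
        who = "%s->%s" % (f.get("submituser", "?"), f.get("runuser", "?"))
        if event_type == "reject":
            # A denied command; with intercept this is a blocked sub-command.
            alerts.append({"rule": "rejected", "who": who,
                           "command": f.get("command"),
                           "reason": f.get("reason")})
        elif event_type == "accept" and basename in SHELLS:
            # Interactive shell obtained through sudo: review the session.
            alerts.append({"rule": "shell-spawned", "who": who,
                           "command": f.get("command"), "reason": None})
    return alerts


def accepted_per_user(events):
    """Count accepted commands per submitting user, a cheap baseline for
    spotting a user whose privileged command volume suddenly changes."""
    return Counter(f.get("submituser") for t, f in events if t == "accept")


if __name__ == "__main__":
    evs = parse_sudo_json(SAMPLE_LOG)
    for alert in find_alerts(evs):
        print("%-14s %-12s %s %s" % (alert["rule"], alert["who"],
                                     alert["command"], alert["reason"] or ""))
    print(dict(accepted_per_user(evs)))
```

In production the same functions would read the file written by `log_format=json` (or the stream delivered by sudo_logsrvd) instead of the embedded sample; the point is that one parser covers accepted commands, rejected sub-commands and shells alike, so an alerting rule is a few lines rather than a collection of regular expressions over free-form text.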

Date:
2022 June 3 - 16:45
Duration:
40 min
Room:
Saal
Language:
English
Track:
New Technologies
Difficulty:
Medium
