What you most likely did not know about sudo…
Formal Metadata
Number of Parts | 490
License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/47359 (DOI)
Transcript: English (auto-generated)
00:06
Hi, everyone. Welcome to the last talk of the Security Dev Room at this FOSDEM conference. And please give a warm applause to Peter Czanik.
00:23
Is it OK? With this talk, what you most likely did not know about sudo. Hi, good evening. Can you hear me? OK. So first, let me give you a quick overview
00:40
of what I will be talking about. I will try to define what is sudo, even if most of you use it all the time. Then give a quick overview of interesting features of sudo from aliases to plugins. And finally, I will show you what
01:02
is coming up in sudo 1.9. Beta is already available for this. So what is sudo? I didn't know much about sudo, just like everyone else, up until about a year ago when I learned that Todd Miller, maintainer of sudo,
01:23
became my colleague through an acquisition. So I started to learn about it. And I was quite surprised how much it knows. And then I started to ask people at conferences and different events what they know about sudo. And I got quite interesting answers. Most of the people answered that it's
01:42
a tool to complicate life. And well, you have the root user. So why not log in as root? Or why not use su? So it's a valid answer, especially from desktop users. But even the most seasoned administrators often
02:01
answer that, well, it's a prefix for administrative commands. And only very few answered that you can see who did what or even more advanced features. So what is sudo? At least according to the sudo website,
02:20
it allows system administrators to delegate authority by giving certain users the ability to run some commands as root or another user, while providing an audit trail of the commands and their arguments. So a lot more than just a prefix. You can hand out permissions, pretty much fine-tuned,
02:43
and a lot more, as you will see soon. It can even help you to get a sandwich if we can do XKCD. So if you take a look at a basic sudoers file, you will see a line like this that members of the wheel group
03:05
can do practically everything. The columns in this case are who, where, as which user, and which command can be executed. Of course, it's pretty good as a basic configuration,
03:22
as at least you see in your log messages who is doing what. But most likely, you will also want to limit your users, what they can do. And once you have more users, more commands to limit, and so on, then you will start to create lists.
03:44
And you can replace any of these columns with a list of users, a list of hosts, and so on. But after a while, it's getting a bit difficult to maintain. And this is where aliases come handy. Using aliases, you can replace lists
04:02
with aliases, which can simplify your configuration and make it a lot less error prone. Just think about what happens when you remove a user from most places, but not everywhere. If you have a single list to maintain, then it's a lot more easy.
04:22
So here are some examples: a host alias with web servers, a user alias with administrators, and a command alias to limit your system. sudo comes with a huge list of defaults.
04:42
You can change it with the Defaults setting in your configuration, in your sudoers file. Here are some examples to override which path is considered secure, which environment variables to keep,
05:01
or if you want to insult your users. Actually, this line here means that it's disabled for users. But you can be a lot more specific in your configuration. In this case, insults is enabled only for the wheel group.
05:22
So what are insults? See that this means, remember this, even if it's not the default setting anymore. If you mistype your password, sudo can print some funny messages. But even myself, I just laugh on it,
05:42
but some people are more sensitive, and as these messages are not always politically correct, these are disabled now by default. Digest verification. You can store digests of applications in the sudoers file,
06:03
meaning that any time you start a command, sudo compares the stored version with the freshly calculated version of the digest, and can prevent modified binaries from running. Maintaining this in the sudoers file can be quite painful, I think.
06:23
On the other hand, it gives you an additional layer of protection. Another lesser known feature is session recording. Anything happening on your screen, you can record it. Actually, it's called I/O log,
06:41
input and output can record it as well. And of course, it can also play it back, just like a movie. So even if you have to hand out shell access to your users, you can see what is happening, which commands were executed. These recordings are difficult to modify,
07:02
unlike syslog messages, they are not stored as clear text. On the other hand, if a user has too much permission, they are easy to delete. As right now, they are only saved locally. But stay tuned.
07:21
Starting with version 1.8 of sudo, it's based on a plugin-based architecture, which means that even the most basic features of sudo are implemented as plugins. And you can extend or replace
07:41
sudo functionality with your own code. There are both open source and commercial plugins available for sudo. Here, I want to show you just one from the many, it's called sudo pair, which can make sure that no user
08:01
can enter commands on their own. There needs to be another user who approves the commands. And the approver can watch in a terminal what is happening and terminate the session
08:20
if something suspicious appears on the screen. On the other hand, this plugin is developed in Rust, which is kind of difficult to package, so it's difficult. But I have it here, so let's see how it works.
08:49
When I enter my password, it prints a sudo approve and two numbers. The numbers are a user ID and a process ID,
09:01
and the approver in the left-hand side terminal needs to enter these numbers. So let's see. And this time, I decided to reject it, and no harm was done.
09:21
Oops, sorry. So this is what I wanted to show. So let's go back to the approved situation.
09:47
Yes. So let's do something list, fine, and then entering a nice command on the right-hand side.
10:01
What, the left-hand side, the administrator who approves and follows the session, oh, that's, I don't want to happen. So quickly hits control-D on the left-hand side, and when the poor guy on the right-hand side tries to erase my laptop, well, I hit enter,
10:26
but nothing happened, I'm kicked out. So let's go back to my talk. And my laptop is not erased.
10:43
A bit about configuring sudo. The configuration is stored in /etc/sudoers, and you should not edit it directly, but use visudo, as it does syntax checking. If you don't like vi, you can easily replace the editor
11:02
using the EDITOR environment variable. When you are experimenting with sudo, learning how to configure it, make sure that you know the root password. Yes, even on Ubuntu. It's quite easy to create a config which is syntactically correct,
11:22
but when you save it, you are not able to do anything anymore. The configuration itself is read from top to the bottom, so you should start with generic settings and add the exceptions at the end.
11:42
Here is a typical sudoers configuration. I just removed the comments from it. It's from CentOS. You see that lots of defaults have changed.
12:00
Then the user root and the wheel group can do everything. And then here we change a few stuff. First, we enable insults for the wheel group, but disable it for everyone else. And log output means that we do session recording.
12:25
That was a common mistake in the previous configuration. What is it? What do you think?
12:40
Yes, you should switch the two lines. This way, you enable insults for the wheel group, but then disable for everybody. So it's not what you wanted to do. Obviously, when you have more than one machine, you want to do some central management
13:02
for your sudoers configuration. Puppet, Ansible, Chef, Salt, whatever, all have some support for sudo configuration, but all have some kind of limitation, like the configurations are not updated in real time.
13:24
If your users have shell access, they can edit the sudoers file, so users can modify the settings locally, and often, they don't do proper error checking,
13:40
which means that you can easily lock yourself out. There is another possibility for central management managing sudo, that you can store configuration in LDAP, which has the advantage that the configuration propagates in real time,
14:02
and it cannot be modified locally, as it's stored remotely on a server. On the other hand, it has quite a few limitations, like you cannot use aliases, and if your LDAP server is inaccessible, then you cannot use sudo,
14:20
so it's up to you what you use. An important but often overlooked feature of sudo is logging and alerting. sudo itself can create your email alerts based on the configuration when you want to receive alerts
14:41
and it stores, it logs all events to syslog. Just make sure that your syslog messages are collected centrally, otherwise it's easy to delete them. If you are using syslog-ng for collecting sudo log messages,
15:02
then sudo logs are parsed automatically, so it's very easy to create alerts based on sudo messages, and sent to Slack or Splunk or many other cloud services. If you are lucky,
15:21
then you will never have to use debug logs, as these are used to debug sudo rules or to report problems. A few words about syslog-ng, as I'm coming from the syslog-ng team. It's a logging daemon with a focus on portability
15:42
and high performance central log collection, and my initial advice when it comes to configuring it, then don't panic. It's simple and logical, even if it looks difficult at first sight and often at the second time as well. It has a pipeline model
16:01
with many different building blocks, sources, destinations, filters, and so on, and all of these can be connected together into a pipeline using log statements. Here, just to scare you, is a very simple configuration,
16:22
which is pretty generic for war log messages. The configuration starts with the version number. You can comment on it, have some global options, and here we have the building blocks I mentioned, a source, a destination, and the filter,
16:42
and finally, a log statement, which connects these together. Now, to the sudo bits, here is a filter to filter on sudo messages, a file destination to store in JSON format,
17:04
so you can see all of the fields passed from log messages, and a destination to send log messages to Slack. It's pretty easy. Practically, you need to know only a URL, and that's all.
17:21
And here is the heart of the configuration. I mentioned that sudo logs are automatically parsed by syslog-ng, so there is no parser in this configuration, but in the log statement, you see the source, the sudo filter, and if my username appears in the subject field
17:45
of the log, then the log is sent to Slack. And here you can see a nice screenshot, and any sudo commands executed by me are visible here.
18:02
So you can follow in real time what is done by your users. So what is coming to sudo 1.9? It's still under development, but some of the features are already ready, and ready for testing.
18:22
The first one is the recording service. The audit plugin: using the audit plugin, you will be able to get any log messages out from sudo, but it's not a user-visible feature,
18:44
but something you can use from your own plugins, from Python or from C. The approver plugin framework is something similar to what you have seen in the sudo pair demo,
19:04
that you will be able to approve sessions from sudo without any external applications. And my absolute favorite is that you can extend sudo with Python scripts.
19:22
So what is the recording service? I mentioned that if a log is stored locally, and you give too much permissions to your users, then they can delete their log messages. But not with the recording service, as anything happening on the terminal
19:41
is streamed in real time and securely to the recording service. It's convenient, as you have a single place to view all of your sudo sessions. It's also availability, as even when the sending machine is down, you can check what happened there, and it's also security,
20:02
as users cannot delete their traces. Python support means that you can extend sudo using Python, the plugin in Python interpreter.
20:23
It is using the same API as the C-based plugins. You can see the URL to the documentation. The difference is that with the C-based plugins, you need a development environment,
20:40
and it's quite difficult to package and distribute this. If you write Python code, you can easily distribute that code even with your configuration management system. And there is no need for a development environment compilation or whatever. Let me give you a quick demo of this.
21:05
Here on the left-hand side, you can see very simple Python code, which practically checks, receives, it's based on the I/O log
21:24
or session recording part that it receives out of what is happening on screen, and you can match if mysecret is appearing on screen and break the session if it appears on the screen.
21:43
And here, under the root directory, I have a directory called do not enter, and under that, I have a directory called mysecret. And let's see what happens if I, on the right-hand side now, start sudo,
22:03
change to the root directory, list it. Oh, there is a do not enter directory. It's definitely interesting. And, sorry.
22:29
So, as you could see, sudo is not just a prefix, but a lot more, 1.8 had fine-tune permissions, lots of fine-tuning possibilities, session recording,
22:45
LDAP-based configuration, and plugin support, and 1.9 will extend it a lot more with new APIs, central session recording, and Python plugin.
23:03
And do we have any questions? Hi, why on some setups, like, for example, standard Ubuntu on AWS, whenever you do a sudo, it has to resolve your hostname,
23:22
and if it doesn't match, it has to wait for a timeout. Let's come back somewhere here. At the very beginning, all rules, or at least most of the rules,
23:40
have a hostname check in it. Even if it's ALL, it means that it's checking some hostname. Could it not check if it's ALL? And bypass that? There might be an option for it. Actually, I never had to use it, but I can check it for you. Thank you. And if it's not there,
24:00
I will open a feature request, and it will be implemented soon, I guess. Thank you. You are welcome.