Linux Sudo 1.9 released: more secure

Anyone proficient in Linux or Unix knows what the sudo command in their toolbox provides. Once you have what is commonly referred to as “sudo rights”, you wield a big gun: you can issue any command as a system administrator, with every Linux / Unix weapon at your disposal. The power of this simple command has led One Identity to keep improving the utility, and the company has launched sudo version 1.9, which brings improved logging, auditing, risk awareness, and higher security.

With One Identity, sudo has the following new features:

1. The accompanying logging daemon sudo_logsrvd

This logging daemon can be used to implement centralized logging of input / output logs. For companies in particular, this is a gold mine: with centralized logging, it is now easier to see how sudo is being used on the server.

2. TLS support

Logs can now be sent to a centralized server over a secure TLS channel, which increases security. This feature is available when sudo is configured with the --enable-openssl option.

The new sudo_sendlog utility can be used to test sudo_logsrvd or to send existing sudo I/O logs to a centralized server.

3. Support for audit plug-in types

According to the documentation, an audit plug-in receives accept, reject, exit, and error messages, and can be used to implement custom logging that is independent of the underlying security policy. You can also create third-party plug-ins of this type, for example to view detailed information about sudo sessions and benchmark them against the policies within your organization. This helps implement best practices and provides rich auditing capabilities.

4. Support for approval plug-in types

If you have ever wished that certain commands run through sudo could require an administrator's authorization first, you are in luck. You can now write a custom approval plug-in so that certain commands are executed only after authorization has been granted, and are refused otherwise. According to the documentation, approval plug-ins are run only after the main security policy (e.g. sudoers) has accepted the command to be run. Approval policies may perform other checks and may interact with the user. Multiple approval plug-ins can be specified in the sudo.conf file. The command is allowed only if all approval plug-ins succeed.

5. New Python support

Python support means that you can extend sudo through the same plugin API, but write the plugin in Python instead of C. This is available when sudo is configured with the --enable-python option.

6. New PAM session settings

The new pam_ruser and pam_rhost sudoers settings can be used to enable or disable the setting of PAM remote user and / or host values during the setting of a PAM session.

sudo and sudo_logsrvd now create extended input / output log information files in JSON format, which contain additional information about the command that was run, such as the environment (hostname) where the command was issued.
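As an added example (not from the original article or the sudo project), the Python sketch below triages JSON session records gathered on a central log server. The field names (submituser, submithost, runuser, command, runargv), the sample records and the host inventory are assumptions; verify them against the files your sudo version writes.

```python
import json

# Assumed field names for the JSON log info file; verify against your sudo build.
REQUIRED = ("submituser", "submithost", "runuser", "command")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/bash"}

# Constructed sample records (one JSON document per sudo session).
SAMPLE = [
    '{"submituser":"alice","submithost":"web01","runuser":"root",'
    '"command":"/usr/bin/systemctl","runargv":["systemctl","restart","nginx"]}',
    '{"submituser":"bob","submithost":"web02","runuser":"root",'
    '"command":"/bin/bash","runargv":["bash"]}',
    '{"submituser":"carol","submithost":"lab-vm9","runuser":"postgres",'
    '"command":"/usr/bin/psql","runargv":["psql"]}',
    '{"submituser":"dave","submithost":"web01","runuser":"root","comm',  # truncated
]


def parse_record(text):
    """Return the record as a dict, or None if malformed or incomplete."""
    try:
        rec = json.loads(text)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or any(k not in rec for k in REQUIRED):
        return None
    return rec


def triage(raw_records, known_hosts):
    """Return (findings, rejected): review items and count of unusable records."""
    findings, rejected = [], 0
    for text in raw_records:
        rec = parse_record(text)
        if rec is None:
            rejected += 1  # a gap in the audit trail is itself worth a look
            continue
        who = f'{rec["submituser"]}@{rec["submithost"]}'
        if rec["submithost"] not in known_hosts:
            findings.append((who, "host not in inventory"))
        if rec["runuser"] == "root" and rec["command"] in SHELLS:
            findings.append((who, "interactive root shell"))
    return findings, rejected


if __name__ == "__main__":
    for who, reason in triage(SAMPLE, {"web01", "web02"})[0]:
        print(f"{who}: {reason}")
```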

7. The sudoreplay utility can now match the host name in list mode.

The sudoreplay utility is used to play or list the output logs created by sudo. During replay, sudoreplay can replay the session in real time. If a host name exists in the log file, the list output now also includes the host name.

8. Bug fixes

As expected in the new software version, bugs have been fixed in the new sudo version. Some fixes include:

  • Fixed test failure in FreeBSD’s strsig_test
  • For sudo -i, if the target user’s home directory does not exist, sudo will now warn about the problem, but will run the command in the current working directory. Previously, this was a fatal error.
  • And others.

Reference: https://www.sudo.ws/stable.html#1.9.0

Closing remarks

The new sudo is impressive. Considering that sudo misuse can lead to fatal accidents, the new features greatly improve the security of the system and of everything that depends on it. To mitigate bad past experiences with sudo, update your system to obtain the new version and configure it to meet your specific requirements. The features above are the significant changes, and some changes are not covered here. For a complete list of changes, visit the sudo release page.
