
Sudo Update Offers Python Plug-Ins, Extended Logging, Auditing

13 May 2020 10:11am, by

Originally shorthand for “superuser do,” Sudo is a command familiar to anyone who has spent time using a Linux or Unix-based operating system, but these days the project, originally developed more than 40 years ago at State University of New York Buffalo, is far more than a way to run a command as the root user. Another expansion offered for the name, “substitute user do,” comes closer to describing the project’s modern functionality, although even that falls short.

For the past 25 years, Todd Miller has been the maintainer of the Sudo project, and for the last decade it has been sponsored by his employer, One Identity, which, according to the project’s history page, “enabled the addition of I/O logging, the plugin interface, additional regression tests, support for binary packages and more regular releases.”

When Miller took over as maintainer, Sudo was at version 1.3; this week sees the release of Sudo 1.9, which offers a number of enhancements around centralized logging, auditing and command approval, as well as the ability to write third-party Sudo plugins in Python rather than C.

As the improvements in the latest version of Sudo suggest, the project does far more than simply allow single-user Linux operators to install a package or delete a file they might otherwise be unable to delete. Instead, Miller said, Sudo has long been used by enterprises and other large organizations “to give more fine-grain control and have control over who’s allowed to do what and with which privileges.” In fact, beyond the open source Sudo project, One Identity also offers a commercial product, Privilege Manager for Sudo, which is part of the company’s broader Privileged Access Suite for Unix and identity and access management (IAM) offerings.

Looking at Sudo 1.9, Miller explained that one of the primary features is centralized logging, which extends the I/O logging introduced in Sudo 1.8 (recording a session’s keystrokes and related output) with a log server that can be used to consolidate and simplify logging. Sudo 1.9 also introduces just-in-time command approval, which gives administrators the option to require just-in-time authorization for Sudo commands, and rich auditing, an audit plugin interface that third-party software providers can use to write plugins that pull detailed data from Sudo sessions.

Beyond these features, however, Tyler Reese, a senior product engineer at One Identity, said that the addition of Python as a supported language for Sudo plug-ins was really a key focus.

“I always tease that Todd lives and breathes in C, but most of the IT people that are playing with this don’t. I think that it really democratizes the ability to write plugins when we move it to Python, because that’s just the language of choice for the IT analyst and the security analyst user personas,” said Reese.
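As an added illustration of what such a Python plugin looks like (this is example code, not the article’s or the Sudo project’s own), the just-in-time approval plugin below only lets a constructed set of commands run inside a weekday change window. It assumes the approval-plugin interface described in the sudo_plugin_python(8) manual: a class derived from `sudo.Plugin` whose `check()` raises `sudo.PluginReject` to deny; the policy itself lives in a plain function so it can be tested outside sudo.

```python
"""Just-in-time approval plugin for the sudo 1.9 Python plugin API.

Example code (not from the article or the sudo project). Assumes the
approval-plugin interface from sudo_plugin_python(8): a class deriving
from sudo.Plugin whose check() raises sudo.PluginReject to deny a
command that the sudoers policy has already accepted. It would be
enabled in sudo.conf with a line like (path and class are assumptions):
  Plugin python_approval python_plugin.so ModulePath=/etc/sudo/jit.py ClassName=JitApprovalPlugin
"""
from datetime import datetime

try:
    import sudo  # module injected by sudo's python_plugin.so at run time
except ImportError:  # not running inside sudo (e.g. unit tests)
    sudo = None

# Constructed policy: these commands may only run inside the change
# window (local time, weekdays, 09:00-16:59); everything else passes.
WINDOWED_COMMANDS = {"/usr/bin/systemctl", "/usr/sbin/reboot"}
WINDOW_HOURS = range(9, 17)


def evaluate(run_argv, now):
    """Return (allowed, reason) for a command sudoers already accepted.

    run_argv[0] is the fully qualified path sudo resolved. Approval
    plugins run after the policy plugin, so they can only narrow, never
    widen, what sudoers allowed.
    """
    if not run_argv:
        return False, "empty command"
    if run_argv[0] not in WINDOWED_COMMANDS:
        return True, "not a windowed command"
    if now.weekday() >= 5:
        return False, "windowed command requested on a weekend"
    if now.hour not in WINDOW_HOURS:
        return False, "windowed command requested outside %02d:00-%02d:00" % (
            WINDOW_HOURS.start, WINDOW_HOURS.stop)
    return True, "inside change window"


class JitApprovalPlugin(sudo.Plugin if sudo else object):
    """Approval plugin: sudo calls check() once per command."""

    def check(self, command_info, run_argv, run_env):
        allowed, reason = evaluate(tuple(run_argv), datetime.now())
        # Goes to sudo's own log so the decision is auditable either way.
        sudo.log_info("jit-approval: %s: %s" % (" ".join(run_argv), reason))
        if not allowed:
            raise sudo.PluginReject(reason)  # sudo denies and logs the reason
```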

Until now, Reese said, the number of plugins written for Sudo could be counted on one hand, though he said that the payment app Square was among their authors, having written a Sudo plugin in Rust to help it meet its various compliance requirements. In the future, Reese said, One Identity hopes to become a centralized hub for new Sudo plugins, whose number he expects to grow with the introduction of Python support. One example of a plugin Reese offered was using biometric analysis of a user’s typing to determine whether someone has physically hijacked their workstation, though, more commonly, a plugin might simply offer a connection to some logging or ticketing software.

Looking ahead, Reese said that One Identity will take further advantage of this plugin architecture with an integration with its Safeguard for Privileged Analytics product, where, in the next three to four months, a Sudo user will be able to “send their Sudo audit data to our centralized audit product, and then we’ll be able to give them a really nice dashboard of the different audit logs, the different users, what they’re doing, and be able to add behavioral analytics against that.”
