Sudo 1.9.16 is now out, containing mostly bug fixes. However, there are also some new features, like the json_compact option I wrote about a while ago. The other major change is, secure_path is now enabled by default in the sudoers file, and there is a new option to fine-tune its content.

As usual, operating systems usually lag behind with sudo versions. If your OS does not have yet 1.9.16 or later, there is a good chance that you can find a ready to use installer on the sudo website at https://www.sudo.ws/getting/download/#binary.

Version 1.9.16 of sudo will introduce a new logging option: json_compact. This does not affect logging to syslog, only logging to files. Previously, sudo created human-readable JSON log files. With this new setting enabled, logs are no longer pretty but can be easily read by logging software.

As I am writing this blog, version 1.9.16 is not yet released, not even a beta. For now, if you want to test this feature, you will have to compile sudo yourself from source. Once 1.9.16 is released, it will be available here on the sudo website as ready to install package for major Linux and UNIX variants. And eventually it will officially become available in various operating systems.

Version 1.9.15 of sudo gives more detailed information when using the -ll option. For commands, it adds the rule that allows it. Without a command parameter, it lists rules affecting a given user. It also prints which file contains the given rule, making debugging easier.

Unless you are using a rolling Linux distribution, there is a good chance that sudo 1.9.15 is not yet available for your system. Luckily the sudo project provides you with easy to use binary packages for many popular Linux distributions and UNIX variants. Check https://www.sudo.ws/getting/packages/ to see if your system is supported. If not, you can still build sudo from source.

Version 1.9.13 of sudo adds the list pseudo-command. Previously, only root or a user with the ability to run any command as either root or the target user could list privileges. Using the list pseudo-command it is possible to list the privileges of another user without any additional privileges, thus tightening security even more.

Unless you are using a rolling Linux distribution, there is a good chance that sudo 1.9.13 is not yet available for your system. Luckily the sudo project provides you with easy to use binary packages for many popular Linux distributions and UNIX variants. Check https://www.sudo.ws/getting/packages/ to see if your system is supported. If not, you can still build sudo from source.

One of the recurring questions at conferences was whether there is a way to check cached sudo credentials without updating them. Version 1.9.12 of sudo introduces the -N option which makes this possible, and also allows running any commands without updating the cached credentials.

The -N option was introduced in sudo version 1.9.12. There is a good chance that your choice of operating system still has an older version of sudo. You can easily compile sudo from source, however, using pre-built binary packages is even easier. Luckily the sudo website has a large collection of easy to use binary packages for many popular operating systems.

Sudo is one of the most used command line tools in the Linux / UNIX / macOS world. It gives users the ability to execute commands as another user. Most often it is used to gain root (administrator) privileges. Sudo was created when there were a small number of independent large systems. Some support for multiple hosts, central management and monitoring were later added to it. These tools do their jobs, however large enterprises require ease of use, reporting and monitoring.

Version 1.9.8 of sudo introduced support for logging and intercepting sub-commands. These features quickly became very popular. The original implementation is portable, however it also has a number of limitations. Version 1.9.11 of sudo introduced an alternative, Linux-specific, implementation that allows sudo to detect sub-commands in even more situations.

Version 1.9.11 of sudo was released very recently. There is a good chance that your OS of choice still has an earlier version. If you use one of the more popular Linux distributions, ready-to-install sudo packages are available on the sudo website at https://www.sudo.ws/getting/packages/.

There are situations where you cannot avoid giving a user full shell access through sudo. A shell with administrative privileges gives complete control over your hosts. Until recently, sudo could only log the start of the shell, not the commands executed within it. You could record sessions with sudo, but watching recordings is boring, time consuming and can still be subverted. Version 1.9.8 introduced logging of sub-commands, but that is not yet available on many systems. An alternate approach is to use auditd to log commands started from a root shell.

Sudo had many features to help blue teams in their daily job even before 1.9 was released. Session recordings, plugins and others made sure that most administrative access could be controlled and problems easily detected. Version 1.9 introduced Python support, new APIs, centralized session recordings, however some blind spots still remained. Learn how some of the latest sudo features can help you to better control and log administrative access to your hosts. You will learn about JSON logging in sudo, chroot support, logging sub-commands, and how to work with these logs in syslog-ng.

Session recording has been available in sudo for many years, however not many people are aware of it. Even less well-known is that you can save not just the terminal output, but also what the user types. That way you can analyze what the user is doing within a shell session. Recordings may also include user passwords, which is not always desirable. Version 1.9.10 of sudo allows you to hide passwords in session recordings if it recognizes a password entry.