Sudo GitHub Blog

Python support arrives in Safeguard for Sudo

Version 1.9 of sudo was released almost two years ago. One of the major new features was support for Python plugins. Previously, you could only extend sudo by coding in C to better suit your environment, which is not the easiest task to manage. Python makes both coding and distributing the results easier. Starting with Safeguard for Sudo 7.2, Python support is also available in an enterprise sudo management solution.

Supported Plugins

If you are a returning sudo blog reader, you might recall quite a few Python-related APIs in my blogs. Two of them are supported by Safeguard for Sudo:

  • Approval plugin
  • Audit plugin

What are these good for?

The approval plugin API was introduced in sudo 1.9 and lets you create additional policies. These are checked only after a command has already been accepted by the sudoers policy, so an approval plugin can further restrict, but never widen, what sudoers allows. You can write these plugins either in C or in Python. For example, you can add time-based restrictions and allow your users to execute commands only during regular working hours.

Just like the approval plugin API, the audit plugin API was also introduced in sudo version 1.9. It gives you access to additional audit information about each sudo session and can be used in many ways: for example, to implement custom logging when debugging problems that are hard to identify, to send events from Safeguard for Sudo directly to Elasticsearch, or to send alerts to various instant messaging systems.
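As an added example (not code from this post or from the sudo project), the following file sketches both plugin types described above against the sudo 1.9 Python plugin API: an approval plugin that rejects commands outside business hours, and an audit plugin that records accept and reject events as JSON lines. The real `sudo` module only exists inside sudo's embedded interpreter, so a minimal stand-in is defined when the import fails; that stand-in, the class names `BusinessHoursApprovalPlugin` and `JsonLinesAuditPlugin`, and the helpers `parse_command_info`, `business_hours_violation` and `business_hours_violation_at` are all this example's own assumptions. The `check`, `accept` and `reject` method signatures follow the sudo 1.9 Python plugin API as documented for sudo's example plugins.

```python
"""Added example: a business-hours approval plugin plus a JSON-lines audit
plugin for sudo 1.9's Python plugin API. Runs outside sudo thanks to a
constructed stand-in for the 'sudo' module (an assumption of this example)."""
import json
from datetime import datetime
from typing import Optional

try:
    import sudo  # provided by sudo's embedded interpreter at runtime
except ImportError:  # constructed stand-in so the file can be exercised offline
    class _SudoStub:
        class Plugin:
            def __init__(self, **kwargs):  # the real base also takes keyword options
                pass

        class PluginReject(Exception):
            pass

        class RC:
            OK = 1
            ACCEPT = 1
            REJECT = 0

        @staticmethod
        def log_info(*args):
            print(*args)

    sudo = _SudoStub()


def parse_command_info(command_info: tuple) -> dict:
    """command_info arrives as 'key=value' strings, e.g. 'command=/usr/bin/id'."""
    info = {}
    for item in command_info:
        key, _, value = item.partition("=")
        info[key] = value
    return info


def business_hours_violation(now: datetime, start_hour: int = 8,
                             end_hour: int = 18) -> Optional[str]:
    """Return a rejection reason, or None when 'now' is inside business hours."""
    if now.weekday() >= 5:  # Saturday or Sunday
        return "That is not allowed on the weekend!"
    if not start_hour <= now.hour < end_hour:
        return "That is not allowed outside business hours!"
    return None


def business_hours_violation_at(iso_timestamp: str) -> Optional[str]:
    """Convenience wrapper so the policy can be checked for a given timestamp."""
    return business_hours_violation(datetime.fromisoformat(iso_timestamp))


class BusinessHoursApprovalPlugin(sudo.Plugin):
    """Approval plugin: runs after sudoers already accepted the command."""

    def check(self, command_info: tuple, run_argv: tuple, run_env: tuple) -> int:
        info = parse_command_info(command_info)
        reason = business_hours_violation(datetime.now())
        if reason:
            sudo.log_info(f"rejecting {info.get('command', '?')}: {reason}")
            raise sudo.PluginReject(reason)  # sudo reports this message to the user
        return sudo.RC.ACCEPT


class JsonLinesAuditPlugin(sudo.Plugin):
    """Audit plugin: keeps accept/reject events as JSON lines in memory.
    A real deployment would append them to a file or ship them elsewhere."""

    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        self.lines = []

    def _emit(self, event: str, plugin_name: str, command_info: tuple, **extra):
        record = {"event": event, "plugin": plugin_name,
                  "command_info": parse_command_info(command_info), **extra}
        self.lines.append(json.dumps(record, sort_keys=True))

    def accept(self, plugin_name: str, plugin_type: int, command_info: tuple,
               run_argv: tuple, run_env: tuple) -> int:
        self._emit("accept", plugin_name, command_info, argv=list(run_argv))
        return sudo.RC.OK

    def reject(self, plugin_name: str, plugin_type: int, audit_msg: str,
               command_info: tuple) -> int:
        self._emit("reject", plugin_name, command_info, message=audit_msg)
        return sudo.RC.OK

    def last_record(self) -> dict:
        return json.loads(self.lines[-1])


if __name__ == "__main__":
    # Constructed sample events, as sudo would deliver them to the audit plugin.
    audit = JsonLinesAuditPlugin()
    audit.accept("sudoers", 0, ("command=/usr/bin/id", "runas_uid=0"), ("/usr/bin/id",), ())
    audit.reject("python_approval", 0, "That is not allowed on the weekend!",
                 ("command=/usr/bin/id",))
    print("\n".join(audit.lines))
```

Because `business_hours_violation` takes the clock as a parameter, the policy can be exercised for any timestamp without waiting for the weekend; the plugin's `check` method simply passes in `datetime.now()`.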

What do you need?

On the Safeguard for Sudo side you need to have at least version 7.2 in order to be able to utilize Python plugin support. Because Safeguard for Sudo reuses the sudo Python plugin, you will also need sudo 1.9 or higher with Python support enabled on the policy server. However, many Linux distributions, especially the long term support versions, only provide sudo 1.8. You can download up-to-date packages from the sudo website.

On the client side, you need at least sudo version 1.8.1. The reason you don’t need 1.9 or higher on the client is that the policy plugin you install with the solution does the work of sending approval and audit requests back to Safeguard for Sudo.

Configuration

If you have used Python support in sudo previously, you will see that enabling Python plugins in Safeguard for Sudo is slightly different. First of all, instead of editing the sudo.conf file, loading plugins is part of the policy. The format has also changed a bit to better suit the policy file format.

Here is how it looked in sudo.conf:

Plugin python_approval python_plugin.so \
    ModulePath=/root/example_approval_plugin.py \
    ClassName=BusinessHoursApprovalPlugin

And here is how you load the same Python script from the Safeguard for Sudo policy:

Defaults plugins += "python_approval python_plugin.so \
    ModulePath=/root/example_approval_plugin.py \
    ClassName=BusinessHoursApprovalPlugin"

You can find the Python code on GitHub alongside the sudo source code: https://github.com/sudo-project/sudo/blob/main/plugins/python/example_approval_plugin.py

Obviously, this is just sample code to demonstrate how to use the approval plugin API from Python. Once enabled, you will be able to execute commands only during regular working hours. As usual, have the root password available while experimenting with Python plugins. It is easy to permanently shut yourself out from your systems.

What is next?

I hope my blog whets your appetite and now you want to try Python in Safeguard for Sudo yourself. You can read more about this topic in Safeguard for Sudo documentation:

You can also find more inspiration from my sudo 1.9 blogs. Just remember that you need to change how the plugin is loaded. Here are a few examples:

If you do not yet have Safeguard for Sudo to manage sudo centrally and monitor your users, learn more about it and apply for a trial at https://www.oneidentity.com/products/one-identity-safeguard-for-sudo/.

If you would like to be notified about new posts and sudo news, sign up for the sudo blog announcement mailing list.