Sudo for blue teams: how to control and log better

@cee

Defaults log_format=json
Defaults log_subcmds
Defaults:%wheel runchroot=*
Defaults log_input, log_output
Defaults !log_passwords

Jan 28 13:56:27 localhost.localdomain sudo[10419]:   czanik : TTY=pts/0 ;
    PWD=/home/czanik ; USER=root ; COMMAND=/bin/bash

Jan 28 13:58:20 localhost.localdomain sudo[10518]: @cee:{"sudo":{"accept":{"uuid":"616bc9efcf-b239-469d-60ee-deb5af8ce6",
    "server_time":{"seconds":1643374700,"nanoseconds":222446715,"iso8601":"20220128125820Z","localtime":"Jan 28 13:58:20"},
    "submit_time":{"seconds":1643374700,"nanoseconds":209935349,"iso8601":"20220128125820Z","localtime":"Jan 28 13:58:20"},
    "submituser":"czanik","command":"/bin/bash","runuser":"root","runcwd":"/home/czanik","ttyname":"/dev/pts/0",
    "submithost":"localhost.localdomain","submitcwd":"/home/czanik","runuid":0,"columns":118,"lines":60,
    "runargv":["/bin/bash"],"runenv":["LANG=en_US.UTF-8","HOSTNAME=localhost.localdomain","SHELL=/bin/bash",
    "TERM=xterm-256color","PATH=/home/czanik/.local/bin:/home/czanik/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin",
    "MAIL=/var/mail/root","LOGNAME=root","USER=root","HOME=/root",
    "SUDO_COMMAND=/bin/bash","SUDO_USER=czanik","SUDO_UID=1000","SUDO_GID=1000"]}}}

echo '{"sudo":{"accept":{"uuid":"616bc9efcf-b239-469d-60ee-deb5af8ce6",
       "server_time":{"seconds":1643374700,"nanoseconds":222446715,"iso8601":"20220128125820Z","localtime":"Jan 28 13:58:20"},
       "submit_time":{"seconds":1643374700,"nanoseconds":209935349,"iso8601":"20220128125820Z","localtime":"Jan 28 13:58:20"},
       "submituser":"czanik","command":"/bin/bash","runuser":"root","runcwd":"/home/czanik",
       "ttyname":"/dev/pts/0","submithost":"localhost.localdomain","submitcwd":"/home/czanik",
       "runuid":0,"columns":118,"lines":60,"runargv":["/bin/bash"],"runenv":[
         "LANG=en_US.UTF-8","HOSTNAME=localhost.localdomain","SHELL=/bin/bash","TERM=xterm-256color",
         "PATH=/home/czanik/.local/bin:/home/czanik/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin",
         "MAIL=/var/mail/root","LOGNAME=root","USER=root","HOME=/root","SUDO_COMMAND=/bin/bash",
         "SUDO_USER=czanik","SUDO_UID=1000","SUDO_GID=1000"]}}}' | jq

{
  "sudo": {
    "accept": {
      "uuid": "616bc9efcf-b239-469d-60ee-deb5af8ce6",
      "server_time": {
        "seconds": 1643374700,
        "nanoseconds": 222446715,
        "iso8601": "20220128125820Z",
        "localtime": "Jan 28 13:58:20"
      },
      "submit_time": {
        "seconds": 1643374700,
        "nanoseconds": 209935349,
        "iso8601": "20220128125820Z",
        "localtime": "Jan 28 13:58:20"
      },
      "submituser": "czanik",
      "command": "/bin/bash",
      "runuser": "root",
      "runcwd": "/home/czanik",
      "ttyname": "/dev/pts/0",
      "submithost": "localhost.localdomain",
      "submitcwd": "/home/czanik",
      "runuid": 0,
      "columns": 118,
      "lines": 60,
      "runargv": [
        "/bin/bash"
      ],
      "runenv": [
        "LANG=en_US.UTF-8",
        "HOSTNAME=localhost.localdomain",
        "SHELL=/bin/bash",
        "TERM=xterm-256color",
        "PATH=/home/czanik/.local/bin:/home/czanik/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin",
        "MAIL=/var/mail/root",
        "LOGNAME=root",
        "USER=root",
        "HOME=/root",
        "SUDO_COMMAND=/bin/bash",
        "SUDO_USER=czanik",
        "SUDO_UID=1000",
        "SUDO_GID=1000"
      ]
    }
  }
}

filter f_sudo {
  program(sudo);
};
destination d_sudo {
  file("/var/log/sudo");
};
log {
  source(s_sys);
  filter(f_sudo);
  destination(d_sudo);
};

filter f_sudo {
  program(sudo);
};
destination d_sudo {
  file("/var/log/sudo" template("$(format-json --scope rfc5424 --scope dot-nv-pairs
       --rekey .* --shift 1 --scope nv-pairs --exclude MESSAGE --exclude .journal*)\n\n"));
};
log {
  source(s_sys);
  filter(f_sudo);
  destination(d_sudo);
};

{"cee":{"sudo":{"accept":{"uuid":"e6da96eb4d-e494-4fa2-2270-f13d79969d","ttyname":"/dev/pts/0",
 "submituser":"czanik","submithost":"localhost.localdomain","submitcwd":"/home/czanik",
 "submit_time":{"seconds":"1643380947","nanoseconds":"462682022","localtime":"Jan 28 15:42:27","iso8601":"20220128144227Z"},
 "server_time":{"seconds":"1643380947","nanoseconds":"477977979","localtime":"Jan 28 15:42:27","iso8601":"20220128144227Z"},
 "runuser":"root","runuid":"0","runenv[9]":"SUDO_COMMAND=/bin/bash","runenv[8]":"HOME=/root",
 "runenv[7]":"USER=root","runenv[6]":"LOGNAME=root","runenv[5]":"MAIL=/var/mail/root",
 "runenv[4]":"PATH=/home/czanik/.local/bin:/home/czanik/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin",
 "runenv[3]":"TERM=xterm-256color","runenv[2]":"SHELL=/bin/bash","runenv[1]":"HOSTNAME=localhost.localdomain",
 "runenv[12]":"SUDO_GID=1000","runenv[11]":"SUDO_UID=1000","runenv[10]":"SUDO_USER=czanik",
 "runenv[0]":"LANG=en_US.UTF-8","runcwd":"/home/czanik","runargv[0]":"/bin/bash","lines":"60",
 "command":"/bin/bash","columns":"118"}}},"app":{"name":"cee"},"SOURCE":"s_sys","PROGRAM":"sudo",
 "PRIORITY":"notice","PID":"13575","HOST_FROM":"localhost","HOST":"localhost.localdomain",
 "FACILITY":"authpriv","DATE":"Jan 28 15:42:27"}

{"cee":{"sudo":{"accept":{"uuid":"08324acc5d-353a-488b-cc6f-dc4c6e83e0","ttyname":"/dev/pts/0",
 "submituser":"czanik","submithost":"localhost.localdomain","submitcwd":"/home/czanik",
 "submit_time":{"seconds":"1643382369","nanoseconds":"161685861","localtime":"Jan 28 16:06:09","iso8601":"20220128150609Z"},
 "server_time":{"seconds":"1643382369","nanoseconds":"187055637","localtime":"Jan 28 16:06:09","iso8601":"20220128150609Z"},
 "runuser":"root","runuid":"0","runenv[9]":"SUDO_COMMAND=/bin/bash","runenv[8]":"HOME=/root",
 "runenv[7]":"USER=root","runenv[6]":"LOGNAME=root","runenv[5]":"MAIL=/var/mail/root",
 "runenv[4]":"PATH=/home/czanik/.local/bin:/home/czanik/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin",
 "runenv[3]":"TERM=xterm-256color","runenv[2]":"SHELL=/bin/bash","runenv[1]":"HOSTNAME=localhost.localdomain",
 "runenv[12]":"SUDO_GID=1000","runenv[11]":"SUDO_UID=1000","runenv[10]":"SUDO_USER=czanik",
 "runenv[0]":"LANG=en_US.UTF-8","runcwd":"/home/czanik","runchroot":"/","runargv[0]":"/bin/bash",
 "lines":"60","command":"/bin/bash","columns":"118"}}},"app":{"name":"cee"},"SOURCE":"s_sys",
 "PROGRAM":"sudo","PRIORITY":"notice","PID":"14378","HOST_FROM":"localhost","HOST":"localhost.localdomain",
 "FACILITY":"authpriv","DATE":"Jan 28 16:06:09"}

filter f_sudo {
  program(sudo);
};
destination d_sudo {
  file("/var/log/sudo" template("$(format-json --scope rfc5424 --scope dot-nv-pairs
       --rekey .* --shift 1 --scope nv-pairs --exclude MESSAGE --exclude .journal*)\n\n"));
};
log {
  source(s_sys);
  filter(f_sudo);
  if (match("/" value(".cee.sudo.accept.runchroot"))) {
    destination { file("/var/log/sudo_danger" template("$(format-welf --key DATE
                  --key .cee.sudo.accept.submituser)\n")); };
    # ToDo: change to a slack or smtp destination
  };
  destination(d_sudo);
};

{"cee":{"sudo":{"accept":{"uuid":"be17d7da37-3c6d-4cb8-38c1-11a771e0aa","ttyname":"/dev/pts/0",
 "submituser":"czanik","submithost":"localhost.localdomain","submitcwd":"/home/czanik",
 "submit_time":{"seconds":"1643385098","nanoseconds":"329198052","localtime":"Jan 28 16:51:38","iso8601":"20220128155138Z"},
 "server_time":{"seconds":"1643385098","nanoseconds":"352045133","localtime":"Jan 28 16:51:38","iso8601":"20220128155138Z"},
 "runuser":"root","runuid":"0","runenv[9]":"SUDO_COMMAND=/bin/bash","runenv[8]":"HOME=/root",
 "runenv[7]":"USER=root","runenv[6]":"LOGNAME=root","runenv[5]":"MAIL=/var/mail/root",
 "runenv[4]":"PATH=/home/czanik/.local/bin:/home/czanik/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin",
 "runenv[3]":"TERM=xterm-256color","runenv[2]":"SHELL=/bin/bash","runenv[1]":"HOSTNAME=localhost.localdomain",
 "runenv[12]":"SUDO_GID=1000","runenv[11]":"SUDO_UID=1000","runenv[10]":"SUDO_USER=czanik",
 "runenv[0]":"LANG=en_US.UTF-8","runcwd":"/home/czanik","runargv[0]":"/bin/bash","lines":"60",
 "command":"/bin/bash","columns":"118"}}},"app":{"name":"cee"},"SOURCE":"s_sys","PROGRAM":"sudo",
 "PRIORITY":"notice","PID":"15392","HOST_FROM":"localhost","HOST":"localhost.localdomain","FACILITY":"authpriv","DATE":"Jan 28 16:51:38"}

{"cee":{"sudo":{"accept":{"uuid":"be17d7da37-3c6d-4cb8-38c1-11a771e0aa","ttyname":"/dev/pts/0",
 "submituser":"czanik","submithost":"localhost.localdomain","submitcwd":"/home/czanik",
 "submit_time":{"seconds":"1643385098","nanoseconds":"329198052","localtime":"Jan 28 16:51:38","iso8601":"20220128155138Z"},
 "server_time":{"seconds":"1643385099","nanoseconds":"494292042","localtime":"Jan 28 16:51:39","iso8601":"20220128155139Z"},
 "runuser":"root","runuid":"0","runenv[9]":"SUDO_USER=czanik","runenv[8]":"HOME=/root",
 "runenv[7]":"SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass","runenv[6]":"PWD=/home/czanik",
 "runenv[5]":"USER=root","runenv[4]":"which_declare=declare -f","runenv[3]":"SUDO_COMMAND=/bin/bash",
 "runenv[2]":"HOSTNAME=localhost.localdomain","runenv[22]":"_=/usr/bin/ls",
 "runenv[21]":"BASH_FUNC_which%%=() {  ( alias;\n eval ${which_declare} ) | /usr/bin/which --tty-only --read-alias --read-functions --show-tilde --show-dot $@\n}",
 "runenv[20]":"LESSOPEN=||/usr/bin/lesspipe.sh %s","runenv[1]":"SUDO_GID=1000",
 "runenv[19]":"LD_PRELOAD=/usr/libexec/sudo/sudo_intercept.so",
 "runenv[18]":"PATH=/home/czanik/.local/bin:/home/czanik/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin",
 "runenv[17]":"LOGNAME=root","runenv[16]":"SUDO_INTERCEPT_FD=18","runenv[15]":"SHLVL=1",
 "runenv[14]":"SHELL=/bin/bash","runenv[13]":"TERM=xterm-256color","runenv[12]":"MAIL=/var/mail/root",
 "runenv[11]":"SUDO_UID=1000","runenv[10]":"XDG_DATA_DIRS=/root/.local/share/flatpak/exports/share:/var/lib/flatpak/exports/share:/usr/local/share:/usr/share",
 "runenv[0]":"LANG=en_US.UTF-8","runcwd":"/home/czanik","runargv[0]":"/usr/bin/ls","lines":"60",
 "command":"/usr/bin/ls","columns":"118"}}},"app":{"name":"cee"},"SOURCE":"s_sys","PROGRAM":"sudo",
 "PRIORITY":"notice","PID":"15392","HOST_FROM":"localhost","HOST":"localhost.localdomain","FACILITY":"authpriv","DATE":"Jan 28 16:51:39"}

Defaults log_input, log_output
Defaults !log_passwords

Sudo for blue teams: how to control and log better

Before you begin

Configuring sudo

Configuring syslog-ng

Alerting on chroot violations

Checking on sub-commands

Disabling password recording

What is next?