Sudo for Blue Teams: How to Control and Log Better
canopic jug writes:
The sudo project has a short article about fine-tuning access and logging for sudo. Sudo can be used for fine-grained access to system-level utilities and functions, though some distros have made it infamous by intentionally misconfiguring it to stand in for su. Unfortunately, the example in the above article comes dangerously close to that by granting root access to the shell, Bash. So the better parts of the article, about logging and JSON, should be focused on instead:
Sudo had many features to help blue teams in their daily job even before 1.9 was released. Session recordings, plugins and others made sure that most administrative access could be controlled and problems easily detected. Version 1.9 introduced Python support, new APIs and centralized session recordings; however, some blind spots still remained. Learn how some of the latest sudo features can help you to better control and log administrative access to your hosts. You will learn about JSON logging in sudo, chroot support, logging sub-commands, and how to work with these logs in syslog-ng.
The sudo blog has more coverage of available features.
Read more of this story at SoylentNews.
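A sudoers fragment, added here as an illustration and not taken from the sudo article or the sudo project's own documentation: it places the over-broad shell grant the submitter warns about beside a fine-grained alternative, then enables the 1.9-series logging features the article covers (JSON event log, sub-command logging, chroot, central log server). Group names, command paths, file paths and the log server hostname are assumptions.

```sudoers
# --- Weak: the pattern the submitter criticises ---
# A root shell with no argument restriction; every later command is invisible
# to sudo's own event log, so there is nothing useful to alert on.
# %admins ALL=(ALL) /bin/bash

# --- Better: grant only the exact commands an operator needs (assumed names) ---
Cmnd_Alias WEB_SVC = /usr/bin/systemctl restart nginx, \
                     /usr/bin/systemctl status nginx
Cmnd_Alias LOG_READ = /usr/bin/journalctl -u nginx
%webops ALL=(root) WEB_SVC, LOG_READ

# Run a low-trust helper inside a chroot (assumed path) instead of on the real root.
%webops ALL=(root) CHROOT=/srv/jail /usr/bin/ls

# --- Logging for the blue team ---
# Write sudo's event log as one JSON record per line to a file (assumed path);
# syslog-ng can then read it with a file source and parse the fields.
Defaults logfile=/var/log/sudo.json
Defaults log_format=json

# Also log commands spawned by a sudo-run process, so a tool that shells out
# still leaves a record of what it executed.
Defaults log_subcmds

# Ship session recordings and event logs to a central sudo_logsrvd host
# (assumed hostname) so a compromised host cannot quietly edit its own history.
Defaults log_servers=logsrv.example.internal
Defaults log_input, log_output
```

Validate the file with `visudo -c` before deploying it; a syntax error in sudoers can lock every operator out of privilege escalation at once.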