I'm a big fan of the Sudo[1] command. This tool, available on every UNIX flavor, allows system administrators to grant specific users or groups access to specific commands as root or as another user, with fine-grained control over the access rights and with logging/reporting features. I've been using it for many years and I'm still learning great stuff about it. Yesterday, at the Pass-The-Salt[2] conference, Peter Czanik presented a great feature of Sudo (available since version 1.9): the ability to extend it using Python modules! There are several scenarios where Python can be used:
As usual, Python support is not enabled by default on many Linux distributions. You will have to recompile a local Sudo instance with the --enable-python option:

```
./configure --prefix=/usr/local --enable-python && make && make install
```

Once your new Sudo is ready, you just have to enable the Python interface you'd like to use. Edit your sudo.conf file and add a line like this one:

```
Plugin python_io python_plugin.so ModulePath=/usr/local/lib/sudo/sudo_isc_test.py ClassName=MyIOPlugin
```
Let's have a look at the script now:

```python
# cat /usr/local/lib/sudo/sudo_isc_test.py
import sudo

VERSION = 1.0

class MyIOPlugin(sudo.Plugin):
    def log_ttyout(self, buf: str) -> int:
        # Called with each chunk of output the command writes to the terminal
        if "root:x:0:" in buf:
            sudo.log_info("WARNING: Suspicious activity on passwd file detected!")
            return sudo.RC.REJECT
        if "8.8.8.8" in buf:
            sudo.log_info("WARNING: Suspicious network activity detected!")
            return sudo.RC.REJECT
        # Nothing suspicious in this chunk: let the command continue
        return sudo.RC.ACCEPT
```

And in practice, how it works:

```
# sudo cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:101:101::/nonexistent:/usr/sbin/nologin
WARNING: Suspicious activity on passwd file detected!
# sudo host 8.8.8.8
8.8.8.8.in-addr.arpa domain name pointer dns.google.
WARNING: Suspicious network activity detected!
```

Of course, you can do much more and also generate events. This is really powerful and helpful to better control what users/scripts do with Sudo. More information about the integration with Python is available on the website[3].

[1] https://www.sudo.ws

Xavier Mertens (@xme)
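As an added example (not the diary's script), here is the same output-inspection idea with the rules factored into a function that can be unit-tested without sudo, partial lines buffered so a match split across two output chunks is not missed, and the command captured from the open() hook for the log message. As the passwd listing above shows, an I/O plugin only sees output after the command has already emitted it, so REJECT terminates the command rather than preventing the read. The sudo module exists only inside sudo; the stand-in defined after the ImportError and the two detection rules are constructed here so the file also runs stand-alone.

```python
import re

try:
    import sudo  # provided by python_plugin.so when running inside sudo
except ImportError:  # stand-alone run: constructed stand-in for unit tests
    class sudo:
        class RC: ACCEPT, REJECT = 1, 0
        class Plugin: pass
        log_info = staticmethod(print)

# Constructed rules: name -> regex tried against each complete output line.
RULES = {
    "passwd root entry": re.compile(r"^root:x:0:"),
    "google dns": re.compile(r"\b8\.8\.8\.8\b"),
}

def find_rule(line):
    """Return the name of the first matching rule, or None."""
    return next((n for n, p in RULES.items() if p.search(line)), None)

class LineScanner:
    """Reassembles complete lines from arbitrary-sized output chunks."""
    def __init__(self):
        self.partial = ""
    def feed(self, buf):
        lines = (self.partial + buf).split("\n")
        self.partial = lines.pop()  # unterminated tail waits for more data
        return lines
    def flush(self):
        tail, self.partial = self.partial, ""
        return [tail] if tail else []

class MyIOPlugin(sudo.Plugin):
    def open(self, argv, command_info):
        self.command = " ".join(argv)  # kept for the log message
        self.scanner = LineScanner()
        return sudo.RC.ACCEPT
    def _inspect(self, lines):
        for line in lines:
            rule = find_rule(line)
            if rule:
                sudo.log_info(f"WARNING: {rule} in output of '{self.command}'")
                return sudo.RC.REJECT  # sudo terminates the command
        return sudo.RC.ACCEPT
    def log_ttyout(self, buf):
        return self._inspect(self.scanner.feed(buf))
    def log_stdout(self, buf):  # non-tty output (e.g. piped) takes this hook
        return self._inspect(self.scanner.feed(buf))
    def close(self, exit_status, error):
        self._inspect(self.scanner.flush())  # last line without a newline
```

Point ModulePath in the sudo.conf line above at this file; ClassName stays MyIOPlugin.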
ISC Handler | Jul 8th 2021