2024-07-03, 14:00–17:00 (Europe/Paris), Workshop room 1
Sudo is used by millions to control and log administrator access to systems. However, in most cases, people use the default configuration or add a simple rule to allow a user to run a single command. The sudo workshop is for those who want to go well beyond the basics and want to practice many of the enterprise-focused features of sudo.
Sudo is used by millions to control and log administrator access to systems. However, in most cases, people use the default configuration or add a simple rule to allow a user to run a single command. The sudo workshop is for those who want to go well beyond the basics and want to practice many of the enterprise-focused features of sudo.
You need at least two (virtual) machines, or three, if you also want to try relays. You also need an up-to-date sudo version to be installed. If you use a rolling Linux or FreeBSD, then you already have it. Otherwise, the sudo website has installers for most major operating systems.
Giving the root user a password is not mandatory, but strongly advised, as it is easy to close yourself out with a configuration mistake. Remember: visudo only does syntax checks, but it does not prevent mistakes in configuration logic.
The sudo workshop starts with some of the basics through some fun examples, such as enabling insults for users, which is not enabled by default anymore. Once we verified that sudo and editing configuration works as expected, we will cover a wide variety of advanced topics:
- session recording and playback
- collecting session recordings centrally, either directly or through a relay
- JSON-formatted log messages
- CWD and chroot support
- extending sudo using Python
- logging and intercepting sub-commands
- giving audit privileges without administrator privileges
And probably some more, depending on time and the number of questions. Note that I might not be able to answer all questions: even though I helped a bit designing some of the most advanced sudo features, I am not a practicing sysadmin anymore.
Peter is an engineer working as open source evangelist at Balabit (a One Identity business), the company that developed syslog-ng. He assists distributions to maintain the syslog-ng package, follows bug trackers, helps users and talks regularly about sudo and syslog-ng at conferences (SCALE, All Things Open, FOSDEM, LOADays, and others). In his limited free time he is interested in non-x86 architectures, and works on one of his PPC or ARM machines.