Sudo 1.8 Brings Pluggable Policies to Root Access Control
We're all familiar with the venerable utility Sudo, but its feature set hasn't kept up with what many companies want for root access control. Specifically, Sudo has lacked support for policy plugins and advanced logging features. There have been a number of proprietary tools that either replace or enhance Sudo for root access control (RAC). But who wants to have to buy an add-on if you can get the features you need as part of the native toolset that comes with your *nix?
Sudo 1.8 brings a plugin architecture, with two major types of plugins: policy and I/O logging plugins.
The policy plugins are designed to control who can do what on the system. You're probably used to controlling Sudo via the
/etc/sudoers. If this works for you, nothing changes. You'll still be able to use
visudo to edit the file and add users, and set policies the way you always have. Otherwise, it's now possible to write new policies to comply with things like SOX and HIPAA, or tie Sudo into Active Directory for companies that have standardized on that. Sudo will accept only one policy plugin at a time.
The I/O plugins control logging of sessions that take place using Sudo. Sudo has had a "replay" command since 1.7.3, but this release brings much more functionality. Unlike the policy plugin, Sudo can support multiple plugins for I/O, so you could use different I/O policies depending on which users are running Sudo (for example). You can now not only see what commands have been run with Sudo, but also actually replay a session in its entirety if need be (and if you want to log that much).
Previously, those features were the domain of proprietary RAC tools. And Sudo 1.8 doesn't mean that companies have no opportunity to offer services on top of Sudo, but it does mean that they don't need to replace it entirely -- and shops have the option of writing their own plugin or using open source plugins. During his talk, Miller said several open source plugins are in development. No doubt quite a few open source plugins will be contributed that fit the needs of many companies, and if not you could turn to vendors like Quest, which offer add-ons for Active Directory and other proprietary features.
It will take a while before Sudo 1.8 rolls out to enterprise Linux releases and other major UNIXes, but you don't need to wait. The Sudo 1.8 project source and binary packages are out now. You'll find pre-compiled packages for recent Ubuntu LTS releases; Solaris 9 and 10; SUSE Linux Enterprise 9 through 11; Red Hat Enterprise Linux 4 through 6; HP-UX 11, 11.11 and 11.23; Debian Etch, Lenny and Squeeze; and many others. While I might wait a bit before rolling out on all production machines, now would be a really good time to start testing Sudo 1.8 and its new policy features to be ready to roll it out after the first minor release that follows 1.8. The API guide is available to anyone who wants to start writing new policies.
If Sudo is part of your toolkit, and it should be, it's time to upgrade and start taking advantage of the new features in Sudo. In a future column, once more open source plugins are available, I'll cover how to install policies and configure Sudo to take advantage of them.
Joe 'Zonker' Brockmeier is a freelance writer and editor with more than 10 years covering IT. Formerly the openSUSE Community Manager for Novell, Brockmeier has written for Linux Magazine, Sys Admin, Linux Pro Magazine, IBM developerWorks, Linux.com, CIO.com, Linux Weekly News, ZDNet, and many other publications. You can reach Zonker at firstname.lastname@example.org and follow him on Twitter.