Brussels / 4 & 5 February 2023


Sudo logs for Blue Teamers

Using sudo, you can control and log administrative access to your hosts. Recent sudo versions can emit log messages in JSON format, and the latest sudo features also let you watch and control what were previously blind spots.

What does this mean for your Blue Team? You have more control in defining both the people who can access your system and the actions they can perform on it. The resulting log messages carry far more information in an easy-to-process format. This way you do not just collect more logs; it also becomes easier to detect and react to important sudo events.

From my talk, you can learn about JSON-formatted logging in sudo and how to work with those logs in syslog-ng. I will introduce you to some of the latest sudo features, such as configuring chroot and cwd within sudo, and logging and intercepting sub-commands. I will also show you how to work with these logs within syslog-ng: for example, how to parse JSON-formatted log messages and how to use the resulting name-value pairs for real-time alerting on critical sudo events.
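As an added illustration of the two stages the abstract describes (parse the JSON record into name-value pairs, then apply rules over those pairs), the following Python is example code written for this page; it is not from the talk, from sudo, or from syslog-ng, where the same job is done with json-parser() and filter rules. The sample log lines are constructed, and the field names (submituser, runuser, command, runcwd, runchroot, reason, and the accept/reject record kinds) are assumed to follow sudo's log_format=json output; check them against the sudoers manual for your version.

```python
import json
from typing import Iterable, Optional

# Constructed sample messages in the shape of sudo's JSON log records
# (sudoers option log_format=json). Field names are an assumption based on
# the sudo 1.9 format; the UUIDs, hosts, users and commands are invented.
SAMPLE_LOGS = [
    '{"sudo":{"accept":{"uuid":"00000000-0000-0000-0000-000000000001",'
    '"submithost":"web01","submituser":"alice","runuser":"root",'
    '"command":"/usr/bin/apt","runargv":["apt","update"],'
    '"runcwd":"/home/alice","ttyname":"/dev/pts/0"}}}',
    '{"sudo":{"reject":{"uuid":"00000000-0000-0000-0000-000000000002",'
    '"reason":"command not allowed","submithost":"web01","submituser":"bob",'
    '"runuser":"root","command":"/bin/bash","runargv":["bash"]}}}',
    '{"sudo":{"accept":{"uuid":"00000000-0000-0000-0000-000000000003",'
    '"submithost":"web01","submituser":"alice","runuser":"root",'
    '"command":"/bin/sh","runargv":["sh"],"runchroot":"/srv/jail","runcwd":"/"}}}',
    "Feb  4 10:00:00 web01 sshd[123]: Accepted publickey for alice",  # not sudo JSON
]

# Record kinds sudo's JSON format wraps inside the top-level "sudo" object.
EVENT_KINDS = ("accept", "reject", "exit", "alert")

# Commands whose execution as root deserves a second look (constructed list).
WATCHED_COMMANDS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/sh"}


def parse_sudo_event(line: str) -> Optional[dict]:
    """Return a flat dict {"kind": ..., <fields>} for one sudo JSON record,
    or None when the line is not one (other daemons share the syslog stream)."""
    try:
        record = json.loads(line)
    except ValueError:
        return None
    body = record.get("sudo") if isinstance(record, dict) else None
    if not isinstance(body, dict):
        return None
    for kind in EVENT_KINDS:
        if isinstance(body.get(kind), dict):
            return {"kind": kind, **body[kind]}
    return None


def alert_reasons(event: dict) -> list:
    """Detection rules expressed over the parsed name-value pairs."""
    reasons = []
    if event["kind"] == "reject":
        reasons.append("rejected: " + event.get("reason", "unknown reason"))
    if event["kind"] == "accept":
        if event.get("runchroot"):
            reasons.append("chroot requested: " + event["runchroot"])
        if event.get("runuser") == "root" and event.get("command") in WATCHED_COMMANDS:
            reasons.append("interactive shell as root: " + event["command"])
    return reasons


def scan(lines: Iterable[str]) -> list:
    """Run each line through the parser and the rules; return the alerts raised."""
    alerts = []
    for line in lines:
        event = parse_sudo_event(line)
        if event is None:
            continue
        reasons = alert_reasons(event)
        if reasons:
            alerts.append({
                "uuid": event.get("uuid"),
                "host": event.get("submithost"),
                "user": event.get("submituser"),
                "command": event.get("command"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Run as-is it prints two alerts: the rejected bash attempt by bob, and alice's accepted shell inside a chroot. The rules are deliberately plain dictionary lookups so they map one-to-one onto syslog-ng filter expressions over the same name-value pairs once json-parser() has done the parsing.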


Peter Czanik