Better Understanding Privileged User Risk by Inspecting Sudo Logs

In our previous blogs on central log management, we touched on the topic of effective search in a centralized log repository. In this post, we take a look at the risk of ‘sudoing’,  and how you can quickly and easily surface sudo related information from a central log store.

Privileged user accounts represent the highest security risk indeed, as they allow access to the most sensitive data and resources. The sudo program allows users on *nix-like operating systems to run commands on behalf of other users, typically on behalf of a superuser or root user.  Therefore, ‘sudoing’ represents a significant risk for the integrity of such systems. Inspecting regularly who uses this type of privilege escalation and what sort of commands are they running is important to mitigate the risk and to detect account misuse.

Detect and alert

syslog-ng Store Box offers a built-in parser to extract the relevant information from sudo logs. Users can activate this feature by simply enabling the sudo parser on a log path.

SSS_parsersyslog-ng Store Box will then automatically parse incoming sudo logs and extract relevant information (including who was the original user, who was the impersonated user, which command was executed) into easy-to-search columnar format. Clicking on the chart icon in the command header provides an easy-to-interpret pie-chart of the commands run:
SSB_stat_for_commandsIf a command is interesting or suspicious, clicking on it automatically adds it to the search expression. Drilling down further into the data by searching for all occurrences quickly reveals the actual user accounts behind the activities.

Combining this feature with content based alerting introduced last year, makes for an easy-to-configure and efficient tool to detect and investigate sudo related account misuse.

If you would like to know more about this feature, please consult the syslog-ng Store Box Administrator Guide.