This is something I've spent a bunch of time on (on-and-off) during the past year and a half to scratch a personal itch at work. I'm thrilled to finally be able to release it publicly (thanks to Square for being so supportive in this).
Long story short, it's how we implement dual control for sudo at Square. If someone sudos to a privileged user or group, this plugin requires them to find another engineer to approve the session. That engineer will then see a live mirror of everything that happens during the privileged session.
Technically, it's surprisingly simple: sudo has a plugin mechanism which allows you to log all terminal I/O, and the "meat" of it is basically just copying all I/O to a socket and `socat`ing it on the other end. The rest is all just enforcing security constraints, exposing the sudo_plugin(8) facility in a Rust-like wrapper, parsing all of the hundred-plus fields of metadata sent to the plugin by sudo, and wrapping it up in a bow so I can share it with you guys.
Please give me your feedback! I've released the plugin at a prerelease version of 0.9.0; we're happy with it, but I want to solicit feedback from the community and others who want to use it before officially stamping it as 1.0.
In the screencap - whoami on the left shows 'stephen' and the shell on the right also shows 'stephen', so ultimately it looks like 'stephen' ends up approving his own sudo request, which defeats the whole purpose. I assume that's not possible, but perhaps clarify this part?
It might be hard to read in the gif, but at Square, we actually allow users to approve their own sessions. When this happens, it's logged in such a way that an oncall infosec person is paged immediately. Users know not to do this except in case of emergency; the whole point is to have an in-case-of-fire-break-glass escape hatch during, e.g., a critical outage in the middle of the night.
The logic for this[1] is currently in the approval script (and in the sample one provided, it does deny access). However, I intend to make this a responsibility of the plugin itself[2] shortly, where you can toggle between denying and logging. Also, it's pretty easy to take the output from `socat`, pipe it to GPG, and archive the session afterward, for forensic purposes. We plan to do this latter part as well (possibly through the approval script, possibly as a second plugin).
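To make the two mechanics discussed in this thread concrete (the "copy all terminal I/O to a socket and mirror it on the other end" design from the original post, and the approval-script choice between denying self-approval and allowing it as a break-glass path that pages on-call), here is a small self-contained model in Python. It is an added example, not code from the plugin or from Square: the record framing (one direction byte, a 4-byte length, then the payload), the `decide_approval` policy names, and the JSON-lines archive standing in for the GPG-encrypted session archive are all assumptions made for this illustration, and the session chunks are constructed, not captured from sudo.

```python
"""Toy model of a sudo I/O-logging session mirrored over a UNIX socket.

Added example, not the plugin's own code. The plugin side frames ttyin/ttyout
chunks onto a socket; the approver side mirrors terminal output live and
archives every chunk for later forensic review. Framing, policy names and the
archive format are assumptions made for this example.
"""
import io
import json
import socket
import struct
import threading

DIRECTIONS = {b"i": "ttyin", b"o": "ttyout"}


def decide_approval(requester, approver, self_approval="deny"):
    """Return the approval outcome for a privileged session.

    self_approval="deny" rejects a user approving their own session (what the
    sample approval script does); "break_glass" allows it but flags the event
    so an on-call can be paged.
    """
    if approver != requester:
        return {"allow": True, "page_oncall": False}
    if self_approval == "break_glass":
        return {"allow": True, "page_oncall": True}
    return {"allow": False, "page_oncall": False}


def send_record(sock, direction, data):
    """Plugin side: frame one chunk of terminal I/O and push it to the socket."""
    sock.sendall(direction + struct.pack("!I", len(data)) + data)


def _recv_exact(sock, n):
    """Read exactly n bytes, or return None on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def mirror_session(sock, archive, show=None):
    """Approver side: decode frames until EOF, mirror ttyout, archive everything."""
    records = []
    while True:
        head = _recv_exact(sock, 5)
        if head is None:
            break
        direction, length = head[:1], struct.unpack("!I", head[1:])[0]
        payload = _recv_exact(sock, length)
        if payload is None:
            break
        rec = {"dir": DIRECTIONS.get(direction, "unknown"),
               "data": payload.decode("utf-8", "replace")}
        records.append(rec)
        if rec["dir"] == "ttyout" and show:
            show(rec["data"])  # the live mirror the approver watches
        archive.write(json.dumps(rec) + "\n")  # archive stands in for GPG-encrypted log
    return records


def run_demo(chunks, show=None):
    """Wire both sides over a socketpair; return decoded records and archive text."""
    plugin_side, approver_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)

    def plugin():
        for direction, data in chunks:
            send_record(plugin_side, direction, data)
        plugin_side.close()  # EOF tells the approver the session ended

    writer = threading.Thread(target=plugin)
    writer.start()
    archive = io.StringIO()
    records = mirror_session(approver_side, archive, show)
    writer.join()
    approver_side.close()
    return records, archive.getvalue()


# Constructed sample session (not captured from a real sudo run).
SAMPLE_CHUNKS = [
    (b"i", b"id\n"),
    (b"o", b"uid=0(root) gid=0(root)\n"),
    (b"i", b"exit\n"),
]

if __name__ == "__main__":
    print(decide_approval("stephen", "stephen"))
    print(decide_approval("stephen", "stephen", "break_glass"))
    recs, text = run_demo(SAMPLE_CHUNKS, show=lambda s: print(s, end=""))
    print(f"archived {len(recs)} records")
```

Running it directly prints the two approval outcomes and the mirrored `ttyout` data, then reports how many records were archived. In the real deployment the archive line would be the stream handed to GPG rather than an in-memory JSON buffer.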