sudo-check

May 21, 2024 · 1 min read

sudo-check is a lightweight security auditing utility designed to analyze Linux /etc/sudoers files and /etc/sudoers.d/ directories. It helps security engineers and system administrators quickly identify misconfigurations, overly permissive rules, and potential privilege escalation pathways.

By scanning for common policy weaknesses, this tool provides actionable insights to tighten system access controls.

Key Auditing Features

Rule Analysis: Identifies NOPASSWD directives and wildcard user specifications that could allow unauthorized root access.
Directive Validation: Verifies the presence of key security directives such as env_reset, secure_path, and use_pty.
Permission Checks: Validates the file permissions and ownership of critical configuration files to prevent unauthorized editing.
Alias Resolution: Parsers user, run-as, and command aliases to audit complex, nested rule structures.

Last updated on May 21, 2024

Linux Security Privilege Escalation Auditing Sudo Cybersecurity Bash Scripting

Authors

Florian Stosse

Cybersecurity engineer

About Me

Hi, I’m Florian Stosse, just another information security engineer !

Current work

I currently work at the European Space Agency, as a cybersecurity engineer for the Galileo programme, specifically for the Galileo Mission Segment (GMS).

Experience summary

I previously worked at Safran Data Systems, in the Space & Communications business unit. I focused on hardening and securing our embedded Windows 7 and 10/11 platforms (Cortex family of TT&C and high data rate receivers), among other cool things :)

Before that, in October 2018, I started a PhD thesis at CEA-List and ANSSI to work on formal methods applied to software security. More specifically, I was working on software defenses and hardening against hardware vulnerabilities, such as Spectre and Meltdown, using sound static analysis tools (Frama-C in particular).

My thesis was under the supervision of Julien Signoles (CEA), and my advisors were Patricia Mouy (ANSSI) and Florent Kirchner (CEA).

Unfortunately, we had to put a stop to the thesis, but hey, that’s life !

Education summary

I graduated with a M.Sc in Computer Science (major in cybersecurity, minor in embedded systems) from ESIEA Paris (a top French engineering school, part of the “Grandes écoles”) in August 2018. During my graduate studies, I was an apprentice at Bureau Veritas’ R&D center in La Défense, Paris.

I worked in the RAMS department, and my main areas of work were:

software security (e.g. static analysis, SDLC),
connected/autonomous vehicles security (e.g. ISO 21434 for automotive security engineering),
and industrial systems security (e.g. ISO 62443 certification).

Do not hesitate to get in touch if you want to chat about these topics (or anything else, really) !

← exploit-protection-policy May 22, 2024

ad-hardening May 20, 2024 →