Full shell access or sudo command
Paul Moore
paul at paul-moore.com
Fri Mar 27 13:40:30 UTC 2020
On Fri, Mar 27, 2020 at 5:18 AM MAUPERTUIS, PHILIPPE
<philippe.maupertuis at equensworldline.com> wrote:
>
> Hi,
>
> Our sysadmins are able to use sudo to take a root shell and do whatever they want.
>
> On the contrary, application managers for example have only a limited set of sudo scripts and commands
>
> Is it possible to find if a given audit message (for example due to a watch on a file) has been issued in the context of sudo or a shell?
>
> My goal is to be able to search for potential sudo abuse through misconfiguration.
I'm sure others will have suggestions, probably better than mine, but
I would think that putting a watch on the sudo binary and paying
careful attention to the login UID ("auid" field) and session ("ses"
field) could be helpful.
--
paul moore
www.paul-moore.com
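As an added illustration of the approach in the reply above (not code from the thread or from the audit project), the following Python script correlates the "sudo_exec" records produced by a watch on the sudo binary with later file-watch records from the same login session, using the auid and ses fields. The audit lines, the rule keys (sudo_exec, shadow_watch) and the user ids are constructed sample data; the auditctl rules assumed in the comment are real syntax.

```python
import re

# Constructed sample records in auditd's raw log format (not from the thread).
# They assume these two rules are loaded:
#   -w /usr/bin/sudo -p x  -k sudo_exec
#   -w /etc/shadow   -p wa -k shadow_watch
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1585315230.100:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2050 auid=1000 uid=1000 gid=1000 euid=0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="sudo_exec"
type=EXECVE msg=audit(1585315230.100:4567): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1585315260.400:4580): arch=c000003e syscall=257 success=yes exit=3 ppid=2055 pid=2070 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="vi" exe="/usr/bin/vi" key="shadow_watch"
type=SYSCALL msg=audit(1585315300.700:4601): arch=c000003e syscall=257 success=yes exit=3 ppid=3001 pid=3010 auid=0 uid=0 gid=0 euid=0 ses=7 comm="cat" exe="/usr/bin/cat" key="shadow_watch"
type=SYSCALL msg=audit(1585315330.900:4620): arch=c000003e syscall=257 success=no exit=-13 ppid=4001 pid=4010 auid=1001 uid=1001 gid=1001 euid=1001 ses=9 comm="cat" exe="/usr/bin/cat" key="shadow_watch"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one raw audit line into a dict of field -> value (quotes stripped)."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group(1)), "serial": int(m.group(2))}
    for key, val in FIELD_RE.findall(line):
        if key == "msg":
            continue
        rec[key] = val.strip('"')
    return rec


def classify_watch_events(log_text, watch_key, sudo_key):
    """Label each file-watch SYSCALL record with the context it was issued in.

    The login UID (auid) survives privilege changes, and ses identifies the
    login session, so (auid, ses) ties a later root-level file access back to
    the sudo execution that preceded it in the same session.
    """
    records = [r for r in (parse_record(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: (r["ts"], r["serial"]))
    sudo_started = {}  # (auid, ses) -> timestamp of first sudo exec in that session
    findings = []
    for rec in records:
        if rec.get("type") != "SYSCALL":
            continue
        sess = (rec.get("auid"), rec.get("ses"))
        if rec.get("key") == sudo_key:
            sudo_started.setdefault(sess, rec["ts"])
            continue
        if rec.get("key") != watch_key:
            continue
        if sess in sudo_started and rec["ts"] >= sudo_started[sess]:
            context = "sudo"
        elif rec.get("auid") == "0":
            context = "direct-root"          # logged in as root, no sudo involved
        elif rec.get("auid") in ("4294967295", "-1"):
            context = "unset-auid"           # daemons/cron: no login UID to attribute
        else:
            context = "no-sudo-in-session"
        findings.append({
            "serial": rec["serial"], "auid": rec.get("auid"), "ses": rec.get("ses"),
            "uid": rec.get("uid"), "exe": rec.get("exe"), "context": context,
        })
    return findings


def unexpected_sudo_access(findings, sysadmin_auids):
    """Return sudo-context accesses by users who are not full-shell sysadmins.

    sysadmin_auids is an assumed allow-list of login UIDs; anything else that
    reached the watched file through sudo is a candidate for a sudoers review.
    """
    return [f for f in findings
            if f["context"] == "sudo" and f["auid"] not in sysadmin_auids]


if __name__ == "__main__":
    results = classify_watch_events(SAMPLE_LOG, "shadow_watch", "sudo_exec")
    for f in results:
        print(f)
    print("review:", unexpected_sudo_access(results, sysadmin_auids={"500"}))
```

On a live system the same logic applies to the output of `ausearch -k shadow_watch` and `ausearch -k sudo_exec` (raw format); the session key (auid, ses) is what lets you tell a root shell obtained through sudo apart from a direct root login or from an unprivileged access that was simply denied.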
More information about the Linux-audit mailing list