Full shell access or sudo command

Steve Grubb sgrubb at redhat.com
Fri Mar 27 14:36:33 UTC 2020


On Friday, March 27, 2020 5:15:37 AM EDT MAUPERTUIS, PHILIPPE wrote:
> Hi,
> Our sysadmins are able to use sudo to take a root shell and do whatever
> they want. On the contrary, application managers for example have only a
> limited set of sudo scripts and commands. Is it possible to find if a given
> audit message (for example due to a watch on a file) has been issued in
> the context of sudo or a shell? My goal is to be able to search for
> potential sudo abuse through misconfiguration.

Assuming direct root login is disabled since root is a shared account, then
any event with uid == 0 and session != -1 has to be under sudo/su.

-Steve
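The rule in the reply, applied to raw audit.log records as an added example that is not part of the thread; the three sample records are constructed, and the field names are the standard SYSCALL record fields (in raw logs the kernel prints the unset session and login uid as 4294967295, which ausearch -i renders as "unset"):

```python
import re
from typing import Dict, List

# Constructed sample records in raw /var/log/audit/audit.log format (not real logs):
# 1) a root daemon with no login session, 2) a user who reached root via sudo/su,
# 3) an unprivileged user.  All three hit the same hypothetical watch key "etc-watch".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1585319793.101:201): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key="etc-watch"
type=SYSCALL msg=audit(1585319800.250:202): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4100 pid=4101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="vi" exe="/usr/bin/vi" key="etc-watch"
type=SYSCALL msg=audit(1585319805.900:203): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=4200 pid=4201 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=7 comm="cat" exe="/usr/bin/cat" key="etc-watch"
"""

# The kernel stores an unset session id / login uid as -1; raw logs print it unsigned.
UNSET = {"-1", "4294967295"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\(\d+\.\d+:(\d+)\)")


def parse_record(line: str) -> Dict[str, str]:
    """Split one raw audit record into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def under_sudo_or_su(rec: Dict[str, str]) -> bool:
    """The rule from the reply: uid == 0 with a real login session means
    root was reached through sudo/su rather than a system daemon."""
    return rec.get("uid") == "0" and rec.get("ses") not in UNSET


def find_privileged_session_events(log_text: str) -> List[Dict[str, str]]:
    """Return the SYSCALL records that match the rule, with the original
    login uid (auid) so the reviewer can see which human account was used,
    and the event serial for pulling the full event with `ausearch -a`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or not under_sudo_or_su(rec):
            continue
        m = SERIAL_RE.search(rec.get("msg", ""))
        hits.append({
            "serial": m.group(1) if m else "",
            "auid": rec.get("auid", ""),
            "ses": rec["ses"],
            "comm": rec.get("comm", ""),
            "key": rec.get("key", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in find_privileged_session_events(SAMPLE_LOG):
        print(hit)
```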

More information about the Linux-audit mailing list