Full shell access or sudo command

Richard Guy Briggs rgb at redhat.com
Fri Mar 27 16:18:00 UTC 2020


On 2020-03-27 10:36, Steve Grubb wrote:
> On Friday, March 27, 2020 5:15:37 AM EDT MAUPERTUIS, PHILIPPE wrote:
> > Hi,
> > Our sysadmins are able to use sudo to take a root shell and do whatever
> > they want. On the contrary, application managers for example have only a
> > limited set of sudo scripts and commands. Is it possible to find if a given
> > audit message (for example due to a watch on a file) has been issued in
> > the context of sudo or a shell? My goal is to be able to search for
> > potential sudo abuse through misconfiguration.
> 
> Assuming direct root login is disabled since root is a shared account, then 
> any event with uid ==0 and session != -1 has to be under sudo/su.

Or uid==0 and auid=>1000 (or 500 on some systems)?

> -Steve

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
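The two heuristics in this thread, applied to raw audit records, as an added example that is not code from either poster or from the audit project. It assumes raw audit.log syntax (`field=value`, with the kernel writing an unset auid or ses as 4294967295, which `ausearch -i` prints as -1/unset) and uses constructed sample records with a hypothetical watch key `etc-sudoers`. Steve's test (uid==0 and ses set, which presumes direct root login is disabled) and RGB's test (uid==0 and auid>=1000) are both implemented so the difference shows: a direct root login is flagged by the first but not the second, and a cron/daemon action with no login uid is flagged by neither.

```python
import re

AUDIT_UNSET = 4294967295  # kernel's encoding of -1 for auid/ses in raw audit.log

# Constructed sample records (not real captures), all hitting a watch keyed "etc-sudoers":
#  201: user 1000 became root (sudo/su) and edited the file
#  202: a direct root login (auid=0, ses=1) read the file
#  203: a daemon/cron job, no login uid and no session
#  204: an unprivileged user, uid 1001, read the file
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1585326000.101:201): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="etc-sudoers"
type=SYSCALL msg=audit(1585326000.102:202): arch=c000003e syscall=257 success=yes exit=3 auid=0 uid=0 gid=0 euid=0 tty=pts1 ses=1 comm="cat" exe="/usr/bin/cat" key="etc-sudoers"
type=SYSCALL msg=audit(1585326000.103:203): arch=c000003e syscall=257 success=yes exit=3 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="etc-sudoers"
type=SYSCALL msg=audit(1585326000.104:204): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts2 ses=5 comm="less" exe="/usr/bin/less" key="etc-sudoers"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")


def parse_record(line):
    """Turn one raw audit record into a dict of field -> string value (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_root_via_sudo(rec, rule="auid", min_human_uid=1000):
    """Decide whether a root action came through sudo/su.

    rule="session": Steve's test, uid == 0 and a session is set. Only valid if
                    direct root login is disabled, since a root ssh login also has a session.
    rule="auid":    RGB's test, uid == 0 and auid >= min_human_uid (1000, or 500 on
                    older systems): the login user was an ordinary account that later became root.
    """
    if int(rec.get("uid", -1)) != 0:
        return False
    auid = int(rec.get("auid", AUDIT_UNSET))
    ses = int(rec.get("ses", AUDIT_UNSET))
    if rule == "session":
        return ses != AUDIT_UNSET
    if rule == "auid":
        return auid != AUDIT_UNSET and auid >= min_human_uid
    raise ValueError("unknown rule: %s" % rule)


def root_events_via_sudo(log_text, rule="auid"):
    """Return (event serial, login uid, comm) for every record the chosen rule flags."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or not is_root_via_sudo(rec, rule):
            continue
        m = MSG_RE.search(rec.get("msg", ""))
        serial = m.group(2) if m else "?"
        hits.append((serial, rec.get("auid", "?"), rec.get("comm", "?")))
    return hits


if __name__ == "__main__":
    for rule in ("auid", "session"):
        print(rule, root_events_via_sudo(SAMPLE_LOG, rule))
```

To run it over a real log, feed it the output of `ausearch -r` (raw records) rather than `ausearch -i`, since the interpreted form rewrites auid/ses to names and -1. The auid rule is the safer of the two when root can still log in directly, because it keys on the login identity that sudo and su preserve rather than on the mere presence of a session.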
