Hi, Our sysadmins are able to use sudo to take a root shell and do whatever they want. On the contrary, application managers for example have only a limited set of sudo scripts and commands Is it possible to find if a given audit message (for example due to a watch on a file) has been issued in the context of sudo or a shell? My goal is to be able to search for potential sudo abuse through misconfiguration.
Philippe Worldline and equensWorldline are a registered trademarks and trading names owned by Worldline Group. This e-mail and the documents attached are confidential and intended solely for the addressee. If you receive this e-mail in error, you are not authorized to copy, disclose, use or retain it. Please notify the sender immediately and delete this email from your systems. As emails may be intercepted, amended or lost, they are not secure. EquensWorldline and the Worldline Group therefore can accept no liability for any errors or their content. Although equensWorldline and the Worldline Group endeavours to maintain a virus-free network, we do not warrant that this transmission is virus-free and can accept no liability for any damages resulting from any virus transmitted. The risks are deemed to be accepted by everyone who communicates with equensWorldline and the Worldline Group by email
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
