On Fri, Mar 27, 2020 at 5:18 AM MAUPERTUIS, PHILIPPE
<[email protected]> wrote:
>
> Hi,
>
> Our sysadmins are able to use sudo to take a root shell and do whatever they
> want.
>
> On the contrary, application managers for example have only a limited set of
> sudo scripts and commands.
>
> Is it possible to find if a given audit message (for example due to a watch
> on a file) has been issued in the context of sudo or a shell?
>
> My goal is to be able to search for potential sudo abuse through
> misconfiguration.

I'm sure others will have suggestions, probably better than mine, but
I would think that putting a watch on the sudo binary and paying
careful attention to the login UID ("auid" field) and session ("ses"
field) could be helpful.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit