On Friday, March 27, 2020 5:15:37 AM EDT MAUPERTUIS, PHILIPPE wrote: > Hi, > Our sysadmins are able to use sudo to take a root shell and do whatever > they want. On the contrary, application managers for example have only a > limited set of sudo scripts and commands Is it possible to find if a given > audit message (for example due to a watch on a file) has been issued in > the context of sudo or a shell? My goal is to be able to search for > potential sudo abuse through misconfiguration.
Assuming direct root login is disabled since root is a shared account, then any event with uid ==0 and session != -1 has to be under sudo/su. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
