On 2020-03-27 10:36, Steve Grubb wrote:
> On Friday, March 27, 2020 5:15:37 AM EDT MAUPERTUIS, PHILIPPE wrote:
> > Hi,
> > Our sysadmins are able to use sudo to take a root shell and do whatever
> > they want. On the contrary, application managers for example have only a
> > limited set of sudo scripts and commands. Is it possible to find if a given
> > audit message (for example due to a watch on a file) has been issued in
> > the context of sudo or a shell? My goal is to be able to search for
> > potential sudo abuse through misconfiguration.
>
> Assuming direct root login is disabled since root is a shared account, then
> any event with uid ==0 and session != -1 has to be under sudo/su.

Or uid==0 and auid=>1000 (or 500 on some systems)?

> -Steve

- RGB

--
Richard Guy Briggs <[email protected]>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
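The two criteria proposed in this thread (uid == 0 with a session id set, and uid == 0 with auid at or above the first regular user id) can be applied directly to raw audit records. The script below is an added example written for this page, not code from the thread or from the audit project. It assumes the kernel's convention of logging an unset loginuid/session as the unsigned value 4294967295 (what ausearch shows as -1), defaults the first regular uid to 1000 (500 on older systems, as the thread notes), and runs over a few constructed SYSCALL/PATH records tied to a hypothetical file watch key "sudoers-watch".

```python
import re

# The kernel records an unset loginuid (auid) or session id (ses) as unsigned -1.
AUID_UNSET = 4294967295
# First regular user uid; 500 on some older distributions, per the thread.
MIN_USER_UID = 1000

# Matches key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit record line into a dict of its key=value fields."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def _int_field(rec, key):
    """Return the field as int, or None if absent or not numeric."""
    try:
        return int(rec[key])
    except (KeyError, ValueError):
        return None


def under_sudo_by_session(rec):
    """Steve Grubb's criterion: uid == 0 and the session id is set (!= -1)."""
    uid, ses = _int_field(rec, "uid"), _int_field(rec, "ses")
    return uid == 0 and ses is not None and ses != AUID_UNSET


def under_sudo_by_auid(rec, min_uid=MIN_USER_UID):
    """Richard Guy Briggs's criterion: uid == 0 and auid is a regular user's uid."""
    uid, auid = _int_field(rec, "uid"), _int_field(rec, "auid")
    return (uid == 0 and auid is not None
            and auid != AUID_UNSET and auid >= min_uid)


def find_candidates(lines, min_uid=MIN_USER_UID):
    """Return (auid, comm, key) for SYSCALL records that satisfy both criteria.

    Only SYSCALL records carry uid/auid/ses; PATH records for the same event id
    are skipped here, but the msg=audit(ts:id) serial can be used to join them.
    """
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        if under_sudo_by_session(rec) and under_sudo_by_auid(rec, min_uid):
            hits.append((int(rec["auid"]), rec.get("comm"), rec.get("key")))
    return hits


# Constructed sample records (not real log data). Fields irrelevant to the
# check are elided with "...". Record 201: root via sudo from a uid-1000 login.
# Record 202: a root daemon with no login session. Record 203: unprivileged user.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1585305000.101:201): arch=c000003e syscall=257 success=yes exit=3 ... uid=0 gid=0 euid=0 ... auid=1000 ses=4 comm="vim" exe="/usr/bin/vim" key="sudoers-watch"
type=SYSCALL msg=audit(1585305000.102:202): arch=c000003e syscall=257 success=yes exit=3 ... uid=0 gid=0 euid=0 ... auid=4294967295 ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="sudoers-watch"
type=SYSCALL msg=audit(1585305000.103:203): arch=c000003e syscall=257 success=no exit=-13 ... uid=1001 gid=1001 euid=1001 ... auid=1001 ses=5 comm="cat" exe="/usr/bin/cat" key="sudoers-watch"
type=PATH msg=audit(1585305000.101:201): item=0 name="/etc/sudoers" inode=1234 dev=fd:01 mode=0100440 ouid=0 ogid=0
"""

if __name__ == "__main__":
    for auid, comm, key in find_candidates(SAMPLE_LOG.splitlines()):
        print(f"root activity from login uid {auid}: comm={comm} key={key}")
```

On a live system the same logic applies to the output of `ausearch -k sudoers-watch --raw` or directly to /var/log/audit/audit.log; the auid survives across sudo and su, so it is the field that tells you which human login the root activity belongs to, while the session check alone only separates interactive logins from daemons.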
