Re: Full shell access or sudo command
On 2020-03-27 10:36, Steve Grubb wrote:
On Friday, March 27, 2020 5:15:37 AM EDT MAUPERTUIS, PHILIPPE wrote:
> Hi,
> Our sysadmins are able to use sudo to take a root shell and do whatever
> they want. On the contrary, application managers for example have only a
> limited set of sudo scripts and commands Is it possible to find if a given
> audit message (for example due to a watch on a file) has been issued in
> the context of sudo or a shell? My goal is to be able to search for
> potential sudo abuse through misconfiguration.
Assuming direct root login is disabled since root is a shared account, then
any event with uid ==0 and session != -1 has to be under sudo/su.
Or uid==0 and auid=>1000 (or 500 on some systems)?
-Steve
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635