On Fri, Mar 27, 2020 at 5:18 AM MAUPERTUIS, PHILIPPE
<philippe.maupertuis(a)equensworldline.com> wrote:
Hi,
Our sysadmins are able to use sudo to take a root shell and do whatever they want.
On the contrary, application managers for example have only a limited set of sudo scripts
and commands.
Is it possible to find if a given audit message (for example due to a watch on a file)
has been issued in the context of sudo or a shell?
My goal is to be able to search for potential sudo abuse through misconfiguration.
I'm sure others will have suggestions, probably better than mine, but
I would think that putting a watch on the sudo binary and paying
careful attention to the login UID ("auid" field) and session ("ses"
field) could be helpful.
--
paul moore
www.paul-moore.com
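One way to act on that suggestion, as an added example (not code from this thread or from the audit project): a small Python script that parses audit records and, for each watched-file event, reports whether sudo was execve'd earlier in the same login session (same auid and ses) and whether the process ran as root while the login uid was an ordinary user. The rule key sudo_exec, the file-watch key etc_shadow and the sample records are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Assumed audit rule, as suggested above:  auditctl -w /usr/bin/sudo -p x -k sudo_exec
# plus whatever file watches already exist (here keyed "etc_shadow").
STAMP_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUID_UNSET = "4294967295"  # -1 as unsigned: no login uid (daemons, boot)

def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into key=value fields; adds 'time' and 'serial'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = STAMP_RE.search(line)
    if m:
        fields["time"], fields["serial"] = m.group(1), m.group(2)
    return fields

def classify(lines: List[str], sudo_key: str = "sudo_exec") -> List[dict]:
    """Tag every non-sudo SYSCALL record with two context signals:
    via_sudo  - sudo was execve'd earlier in the same (auid, ses) session
    elevated  - euid is 0 although the login uid (auid) is not root
    Records are assumed to be in chronological order, as ausearch prints them."""
    sudo_sessions = set()
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        ctx = (rec.get("auid"), rec.get("ses"))
        if rec.get("key") == sudo_key:
            sudo_sessions.add(ctx)  # remember the session, then move on
            continue
        out.append({
            "serial": rec.get("serial"), "key": rec.get("key"),
            "auid": ctx[0], "ses": ctx[1], "comm": rec.get("comm"),
            "via_sudo": ctx in sudo_sessions,
            "elevated": rec.get("euid") == "0" and ctx[0] not in ("0", AUID_UNSET),
        })
    return out

# Constructed sample records (not real logs): one sudo exec, one watched-file
# access inside that sudo session, one plain user access in another session.
SAMPLE = [
    'type=SYSCALL msg=audit(1585300000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4001 auid=1001 uid=1001 gid=1001 euid=0 ses=7 comm="sudo" exe="/usr/bin/sudo" key="sudo_exec"',
    'type=SYSCALL msg=audit(1585300000.250:202): arch=c000003e syscall=257 success=yes exit=3 ppid=4001 pid=4002 auid=1001 uid=0 gid=0 euid=0 ses=7 comm="vi" exe="/usr/bin/vi" key="etc_shadow"',
    'type=SYSCALL msg=audit(1585300000.300:203): arch=c000003e syscall=257 success=no exit=-13 ppid=5000 pid=5001 auid=1002 uid=1002 gid=1002 euid=1002 ses=9 comm="cat" exe="/usr/bin/cat" key="etc_shadow"',
]
```

Feed it the output of `ausearch -i`-free raw records (e.g. `ausearch --raw -k sudo_exec -k etc_shadow`) and then check the tagged events against who is allowed to sudo what; the two flags are heuristics for triage, not proof of abuse on their own.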