Re: Full shell access or sudo command
On Friday, March 27, 2020 5:15:37 AM EDT MAUPERTUIS, PHILIPPE wrote:
Hi,
Our sysadmins are able to use sudo to take a root shell and do whatever
they want. On the contrary, application managers for example have only a
limited set of sudo scripts and commands Is it possible to find if a given
audit message (for example due to a watch on a file) has been issued in
the context of sudo or a shell? My goal is to be able to search for
potential sudo abuse through misconfiguration.
Assuming direct root login is disabled since root is a shared account, then
any event with uid ==0 and session != -1 has to be under sudo/su.
-Steve