linux-audit.redhat.com archive mirror
* Full shell access or sudo command
@ 2020-03-27  9:15 MAUPERTUIS, PHILIPPE
  2020-03-27 13:40 ` Paul Moore
  2020-03-27 14:36 ` Steve Grubb
  0 siblings, 2 replies; 4+ messages in thread
From: MAUPERTUIS, PHILIPPE @ 2020-03-27  9:15 UTC (permalink / raw)
  To: linux-audit



Hi,
Our sysadmins are able to use sudo to take a root shell and do whatever they want.
On the contrary, application managers for example have only a limited set of sudo scripts and commands.
Is it possible to find if a given audit message (for example due to a watch on a file) has been issued in the context of sudo or a shell?
My goal is to be able to search for potential sudo abuse through misconfiguration.

Philippe

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: Full shell access or sudo command
  2020-03-27  9:15 Full shell access or sudo command MAUPERTUIS, PHILIPPE
@ 2020-03-27 13:40 ` Paul Moore
  2020-03-27 14:36 ` Steve Grubb
  1 sibling, 0 replies; 4+ messages in thread
From: Paul Moore @ 2020-03-27 13:40 UTC (permalink / raw)
  To: MAUPERTUIS, PHILIPPE; +Cc: linux-audit

On Fri, Mar 27, 2020 at 5:18 AM MAUPERTUIS, PHILIPPE
<philippe.maupertuis@equensworldline.com> wrote:
>
> Hi,
>
> Our sysadmins are able to use sudo to take a root shell and do whatever they want.
>
> On the contrary, application managers for example have only a limited set of sudo scripts and commands.
>
> Is it possible to find if a given audit message (for example due to a watch on a file) has been issued in the context of sudo or a shell?
>
> My goal is to be able to search for potential sudo abuse through misconfiguration.

I'm sure others will have suggestions, probably better than mine, but
I would think that putting a watch on the sudo binary and paying
careful attention to the login UID ("auid" field) and session ("ses"
field) could be helpful.

-- 
paul moore
www.paul-moore.com



* Re: Full shell access or sudo command
  2020-03-27  9:15 Full shell access or sudo command MAUPERTUIS, PHILIPPE
  2020-03-27 13:40 ` Paul Moore
@ 2020-03-27 14:36 ` Steve Grubb
  2020-03-27 16:18   ` Richard Guy Briggs
  1 sibling, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2020-03-27 14:36 UTC (permalink / raw)
  To: linux-audit; +Cc: MAUPERTUIS, PHILIPPE

On Friday, March 27, 2020 5:15:37 AM EDT MAUPERTUIS, PHILIPPE wrote:
> Hi,
> Our sysadmins are able to use sudo to take a root shell and do whatever
> they want. On the contrary, application managers for example have only a
> limited set of sudo scripts and commands. Is it possible to find if a given
> audit message (for example due to a watch on a file) has been issued in
> the context of sudo or a shell? My goal is to be able to search for
> potential sudo abuse through misconfiguration.

Assuming direct root login is disabled since root is a shared account, then 
any event with uid == 0 and session != -1 has to be under sudo/su.

-Steve



* Re: Full shell access or sudo command
  2020-03-27 14:36 ` Steve Grubb
@ 2020-03-27 16:18   ` Richard Guy Briggs
  0 siblings, 0 replies; 4+ messages in thread
From: Richard Guy Briggs @ 2020-03-27 16:18 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit, MAUPERTUIS, PHILIPPE

On 2020-03-27 10:36, Steve Grubb wrote:
> On Friday, March 27, 2020 5:15:37 AM EDT MAUPERTUIS, PHILIPPE wrote:
> > Hi,
> > Our sysadmins are able to use sudo to take a root shell and do whatever
> > they want. On the contrary, application managers for example have only a
> > limited set of sudo scripts and commands. Is it possible to find if a given
> > audit message (for example due to a watch on a file) has been issued in
> > the context of sudo or a shell? My goal is to be able to search for
> > potential sudo abuse through misconfiguration.
> 
> Assuming direct root login is disabled since root is a shared account, then 
> any event with uid == 0 and session != -1 has to be under sudo/su.

Or uid == 0 and auid >= 1000 (or 500 on some systems)?

> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

