When a user tries to execute a sudo command, they may have to supply authentication credentials for the account they are currently using. Successes and failures generate log messages capturing when the activity occurred and who the user was. While a failure could be associated with a misconfigured system, script, or incorrect user input, it can also be indicative of an attempt by a malicious user to elevate privileges or execute commands that will assist with malicious activity.
Event Description
Sudo (substitute user do) is a command on Linux systems that allows defined users to execute defined commands with the permissions of other (usually privileged) users. It is a mechanism for giving non-privileged users access to a subset of administrative commands without giving them unrestricted access to the root (superuser) account. Access to the sudo command is controlled via the /etc/sudoers file, which defines who can execute which commands and with which privileges.
Alert Logic Coverage
Detection of this threat is provided via the Alert Logic® ActiveWatch for Log Manager™ service. The monitored system produces log messages when sudo authentication succeeds or fails, and an incident is generated in the Alert Logic console when these log messages are seen.
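As an added illustration of the log messages described above (example code written for this page, not Alert Logic's detection logic), the following Python parses the syslog records sudo and pam_unix emit for a successful command, a wrong password and a user not in sudoers, and counts failures per invoking user so that a repeat offender can be flagged. The log lines, hostname and usernames are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from a real host) in the formats sudo
# and pam_unix emit on common Linux distributions.
SAMPLE_LOG = """\
Mar 10 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 09:12:40 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/1 ruser=bob rhost=  user=bob
Mar 10 09:12:55 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 10 09:13:10 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 10 09:13:30 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: *(?P<body>.*)$")
# sudo's own record: "user : [reason ;] TTY=... ; PWD=... ; USER=target ; COMMAND=..."
# A reason is present only on failures (wrong password, not in sudoers, ...).
RECORD = re.compile(r"^(?P<user>\S+) : (?:(?P<reason>[^;]*?) ; )?TTY=\S+ ; PWD=\S+ ; "
                    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# PAM's per-attempt record for a wrong password.
PAM_FAIL = re.compile(r"authentication failure;.*\buser=(?P<user>\S+)")

def parse_line(line):
    """Return a dict describing one sudo event, or None for non-sudo lines."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ev = {"ts": m.group("ts"), "host": m.group("host"), "target": None, "cmd": None}
    r = RECORD.match(m.group("body"))
    if r:
        reason = r.group("reason")
        ev.update(user=r.group("user"), target=r.group("target"), cmd=r.group("cmd"),
                  outcome="success" if reason is None else "failure",
                  reason=reason or "command executed")
        return ev
    p = PAM_FAIL.search(m.group("body"))
    if p:
        ev.update(user=p.group("user"), outcome="failure", reason="pam authentication failure")
        return ev
    return None

def failed_sudo_by_user(log_text, threshold=2):
    """Count sudo failures per invoking user; return users at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["outcome"] == "failure":
            counts[ev["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}
```

Note that PAM and sudo each log the same failed attempt, so a production rule should count by source or deduplicate within a short window before applying a threshold.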