Tracking the Original User for Sudo in Threat Stack

What is a Sudoer?

When a user escalates privileges on Linux, the user issues a `sudo` command. From that point the OS tracks the user as `root`, and all of that user's subsequent activity is recorded as `root`.

 

Why is it important from a security standpoint?

Typically, most user and insider actions that cause an incident require escalated privileges. Incident response for alerts involving the user `root` needs to be investigated from the perspective of the original user who escalated his or her privileges to `root`.

Let's say you get an alert from Threat Stack saying there is a suspicious connection to an IP address. Clicking on the alert details, you can see that the connection was made by an executable that you don't immediately recognize, and the user who executed it is `root`. Now you want to know the original user who escalated their privileges, so you can find the entry point of the executable. Until now, you have had to trace the session and search through it to find out who the original user is. Not any more.

Enter the Sudoer Field in Threat Stack

Sudoer field in Threat Stack

Every event in Threat Stack that is associated with the user `root` now carries a `sudoer` field containing the user ID of the original user, which is the easy way to see who the sudoer is. Threat Stack customers can also search for a specific sudoer's activity using the sudoer field, for example `sudoer="john"`. An example is shown in the screenshot.
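To show what the sudoer field saves an analyst from doing by hand, here is an added example (not Threat Stack's code, and not its real event schema) that derives a `sudoer` value for root events by tracing each login session back to the sudo invocation that started it, then answers the `sudoer="john"` style search and flags root activity that no sudo can explain. The event layout, field names and sample events are constructed for illustration.

```python
"""Derive an original-user ("sudoer") field for root events by tracing the
session in which sudo was invoked. Added example, not Threat Stack code; the
event layout below is constructed and is not Threat Stack's actual schema."""
import json

# Constructed sample events, roughly what an agent records per process exec.
# `session` is the login session id (like audit's ses=), `user` the user the
# process ran as; 203.0.113.9 is a documentation-range address.
SAMPLE_EVENTS = [
    {"ts": 1, "session": 7, "user": "john", "exe": "/usr/bin/sudo", "args": "sudo -i"},
    {"ts": 2, "session": 7, "user": "root", "exe": "/bin/bash", "args": "-bash"},
    {"ts": 3, "session": 7, "user": "root", "exe": "/usr/bin/curl", "args": "curl 203.0.113.9"},
    {"ts": 4, "session": 9, "user": "root", "exe": "/usr/bin/apt", "args": "apt update"},
    {"ts": 5, "session": 8, "user": "alice", "exe": "/usr/bin/sudo", "args": "sudo ls"},
    {"ts": 6, "session": 8, "user": "root", "exe": "/bin/ls", "args": "ls"},
]


def attribute_sudoer(events):
    """Return copies of the events with a `sudoer` key: the non-root user who
    last ran sudo in the same session, or None when root activity cannot be
    traced to an escalation (for example a direct root login, session 9)."""
    last_sudo_by_session = {}
    out = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ev = dict(ev)
        if ev["user"] != "root" and ev["exe"].endswith("/sudo"):
            last_sudo_by_session[ev["session"]] = ev["user"]
        ev["sudoer"] = last_sudo_by_session.get(ev["session"]) if ev["user"] == "root" else None
        out.append(ev)
    return out


def search(events, sudoer):
    """Equivalent of a sudoer="john" search: the root events john is behind."""
    return [e for e in attribute_sudoer(events) if e["sudoer"] == sudoer]


def untraced_root(events):
    """Root events with no sudo in their session: these deserve a closer look,
    since the escalation path is not visible from the event stream."""
    return [e for e in attribute_sudoer(events) if e["user"] == "root" and e["sudoer"] is None]


if __name__ == "__main__":
    for e in search(SAMPLE_EVENTS, "john"):
        print(json.dumps(e))
```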
