
[Bug] Sudoers File Modification Missing Additions to sudoers.d Directory #4902

Open
@MakoWish

Description


Describe the Bug

The current KQL query:

event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and
not process.name:(dpkg or platform-python or puppet or yum or dnf) and
not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)

does not take into consideration any file additions to the /etc/sudoers.d/ directory. I would like to suggest the query be changed to include event.type create to account for new files being created within the /etc/sudoers.d/ directory:

event.category:file and event.type:(change or create) and file.path:(/etc/sudoers* or /private/etc/sudoers*) and
not process.name:(dpkg or platform-python or puppet or yum or dnf) and
not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)

To Reproduce

Add "user1" as a sudoer by creating a new sudoers file in /etc/sudoers.d/:

echo '"user1" ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/user1

No alert is generated.

Expected Behavior

I believe this rule was more designed to alert on modification of the built-in sudoers file /etc/sudoers, but it does not account for additions to sudoers via new file creation. I would expect to be alerted when new sudoers are added via file creation.

Desktop - OS

Linux

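The gap the report describes, played out on constructed events. This is an added example, not code from the issue or from the detection-rules project: a small Python predicate that mirrors the KQL logic of the two queries above (same path wildcards, same process exclusions), run over a handful of hand-written ECS-style events with flattened field names. The event values, process names and the `id` field are made up for the demonstration. One caveat worth checking against the real data source before changing the rule: the proposed query filters on `event.type:create`, while the value ECS itself defines for file creation is `creation`; the last sample event shows that an event carrying `creation` would slip past both the original and the proposed filter as written.

```python
"""Compare the original and proposed sudoers-modification rule logic on
constructed ECS-style file events (hypothetical sample data, not real alerts)."""
from fnmatch import fnmatchcase

# Exclusion lists copied from the KQL in the issue.
EXCLUDED_PROCESS_NAMES = {"dpkg", "platform-python", "puppet", "yum", "dnf"}
EXCLUDED_EXECUTABLES = {
    "/opt/chef/embedded/bin/ruby",
    "/opt/puppetlabs/puppet/bin/ruby",
    "/usr/bin/dockerd",
}
# file.path:(/etc/sudoers* or /private/etc/sudoers*); the trailing wildcard
# is what makes /etc/sudoers.d/<file> match as well as /etc/sudoers itself.
SUDOERS_PATH_PATTERNS = ("/etc/sudoers*", "/private/etc/sudoers*")


def _as_set(value):
    """ECS fields such as event.type and event.category may be a string or a list."""
    if value is None:
        return set()
    if isinstance(value, (list, tuple, set)):
        return set(value)
    return {value}


def rule_matches(event, allowed_event_types):
    """Python equivalent of the issue's query. The only variable part is which
    event.type values are accepted: {'change'} for the original rule,
    {'change', 'create'} for the proposed one."""
    if "file" not in _as_set(event.get("event.category")):
        return False
    if not _as_set(event.get("event.type")) & set(allowed_event_types):
        return False
    path = event.get("file.path", "")
    if not any(fnmatchcase(path, pattern) for pattern in SUDOERS_PATH_PATTERNS):
        return False
    if event.get("process.name") in EXCLUDED_PROCESS_NAMES:
        return False
    if event.get("process.executable") in EXCLUDED_EXECUTABLES:
        return False
    return True


def original_rule(event):
    return rule_matches(event, {"change"})


def proposed_rule(event):
    return rule_matches(event, {"change", "create"})


def alerting_ids(events, rule):
    """Return the ids of the events that the given rule variant would alert on."""
    return [e["id"] for e in events if rule(e)]


def _file_event(event_id, event_type, path, name, executable):
    return {"id": event_id, "event.category": ["file"], "event.type": [event_type],
            "file.path": path, "process.name": name, "process.executable": executable}


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    # Interactive edit of the main sudoers file: both variants alert.
    _file_event("edit-sudoers", "change", "/etc/sudoers", "vim", "/usr/bin/vim"),
    # The reproduction step from the issue: a new file in /etc/sudoers.d/.
    _file_event("new-sudoers-d-file", "create", "/etc/sudoers.d/user1", "tee", "/usr/bin/tee"),
    # Same thing on macOS, where the path is /private/etc/sudoers.d/.
    _file_event("macos-sudoers-d-file", "create", "/private/etc/sudoers.d/user1", "tee", "/usr/bin/tee"),
    # Package manager touching sudoers: excluded by process.name in both variants.
    _file_event("dpkg-sudoers-update", "change", "/etc/sudoers", "dpkg", "/usr/bin/dpkg"),
    # Chef run: excluded by process.executable in both variants.
    _file_event("chef-sudoers", "change", "/etc/sudoers", "ruby", "/opt/chef/embedded/bin/ruby"),
    # Unrelated file: path filter rejects it.
    _file_event("passwd-edit", "change", "/etc/passwd", "vim", "/usr/bin/vim"),
    # Same action as the reproduction step, but tagged with the ECS value
    # 'creation' instead of 'create': neither variant as written would fire.
    _file_event("ecs-creation-value", "creation", "/etc/sudoers.d/user2", "tee", "/usr/bin/tee"),
]


if __name__ == "__main__":
    print("original rule alerts on:", alerting_ids(SAMPLE_EVENTS, original_rule))
    print("proposed rule alerts on:", alerting_ids(SAMPLE_EVENTS, proposed_rule))
    print("change-or-creation alerts on:",
          alerting_ids(SAMPLE_EVENTS, lambda e: rule_matches(e, {"change", "creation"})))
```

Running it shows the original variant firing only on the direct edit of `/etc/sudoers`, the proposed variant additionally catching the two `sudoers.d` file creations, and the `creation`-typed event being caught only when that value is added to the accepted set.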
