Open
Description
Describe the Bug
The current KQL query:
event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and
not process.name:(dpkg or platform-python or puppet or yum or dnf) and
not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)
does not take into consideration any file additions to the /etc/sudoers.d/ directory. I would like to suggest the query be changed to include event.type create to account for new files being created within the /etc/sudoers.d/ directory:
event.category:file and event.type:(change or create) and file.path:(/etc/sudoers* or /private/etc/sudoers*) and
not process.name:(dpkg or platform-python or puppet or yum or dnf) and
not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)
To Reproduce
Add "user1" as a sudoer by creating a new sudoers file in /etc/sudoers.d/:
echo '"user1" ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/user1
No alert is generated.
Expected Behavior
I believe this rule was more designed to alert on modification of the built-in sudoers file /etc/sudoers, but it does not account for additions to sudoers via new file creation. I would expect to be alerted when new sudoers are added via file creation.
Screenshots
No response
Desktop - OS
Linux
Desktop - Version
Additional Context
No response
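The gap the issue describes can be checked offline by expressing both KQL predicates as plain functions and running them over a handful of file events. The example below is added here and is not code from the issue or from the detection-rules repository; the event dictionaries are constructed sample data using ECS field names, and the `original_rule`/`proposed_rule` names are this example's own. It shows that the `event.type:change` version never fires on the /etc/sudoers.d/user1 create event from the reproduction steps, while the `(change or create)` version does, and that the process exclusions behave identically in both.

```python
# Added example: the original and proposed KQL predicates from the issue
# re-implemented as Python functions and evaluated over constructed file events.
from fnmatch import fnmatchcase

# Exclusions copied from the rule text in the issue.
EXCLUDED_PROCESS_NAMES = {"dpkg", "platform-python", "puppet", "yum", "dnf"}
EXCLUDED_EXECUTABLES = {
    "/opt/chef/embedded/bin/ruby",
    "/opt/puppetlabs/puppet/bin/ruby",
    "/usr/bin/dockerd",
}
# file.path:(/etc/sudoers* or /private/etc/sudoers*); KQL's trailing wildcard
# also covers files under /etc/sudoers.d/, which fnmatch reproduces because
# '*' matches '/' as well.
SUDOERS_GLOBS = ("/etc/sudoers*", "/private/etc/sudoers*")


def sudoers_path(path: str) -> bool:
    """True if the path falls under either sudoers wildcard in the rule."""
    return any(fnmatchcase(path, g) for g in SUDOERS_GLOBS)


def matches(event: dict, event_types: frozenset) -> bool:
    """Evaluate the rule body with a configurable set of event.type values."""
    return (
        event.get("event.category") == "file"
        and event.get("event.type") in event_types
        and sudoers_path(event.get("file.path", ""))
        and event.get("process.name") not in EXCLUDED_PROCESS_NAMES
        and event.get("process.executable") not in EXCLUDED_EXECUTABLES
    )


def original_rule(event: dict) -> bool:
    """event.type:change only (the query as currently shipped)."""
    return matches(event, frozenset({"change"}))


def proposed_rule(event: dict) -> bool:
    """event.type:(change or create) (the change suggested in the issue)."""
    return matches(event, frozenset({"change", "create"}))


def _ev(etype, path, name, exe):
    return {
        "event.category": "file",
        "event.type": etype,
        "file.path": path,
        "process.name": name,
        "process.executable": exe,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # The reproduction step: tee creates a brand-new drop-in file.
    _ev("create", "/etc/sudoers.d/user1", "tee", "/usr/bin/tee"),
    # In-place edit of the main sudoers file by an interactive tool.
    _ev("change", "/etc/sudoers", "sed", "/usr/bin/sed"),
    # Package manager dropping a file: excluded by process.name in both versions.
    _ev("create", "/etc/sudoers.d/README", "dpkg", "/usr/bin/dpkg"),
    # Configuration management: excluded by process.executable in both versions.
    _ev("change", "/etc/sudoers.d/managed", "ruby", "/opt/puppetlabs/puppet/bin/ruby"),
    # Unrelated path: never matches the file.path clause.
    _ev("create", "/etc/passwd", "tee", "/usr/bin/tee"),
]


def alerting_paths(rule) -> list:
    """Return the sorted file.path values the given rule variant would alert on."""
    return sorted(e["file.path"] for e in SAMPLE_EVENTS if rule(e))


if __name__ == "__main__":
    print("original:", alerting_paths(original_rule))
    print("proposed:", alerting_paths(proposed_rule))
```

Running it prints only /etc/sudoers for the original predicate and both /etc/sudoers and /etc/sudoers.d/user1 for the proposed one, while the dpkg and puppet events stay excluded under either variant, so widening `event.type` does not change the noise profile of the existing exclusions.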