Performing Privilege Elevation
Performing Privilege Elevation (Unix/Linux)
The following out-of-the-box alert rules are assigned to the (Unix/Linux) Category: PERFORMING PRIVILEGE ELEVATION.
| Alert Rule | Description |
|---|---|
| Changing permission to super user | An alert is triggered upon an attempt to change permissions to super user permissions using the SU or SUDO commands, in order to access sensitive information and perform sensitive actions. |
| Running SU command by non-admin user | An alert is triggered upon running the SU command by a user who is not a member of the unix_admins group. This rule is an example of a Prevent Rule that results in blocking the command. This rule will not trigger any alert until it is activated. |
| Running SU command to open root shell without root password | An alert is triggered upon running the command SUDO SU in order to open a root shell without being asked for the root password. |
| Using internal SUDO command suspiciously | An alert is triggered upon running a command from within another unauthorized command executed by SUDO. This rule is an example of an Alert Rule that pops up a Warning Notification to the end user. This rule will not trigger any alert until it is activated. |
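As an added example (not part of this product documentation), the following Python script applies the first three rules above to constructed auth.log-style sudo and su lines; the unix_admins membership and the log lines are assumed. The fourth rule needs parent-process context that a single log line does not carry, so it is not modelled here.

```python
import re
from typing import Dict, List, Tuple

# Assumed membership of the unix_admins group (constructed for this example).
UNIX_ADMINS = {"alice"}

# sudo's default syslog line: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"\bsudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
# util-linux su line: "su[<pid>]: (to <target>) <user> on <tty>"
SU_RE = re.compile(r"\bsu(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+) on ")

RULE_SUPER_USER = "Changing permission to super user"
RULE_NON_ADMIN = "Running SU command by non-admin user"
RULE_ROOT_SHELL = "Running SU command to open root shell without root password"


def check_line(line: str, admins=UNIX_ADMINS) -> List[Tuple[str, str]]:
    """Return (rule, user) pairs matched by one log line; empty list if none."""
    hits: List[Tuple[str, str]] = []
    m = SUDO_RE.search(line)
    if m:
        user, target = m.group("user"), m.group("target")
        program = m.group("cmd").split()[0].rsplit("/", 1)[-1]  # basename of the command
        if target == "root":
            hits.append((RULE_SUPER_USER, user))
            if program == "su":  # "sudo su": root shell without the root password
                hits.append((RULE_ROOT_SHELL, user))
        return hits
    m = SU_RE.search(line)
    if m:
        user, target = m.group("user"), m.group("target")
        if target == "root":
            hits.append((RULE_SUPER_USER, user))
        if user not in admins:  # su by someone outside unix_admins
            hits.append((RULE_NON_ADMIN, user))
    return hits


def analyze(lines) -> Dict[str, List[str]]:
    """Group the users that triggered each rule, in log order."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        for rule, user in check_line(line):
            report.setdefault(rule, []).append(user)
    return report


# Constructed sample lines in auth.log style (not real host data).
SAMPLE_LOG = [
    "Jan 10 12:00:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Jan 10 12:00:05 host sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su",
    "Jan 10 12:00:09 host su[2231]: (to root) bob on pts/1",
    "Jan 10 12:00:12 host su[2240]: (to postgres) alice on pts/0",
    "Jan 10 12:00:15 host sshd[2250]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
]

if __name__ == "__main__":
    for rule, users in analyze(SAMPLE_LOG).items():
        print(f"{rule}: {', '.join(users)}")
```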