SPL (Apache-2.0), from splunk/security_content
Linux Auditd Nopasswd Entry In Sudoers File
The following analytic detects attempts to add NOPASSWD entries to /etc/sudoers on Linux systems. It leverages Linux Auditd process data and flags any executed command line (the auditd PROCTITLE record, exposed to Splunk as proctitle) that contains the string "NOPASSWD", for example an echo redirected into the sudoers file or a sed edit of it. This activity is significant because a NOPASSWD rule lets a user run commands as root without authenticating, which adversaries use to keep persistent, privileged access after an initial compromise. If confirmed malicious, this could lead to unauthorized privilege escalation, persistent access, and compromise of sensitive data and system integrity. Because the search inspects only the command line, an interactive edit made inside visudo or a text editor is not visible to it, while read-only commands such as grep for NOPASSWD will match; expected administrative or configuration-management activity should be excluded through the filter macro rather than by loosening the search.
Quality score: 59 | FP risk: — | Forks: 0 | Views: 0
Rule source: detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
`linux_auditd` proctitle = "*NOPASSWD*"
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_nopasswd_entry_in_sudoers_file_filter`
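The search above runs inside Splunk, so the matching and its blind spots are easier to see offline. The following Python is an added example, not code from Splunk or the security_content project: it re-implements the search (wildcard match on proctitle, then count/firstTime/lastTime by proctitle and dest) over hand-constructed auditd PROCTITLE records, including the hex decoding the Splunk TA performs before the SPL sees the field. The host names, timestamps and commands are invented for the example, and the READ_ONLY_TOOLS exclusion is an assumed tuning standing in for the empty filter macro, not something the rule ships with.

```python
"""Toy re-implementation of the detection above over constructed auditd records.
Illustrative code added for this page, not Splunk's or security_content's own logic."""
import re

# In raw audit.log the PROCTITLE record carries argv joined by NUL bytes. NUL is
# unprintable, so auditd emits the value hex-encoded; a single-word command line
# is emitted double-quoted instead. The Splunk TA decodes this before the SPL
# above compares `proctitle` against "*NOPASSWD*".
PROCTITLE_RE = re.compile(
    r"(?:node=(?P<node>\S+)\s+)?type=PROCTITLE\s+"
    r"msg=audit\((?P<ts>\d+\.\d+):\d+\):\s+proctitle=(?P<val>\S+)"
)


def encode_proctitle(argv):
    """Encode argv the way auditd does: NUL-separated, uppercase hex."""
    return b"\x00".join(a.encode() for a in argv).hex().upper()


def decode_proctitle(raw):
    """Reverse of encode_proctitle, plus the quoted single-word form."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")


def build_record(node, ts, serial, argv):
    """Constructed PROCTITLE line for this example (hand-made, not a real capture)."""
    if len(argv) == 1 and argv[0].isprintable() and '"' not in argv[0]:
        val = f'"{argv[0]}"'
    else:
        val = encode_proctitle(argv)
    return f"node={node} type=PROCTITLE msg=audit({ts:.3f}:{serial}): proctitle={val}"


# Constructed events. `node=` is auditd's own hostname prefix (name_format=hostname);
# Splunk exposes it as host, which the SPL renames to dest.
_EVENTS = [
    ("web01", 1700000000.100, 501, ["bash", "-c", "echo 'backdoor ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers"]),
    ("web01", 1700000060.250, 532, ["sed", "-i", "s/^%wheel.*/%wheel ALL=(ALL) NOPASSWD: ALL/", "/etc/sudoers"]),
    ("web01", 1700000120.000, 577, ["bash", "-c", "echo 'backdoor ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers"]),
    ("db02", 1700000200.500, 910, ["grep", "-r", "NOPASSWD", "/etc/sudoers.d"]),  # read-only: noise
    ("db02", 1700000300.000, 955, ["visudo"]),  # interactive edit: NOPASSWD typed in the editor, never on argv
]
SAMPLE_AUDIT_LOG = "\n".join(build_record(*e) for e in _EVENTS) + (
    "\nnode=db02 type=SYSCALL msg=audit(1700000300.000:955): arch=c000003e syscall=59 "
    'success=yes exit=0 comm="visudo" exe="/usr/sbin/visudo"'  # no proctitle field: ignored
)


def detect_nopasswd(audit_log, needle="NOPASSWD"):
    """Mirror of the SPL: proctitle="*NOPASSWD*" | stats count min(_time) max(_time) BY proctitle dest.
    Returns {(dest, proctitle): {"count", "firstTime", "lastTime"}}."""
    stats = {}
    for line in audit_log.splitlines():
        m = PROCTITLE_RE.search(line)
        if not m:
            continue  # SYSCALL/CWD/PATH records carry no command line
        cmdline = decode_proctitle(m.group("val"))
        if needle.lower() not in cmdline.lower():  # Splunk wildcard field matches are case-insensitive
            continue
        key = (m.group("node") or "unknown", cmdline)
        ts = float(m.group("ts"))
        row = stats.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
    return stats


# Assumed tuning standing in for the `_filter` macro (which ships as a pass-through):
# drop tools that only read sudoers. Whether this is safe depends on your environment.
READ_ONLY_TOOLS = {"grep", "egrep", "cat", "less", "rg"}


def apply_filter(stats):
    """Drop results whose first argv word is a read-only tool."""
    return {k: v for k, v in stats.items() if k[1].split()[0] not in READ_ONLY_TOOLS}


if __name__ == "__main__":
    for (dest, cmd), row in apply_filter(detect_nopasswd(SAMPLE_AUDIT_LOG)).items():
        print(f"{dest}  x{row['count']}  {row['firstTime']:.3f}-{row['lastTime']:.3f}  {cmd}")
```

Running it shows the two web01 edits (the repeated echo aggregated with count 2) and, before the filter, the db02 grep as a false positive; the visudo session never appears because nothing distinguishing was on its command line. That last case is the gap to cover with a file-integrity watch (an auditd -w rule on /etc/sudoers and /etc/sudoers.d) rather than with this command-line search.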