query

Failed Sudo Attempts

Jun 7, 2021 6:51:47 PM / By Gravwell

Who wishes they had sudo access? Who has sudo access but always fat-fingers their password? This query will help you answer these burning questions and maybe find somebody doing something sneaky.

The Query:

tag=syslog words authentication failure
| syslog Appname==sudo Message Hostname
| regex -e Message "authentication failure; (?P<kv>.+)"
| kv -e kv -sep = user
| stats count by user Hostname
| table user Hostname count

incident

(Image credit: xkcd https://xkcd.com/838/)

Gravwell
Written by Gravwell
TOP