Correlate command executions involving 'sudo' with elevated effective user ID (euid=0), especially when tty_tickets is disabled or timestamp_timeout is actively abused.

| Data Component | Name | Channel |
|---|---|---|
| Process Metadata (DC0034) | auditd:SYSCALL | execve call for sudo where euid != uid |
| File Modification (DC0061) | auditd:SYSCALL | execve call for modification of /etc/sudoers or writing to /var/db/sudo |

| Field | Description |
|---|---|
| timestamp_timeout_threshold | Tune the valid sudo session duration to reduce false positives |
| command_allowlist | Filter benign sudo usage (e.g., approved admin scripts) |
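The following is an added worked example of the Linux analytic above, not code from the ATT&CK page. It parses constructed auditd SYSCALL/EXECVE records, flags sudo executions whose effective uid became 0 while the real uid is not 0, applies `command_allowlist`, and raises severity when the same login session (auid) modified /etc/sudoers or /var/db/sudo within `timestamp_timeout_threshold` seconds beforehand. The audit rule keys (`exec`, `sudoers_mod`, `sudo_ts`) and the sample records are assumptions made for this example.

```python
"""Correlate sudo executions that gain euid=0 with sudoers / timestamp-dir tampering.

Added example, not part of the ATT&CK page. It assumes auditd rules tagged with
these hypothetical keys, producing SYSCALL and EXECVE records:
  -a always,exit -F arch=b64 -S execve -k exec
  -w /etc/sudoers -p wa -k sudoers_mod
  -w /var/db/sudo -p wa -k sudo_ts
"""
import re
from collections import defaultdict

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TAMPER_KEYS = {"sudoers_mod", "sudo_ts"}   # hypothetical audit rule keys
EXECVE_X86_64 = "59"                      # execve syscall number when arch=c000003e

# Constructed sample records (x86_64 field layout; not real captured output).
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3101 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 tty=pts0 ses=4 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=EXECVE msg=audit(1700000000.100:101): argc=2 a0="sudo" a1="/usr/local/sbin/backup.sh"
type=SYSCALL msg=audit(1700000040.200:102): arch=c000003e syscall=257 success=yes exit=3 ppid=3100 pid=3150 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 tty=pts0 ses=4 comm="bash" exe="/usr/bin/bash" key="sudoers_mod"
type=SYSCALL msg=audit(1700000045.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3160 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 tty=pts0 ses=4 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=EXECVE msg=audit(1700000045.300:103): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1700000050.400:104): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4001 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 tty=pts1 ses=5 comm="ls" exe="/usr/bin/ls" key="exec"
"""


def parse_events(lines):
    """Group auditd records by serial number into one event per syscall."""
    events = defaultdict(dict)
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events[int(m.group("serial"))]
        ev["ts"] = float(m.group("ts"))
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        rtype = fields.pop("type", "")
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "EXECVE":
            # argv is only carried by the EXECVE record of the same event
            argc = int(fields.get("argc", 0))
            ev["argv"] = [fields.get(f"a{i}", "") for i in range(argc)]
    return [events[s] for s in sorted(events)]


def is_sudo_with_euid_mismatch(ev):
    """execve of sudo where the effective uid became 0 but the real uid is not 0."""
    return (ev.get("syscall") == EXECVE_X86_64
            and ev.get("exe") == "/usr/bin/sudo"
            and ev.get("euid") == "0"
            and ev.get("uid") not in (None, "0"))


def analyze(lines, timestamp_timeout_threshold=300, command_allowlist=()):
    """Return alerts for sudo euid escalations; severity is 'high' when the same
    login session (auid) tampered with sudoers or the timestamp directory within
    timestamp_timeout_threshold seconds before the sudo execution."""
    events = parse_events(lines)
    tampers = [e for e in events
               if e.get("key") in TAMPER_KEYS and e.get("success") == "yes"]
    alerts = []
    for ev in events:
        if not is_sudo_with_euid_mismatch(ev):
            continue
        command = " ".join(ev.get("argv", [])[1:])   # drop argv[0] == "sudo"
        if command in command_allowlist:
            continue
        related = [t for t in tampers
                   if t.get("auid") == ev.get("auid")
                   and 0 <= ev["ts"] - t["ts"] <= timestamp_timeout_threshold]
        alerts.append({
            "ts": ev["ts"],
            "auid": ev.get("auid"),
            "command": command,
            "severity": "high" if related else "medium",
            "tamper_keys": sorted({t["key"] for t in related}),
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE.splitlines(),
                         command_allowlist=("/usr/local/sbin/backup.sh",)):
        print(alert)
```

With the allowlist applied, the approved backup script is dropped and only the `sudo -i` that followed a write to /etc/sudoers from the same session is reported, at high severity; without the allowlist both sudo executions surface, the first at medium severity because no tampering preceded it. The syscall number check is x86_64-specific (arch=c000003e); other architectures use a different execve number.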
Detect sudo activity that adds NOPASSWD entries to /etc/sudoers or disables tty_tickets (e.g., echo 'Defaults !tty_tickets' >> /etc/sudoers), followed by immediate privileged commands.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | exec or sudo usage with NOPASSWD context or echo modifying sudoers |
| Process Termination (DC0033) | macos:unifiedlog | Terminal process killed (killall Terminal) immediately after sudoers modification |

| Field | Description |
|---|---|
| admin_user_context | Define allowed users who may modify sudoers without investigation |
| terminal_restart_window | Time window after sudoers file change to monitor for Terminal restarts |
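The following is an added worked example of the macOS analytic above, not code from the ATT&CK page. It runs over constructed, syslog-style unified log lines (a simplified approximation, not verbatim `log show` output): it picks out sudo COMMAND messages that touch NOPASSWD, tty_tickets or the sudoers file, skips users listed in `admin_user_context`, and then looks for a Terminal termination within `terminal_restart_window` seconds. The Terminal termination message format and all sample lines are assumptions made for this example.

```python
"""Detect sudoers tampering (NOPASSWD / !tty_tickets) followed by a Terminal kill.

Added example, not part of the ATT&CK page. Input is constructed syslog-style
unified log text; the "Terminal[...]" termination line is a hypothetical format.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+[+-]\d{4})\s+\S+\s+"
    r"(?P<proc>[\w.]+)\[\d+\]:\s*(?P<msg>.*)$")
# sudo's standard syslog message: "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")
TAMPER_PATTERNS = (
    re.compile(r"NOPASSWD"),
    re.compile(r"!\s*tty_tickets"),
    re.compile(r"/(?:private/)?etc/sudoers"),
    re.compile(r"\bvisudo\b"),
)
# Either a sudo-logged "killall Terminal" or a (hypothetical) Terminal exit message
TERMINAL_KILL_RE = re.compile(
    r"killall\s+Terminal|Terminal\[\d+\]:.*(?:SIGTERM|SIGKILL|exited)")

# Constructed sample lines (not real captured output).
SAMPLE = """\
2024-03-01 10:15:02.123456-0800 mac01 sudo[512]: jdoe : TTY=ttys001 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/sh -c echo 'Defaults !tty_tickets' >> /etc/sudoers
2024-03-01 10:15:04.000000-0800 mac01 sudo[520]: jdoe : TTY=ttys001 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/usr/bin/killall Terminal
2024-03-01 10:15:04.250000-0800 mac01 Terminal[300]: process exited due to SIGTERM
2024-03-01 10:20:00.000000-0800 mac01 sudo[530]: opsadmin : TTY=ttys002 ; PWD=/Users/opsadmin ; USER=root ; COMMAND=/usr/sbin/visudo
2024-03-01 10:25:00.000000-0800 mac01 sudo[540]: jdoe : TTY=ttys001 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/usr/bin/id
"""


def parse_line(line):
    """Split one syslog-style line into timestamp, process name and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f%z")
    return {"ts": ts, "proc": m.group("proc"), "msg": m.group("msg"), "raw": line}


def detect(lines, admin_user_context=(), terminal_restart_window=60):
    """Return one alert per sudoers-tampering command by a non-allowlisted user,
    marking whether a Terminal kill followed inside terminal_restart_window seconds."""
    events = [e for e in map(parse_line, lines) if e]   # assumed chronological
    alerts = []
    for i, ev in enumerate(events):
        if ev["proc"] != "sudo":
            continue
        sm = SUDO_RE.match(ev["msg"])
        if not sm:
            continue
        user, cmd = sm.group("user"), sm.group("cmd")
        if not any(p.search(cmd) for p in TAMPER_PATTERNS):
            continue
        if user in admin_user_context:
            continue   # approved sudoers maintainer; no investigation needed
        kills = [k for k in events[i + 1:]
                 if TERMINAL_KILL_RE.search(k["raw"])
                 and 0 <= (k["ts"] - ev["ts"]).total_seconds() <= terminal_restart_window]
        alerts.append({
            "ts": ev["ts"].isoformat(),
            "user": user,
            "command": cmd,
            "terminal_restart": bool(kills),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines(), admin_user_context=("opsadmin",)):
        print(alert)
```

With `opsadmin` in `admin_user_context`, the visudo run is ignored and the single alert is jdoe's tty_tickets change, tagged `terminal_restart: True` because both the sudo-logged `killall Terminal` and the Terminal exit line fall inside the 60-second window. Note that `echo ... >> /etc/sudoers` only reaches the sudo log when the shell itself is run under sudo (as in the sample); a redirection performed by an already-root shell appears in file-modification telemetry instead.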