/etc/group & /etc/sudoers

linux, Authentication & Access, Disk Image

Location

/etc/group, /etc/sudoers, /etc/sudoers.d/*

Description

Group membership file defining which users belong to which groups (including sudo, wheel, docker, adm), and sudoers configuration files defining fine-grained privilege escalation rules per user or group.

Forensic Value

Comparing group memberships against a known-good baseline reveals unauthorized privilege escalation through group manipulation. Users added to the sudo, wheel, or docker groups gain elevated access. Modifications to /etc/sudoers (especially NOPASSWD rules) allow passwordless privilege escalation. The docker group effectively grants root access to the host. Checking /etc/sudoers.d/ for drop-in files is essential as attackers may add rules there to avoid modifying the main sudoers file.
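The baseline comparison and sudoers review described above, as an added example that is not part of the original entry. It parses /etc/group content into group-to-member sets, reports members present now but absent from the baseline (highlighting the sudo, wheel, docker and adm cases), and walks a main sudoers file plus its drop-ins, recording include directories and every NOPASSWD rule, with an extra flag when the rule grants ALL commands. All file contents, user names and the /etc/sudoers.d/99-maint path are constructed sample data; on a mounted image you would read the real files instead.

```python
"""Baseline comparison of /etc/group and sudoers rules (added example).

Every file body below is constructed sample data, not taken from any real
host. On a mounted disk image, read /etc/group, /etc/sudoers and each file
under the recorded include directory and pass their contents in instead.
"""
import re

# Membership in these groups confers privileged access: sudo/wheel via sudo,
# docker via the daemon socket (effectively root on the host), adm for logs.
SENSITIVE_GROUPS = {"root", "sudo", "wheel", "docker", "adm"}

# Basic sudoers user spec:  who  host = (runas) [TAG:] command list
_SPEC = re.compile(
    r"^(?P<who>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
_NON_SPEC_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_group(text):
    """Parse /etc/group content (name:password:gid:members) into {name: set(members)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _password, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups


def diff_groups(baseline, current):
    """Return (group, user) pairs that are members now but were not in the baseline."""
    added = []
    for group, members in current.items():
        for user in sorted(members - baseline.get(group, set())):
            added.append((group, user))
    return added


def parse_sudoers(text, source):
    """Return (user-spec rules, include directories) from one sudoers file.

    Joins backslash continuations, strips comments, records @includedir or
    #includedir directives and skips Defaults and alias definitions.
    """
    rules, include_dirs = [], []
    for raw in text.replace("\\\n", " ").splitlines():
        stripped = raw.strip()
        if stripped.startswith(("@includedir", "#includedir")):
            include_dirs.append(stripped.split(None, 1)[1])
            continue
        line = stripped.split("#", 1)[0].strip()
        if not line or line.startswith(_NON_SPEC_PREFIXES):
            continue
        m = _SPEC.match(line)
        if not m:
            continue
        cmds = m.group("cmds").strip()
        rules.append({
            "source": source,
            "who": m.group("who"),
            "runas": m.group("runas") or "root",
            "nopasswd": "NOPASSWD:" in cmds,
            # Drop leading TAG: prefixes (NOPASSWD:, SETENV:, ...) before testing for ALL.
            "all_cmds": re.sub(r"^(?:\w+:\s*)+", "", cmds).strip() == "ALL",
        })
    return rules, include_dirs


def audit(baseline_group, current_group, sudoers_files):
    """Flag sensitive-group additions and NOPASSWD rules across all sudoers files.

    sudoers_files maps path -> content for /etc/sudoers and each drop-in, so
    rules placed only in /etc/sudoers.d/ are not missed.
    """
    findings = {"sensitive_group_additions": [], "nopasswd_rules": [], "include_dirs": []}
    for group, user in diff_groups(parse_group(baseline_group), parse_group(current_group)):
        if group in SENSITIVE_GROUPS:
            findings["sensitive_group_additions"].append((group, user))
    for path, content in sudoers_files.items():
        rules, include_dirs = parse_sudoers(content, path)
        findings["include_dirs"].extend(include_dirs)
        for r in rules:
            if r["nopasswd"]:
                findings["nopasswd_rules"].append((r["source"], r["who"], r["all_cmds"]))
    return findings


# Constructed sample data (hypothetical users and drop-in file name).
BASELINE_GROUP = "root:x:0:\nadm:x:4:syslog\nsudo:x:27:alice\ndocker:x:999:\n"
CURRENT_GROUP = "root:x:0:\nadm:x:4:syslog\nsudo:x:27:alice,svc-backup\ndocker:x:999:bob\n"
SUDOERS_FILES = {
    "/etc/sudoers": (
        "Defaults env_reset\n"
        "root ALL=(ALL:ALL) ALL\n"
        "%sudo ALL=(ALL:ALL) ALL\n"
        "svc-backup ALL=(root) NOPASSWD: /usr/bin/rsync\n"
        "@includedir /etc/sudoers.d\n"
    ),
    "/etc/sudoers.d/99-maint": "bob ALL=(ALL) NOPASSWD: ALL\n",
}

if __name__ == "__main__":
    for key, value in audit(BASELINE_GROUP, CURRENT_GROUP, SUDOERS_FILES).items():
        print(key, value)
```

The third element of each nopasswd_rules entry is the "ALL commands" flag: a NOPASSWD rule scoped to one binary is worth a look, while NOPASSWD with ALL from a drop-in file is the pattern the entry warns about.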

Tools Required

cat
getent group
visudo -c
diff
find