/etc/group & /etc/sudoers
Linux | Authentication & Access | Disk Image
Location
/etc/group, /etc/sudoers, /etc/sudoers.d/*
Description
Group membership file defining which users belong to which groups (including sudo, wheel, docker, adm), and sudoers configuration files defining fine-grained privilege escalation rules per user or group.
Forensic Value
Comparing group memberships against a known-good baseline reveals unauthorized privilege escalation through group manipulation. Users added to the sudo, wheel, or docker groups gain elevated access. Modifications to /etc/sudoers (especially NOPASSWD rules) allow passwordless privilege escalation. The docker group effectively grants root access to the host. Checking /etc/sudoers.d/ for drop-in files is essential as attackers may add rules there to avoid modifying the main sudoers file.
Tools Required
cat, getent group, visudo -c, diff, find
Collection Commands
cp
cp /etc/group /etc/sudoers /forensics/output/
tar
tar czf /forensics/output/sudoers_all.tar.gz /etc/sudoers /etc/sudoers.d/
grep
grep -E "sudo|wheel|docker|adm" /etc/group > /forensics/output/privileged_groups.txt
grep
grep "NOPASSWD" /etc/sudoers /etc/sudoers.d/* > /forensics/output/nopasswd_rules.txt
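The baseline comparison and NOPASSWD check described above, carried out offline on the collected copies, as an added example that is not part of the original page. It assumes constructed /etc/group and sudoers contents (embedded below) and, unlike the plain grep, ignores commented-out NOPASSWD lines while still covering /etc/sudoers.d/ drop-ins.

```python
"""Triage collected /etc/group and sudoers files: report users newly added to
privileged groups versus a baseline, and list active NOPASSWD rules."""

PRIVILEGED_GROUPS = {"sudo", "wheel", "docker", "adm"}

# Constructed sample data (not from any real host).
BASELINE_GROUP = "root:x:0:\nsudo:x:27:alice\ndocker:x:999:\nadm:x:4:syslog\n"
CURRENT_GROUP = ("root:x:0:\nsudo:x:27:alice,svc-backup\n"
                 "docker:x:999:www-data\nadm:x:4:syslog\n")
SUDOERS = {  # path -> content, as collected from sudoers and sudoers.d/
    "/etc/sudoers": ("Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n"
                     "%sudo ALL=(ALL:ALL) ALL\n# %wheel ALL=(ALL) NOPASSWD: ALL\n"),
    "/etc/sudoers.d/99-constructed": "svc-backup ALL=(ALL) NOPASSWD:ALL\n",
}


def parse_group(text):
    """Map group name -> set of member names from /etc/group (or getent group)."""
    members = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or line.startswith("#"):
            continue  # skip blank, malformed and commented lines
        members[fields[0]] = {u for u in fields[3].split(",") if u}
    return members


def privileged_additions(baseline_text, current_text):
    """Users present in a privileged group now but absent from the baseline."""
    base, cur = parse_group(baseline_text), parse_group(current_text)
    added = {}
    for group in PRIVILEGED_GROUPS:
        new_users = cur.get(group, set()) - base.get(group, set())
        if new_users:
            added[group] = sorted(new_users)
    return added


def nopasswd_rules(files):
    """Return (path, rule) for every uncommented line containing NOPASSWD."""
    hits = []
    for path, text in files.items():
        for line in text.splitlines():
            rule = line.split("#", 1)[0].strip()  # drop trailing comments
            if "NOPASSWD" in rule:
                hits.append((path, rule))
    return hits


if __name__ == "__main__":
    print("new privileged members:", privileged_additions(BASELINE_GROUP, CURRENT_GROUP))
    print("NOPASSWD rules:", nopasswd_rules(SUDOERS))
```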
Collection Constraints
- Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
MITRE ATT&CK Techniques
T1548.003, T1078.003, T1098, T1136.001