Splunk Lantern

Detecting the Baron Samedit sudo attack

The buffer overflow attack dubbed Baron Samedit can result in privilege escalation on some of the most modern and widely used Linux operating systems. An unprivileged user can exploit this vulnerability to gain root privileges on a host even under a default sudo configuration.

You have Linux and Unix machines on your network, and those machines have the sudo command installed. You need a proactive way to interrogate your servers and make a data-driven response to manage your threat surface.

Data required

*nix logs

How to use Splunk software for this use case

Depending on what information you have available, you might find it useful to identify some or all of the following: 
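As an added example that is not part of the original use case or of Splunk's own searches, the following Python script performs the two checks a practitioner would want over collected *nix data: it classifies sudo version strings against the upstream sudo releases affected by Baron Samedit, and it counts sudoedit segfaults per host in syslog lines. The version boundaries, regular expressions, host names and log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Upstream sudo releases affected by Baron Samedit (assumed here from the public
# advisory; fixed in 1.8.32 and 1.9.5p2). Distro packages may backport the fix under
# an older version string, so a "vulnerable" verdict means "verify", not "proven".
VULNERABLE_RANGES = (((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1)))
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

def parse_sudo_version(text):
    """'Sudo version 1.8.31p2' or '1.8.31p2' -> (1, 8, 31, 2); None if no version."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))

def version_is_vulnerable(text):
    # True/False for a parseable version string, None when none is found.
    v = parse_sudo_version(text)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)

# A crash of sudoedit reported by the kernel is a cheap after-the-fact indicator
# of attempts against this bug; a host with no such line is not thereby clean.
SEGFAULT_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) kernel: .*\bsudoedit\[\d+\]: segfault\b")

def sudoedit_segfaults_by_host(log_lines):
    """Count sudoedit segfault lines per host, e.g. {'web01': 2, 'db02': 1}."""
    counts = defaultdict(int)
    for line in log_lines:
        m = SEGFAULT_RE.match(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)

# Constructed syslog sample for this example, not captured from a real host.
SAMPLE_LOG = [
    "Jan 27 10:14:01 web01 kernel: [12345.678901] sudoedit[4242]: segfault at 0 ip 00007f3a1c2b5d40 sp 00007ffd9e3b6c10 error 4 in libc-2.31.so[7f3a1c1e0000+178000]",
    "Jan 27 10:14:02 web01 kernel: [12346.001122] sudoedit[4243]: segfault at 0 ip 00007f3a1c2b5d40 sp 00007ffd9e3b6c10 error 4 in libc-2.31.so[7f3a1c1e0000+178000]",
    "Jan 27 10:15:30 db02 kernel: [99.123456] sudoedit[777]: segfault at 0 ip 00007f11aa0b5d40 sp 00007ffc12345670 error 4 in libc-2.31.so[7f11aa0e0000+178000]",
    "Jan 27 10:16:00 db02 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
]

if __name__ == "__main__":
    for v in ("Sudo version 1.8.31p2", "1.8.32", "1.9.5p1", "1.9.5p2"):
        print(v, "->", "affected" if version_is_vulnerable(v) else "not affected")
    print(sudoedit_segfaults_by_host(SAMPLE_LOG))
```

Feed `parse_sudo_version` the first line of `sudo -V` collected from each host, and `sudoedit_segfaults_by_host` the kernel facility of your syslog feed; the same two conditions map directly onto searches over the *nix logs this use case relies on.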

Next steps

These searches give you a proactive way to interrogate your servers and make a data-driven response to manage your threat surface. 

The content in this use case comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. These additional Splunk resources might help you understand and implement this specific use case:
