== Some thoughts on what _sudo_ emails to ignore and to not ignore

If you run a multi-user system with _sudo_ and your users are anything like ours, you will periodically get email alerts from _sudo_ about users trying to do things. In theory and in an ideal world all of these emails would be evidence of malign intent because, after all, they're all from unauthorized users trying to do things as root. In the real world this is not at all the case.

In practice we get a lot of email from _sudo_ about users trying to run things like, oh, '_easy-install PKG_' or '_apt-get install PKG_' or '_npm install PKG_'. You get the idea. Although we've never tracked down the users involved to quiz them about it, my assumption is that they've found some 'how to install X' guide on the web, the guide uses _sudo_ because it's focused on single-user machines (or machines where you're the administrator), and they are rationally following the guide. I can't expect that our users necessarily even know what _sudo_ is, and it's not as if _sudo_ gives you a big glaring warning about this when you run it; it just prompts you for a password (and then doesn't tell you why things didn't work, which of course leads users to think that they entered their password wrong and to try several times).

(We've gotten enough of these emails that we actually wrote a _sudo_ cover script that just tells people 'this won't work, please contact your [[point of contact CSDeptSupportModel]] for assistance'. It doesn't work all of the time for various reasons, but it really cuts down on the noise, and at least we're trying to be friendly.)

But [[every so often SecurityIncidentGrounding]] we get _sudo_ emails with commands that look far less innocent, commands like '_/bin/su -_'. I've now learned that _sudo_ attempts that don't look like they have a straightforward or innocent reason ought to be fully investigated.
I think we're going to be bothering users in the future for explanations even if there are no signs that their accounts have been compromised. What exactly are such commands? I'm not sure yet, but I'll probably start with anything that doesn't have an obvious explanation. We'll inevitably be refining our views of this as we talk to users and see why they wound up running somewhat innocent _sudo_ commands. Cynically, I expect to find that there are an awful lot of instructions out there on the web that have people doing remarkably alarming things through _sudo_.

(In [[our recent security incident SecurityIncidentGrounding]] the intruders immediately tried to do '_sudo /bin/su -_'. This is now an immediate 'drop everything and go digging' trigger for me; the odds appear very good that any account that tries to do this has been compromised.)
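The triage policy sketched above (treat the package-install attempts as noise, treat '_/bin/su -_' as a drop-everything trigger, and investigate anything else that has no obvious explanation) is easy to encode. The script below is an added example written for this page, not the cover script or any tooling from the original post. It parses records in the syslog-style format that _sudo_ writes (the same fields that appear in its alert mail: user, denial reason, TTY, PWD, USER and COMMAND); the sample log lines, the host and user names, and the two pattern lists are constructed assumptions for the example, and the pattern lists are the part you would grow over time as you learn which commands your own users innocently run.

```python
import re
from typing import Dict, Iterable, List

# One sudo syslog-style record per line.  A denied attempt carries a reason
# segment ("user NOT in sudoers", "command not allowed") before TTY=; an
# allowed command has no reason segment, so the group is optional.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+"
    r"(?:(?P<reason>[^;]+?)\s+;\s+)?"
    r"TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;\s+USER=(?P<runas>\S+)\s+;\s+"
    r"COMMAND=(?P<command>.*)$"
)

# Commands we have learned are almost always a user following a web guide.
# These three are the ones named in the post; extend the list as you learn more.
NOISE_PATTERNS = [re.compile(p) for p in (
    r"(^|/)apt-get install\b",
    r"(^|/)npm install\b",
    r"(^|/)easy[-_]install\b",
)]

# Commands that should be treated as a possible compromise right away.
# '/bin/su -' is the post's trigger; the pattern also catches plain 'su'.
URGENT_PATTERNS = [re.compile(p) for p in (
    r"(^|/)su(\s|$)",
)]


def classify(command: str) -> str:
    """Return 'urgent', 'noise' or 'investigate' for a denied sudo command."""
    # Urgent is checked first so a command that somehow matched both lists
    # still escalates rather than being filed as noise.
    if any(p.search(command) for p in URGENT_PATTERNS):
        return "urgent"
    if any(p.search(command) for p in NOISE_PATTERNS):
        return "noise"
    # Everything without an obvious innocent explanation gets a human look.
    return "investigate"


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse sudo records and attach a verdict to every denied attempt.

    Lines that are not sudo records, and sudo records for commands that were
    allowed (no denial reason), are skipped: sudo only mails about denials.
    """
    results = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m or m.group("reason") is None:
            continue
        results.append({
            "user": m.group("user"),
            "reason": m.group("reason"),
            "command": m.group("command"),
            "verdict": classify(m.group("command")),
        })
    return results


# Constructed sample records in sudo's syslog style (hosts, users and paths
# are made up for this example).
SAMPLE_LINES = [
    "Mar  3 10:11:12 apps0 sudo:    cks : user NOT in sudoers ; TTY=pts/0 ; "
    "PWD=/h/281/cks ; USER=root ; COMMAND=/usr/bin/apt-get install foo",
    "Mar  3 10:12:40 apps0 sudo:   jdoe : user NOT in sudoers ; TTY=pts/3 ; "
    "PWD=/h/100/jdoe ; USER=root ; COMMAND=/usr/bin/npm install express",
    "Mar  3 10:13:05 apps0 sudo:   jdoe : user NOT in sudoers ; TTY=pts/3 ; "
    "PWD=/h/100/jdoe ; USER=root ; COMMAND=/bin/su -",
    "Mar  3 10:15:59 apps0 sudo: asmith : command not allowed ; TTY=pts/1 ; "
    "PWD=/h/200/asmith ; USER=root ; COMMAND=/usr/sbin/useradd bob",
    # An allowed command: no reason segment, so it is not a denial and is skipped.
    "Mar  3 10:16:30 apps0 sudo:  admin : TTY=pts/2 ; PWD=/root ; USER=root ; "
    "COMMAND=/bin/ls /var/log",
    # Unrelated syslog traffic is ignored.
    "Mar  3 10:17:00 apps0 sshd[1234]: Accepted publickey for cks from 10.0.0.5",
]

if __name__ == "__main__":
    # Print the urgent ones first so they are the top of the morning's mail.
    order = {"urgent": 0, "investigate": 1, "noise": 2}
    for r in sorted(triage(SAMPLE_LINES), key=lambda r: order[r["verdict"]]):
        print(f"{r['verdict']:<11} {r['user']:<8} {r['command']}")
```

Run against a mail spool or `/var/log/auth.log`, the "noise" verdicts are what the cover script already handles for you, the "urgent" ones are the '_/bin/su -_' class, and the "investigate" bucket is the list of users you will be asking for explanations; moving a command from "investigate" to "noise" after one of those conversations is a one-line change to `NOISE_PATTERNS`.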