Detection Library
high · experimental · Linux · OCI · T1548.003
Linux Agent Invoking Sudo Or Su
Detects AI agent runtimes executing sudo or su to escalate privileges, a strong indicator that the agent is attempting to gain root access beyond its intended operational scope.
Updated Jan 10, 2025 · OCI AI Security Team
agentic-ai · privilege-escalation · sudo · identity-abuse · linux · oci · owasp-asi03
Problem Statement
AI agents should operate under the principle of least privilege and should never need to escalate to root. Sudo/su invocations from agent processes indicate the agent has been directed to perform privileged operations, potentially to install malware, read protected files, or disable security controls.
Sample Logs
{"timestamp":"2025-01-10T09:15:22Z","computer_name":"oci-worker-12","user":"agent_svc","image":"/usr/bin/sudo","command_line":"sudo bash -c 'cat /etc/shadow'","parent_image":"/usr/bin/python3"}
Required Fields
image
command_line
parent_image
user
computer_name
False Positives
- Legitimate infrastructure agents that need to run specific privileged commands as defined in a sudoers allowlist
Tuning Guidance
If sudo is required, restrict it to specific commands via sudoers NOPASSWD entries, and alert on any sudo invocation that falls outside the approved command list.
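Added example (not part of the original rule or of OCI's own detection content): the detection and the tuning step applied to process events that carry the required fields. The agent runtime prefixes and the approved command are assumptions for illustration; the first sample line is the page's log, and the other three are constructed.

```python
import json
import os
import shlex

# Assumptions: which parent interpreters host the agent, and the approved list.
AGENT_RUNTIME_PREFIXES = ("python", "node")
APPROVED_SUDO = {("/usr/bin/systemctl", "restart", "agent-worker")}  # hypothetical
REQUIRED = ("image", "command_line", "parent_image", "user", "computer_name")

def classify(event):
    """Return 'alert', 'allowlisted', 'incomplete', or None if the rule does not apply."""
    if any(not event.get(field) for field in REQUIRED):
        return "incomplete"  # cannot evaluate without every required field
    binary = os.path.basename(event["image"])
    parent = os.path.basename(event["parent_image"])
    if binary not in ("sudo", "su") or not parent.startswith(AGENT_RUNTIME_PREFIXES):
        return None
    if binary == "su":
        return "alert"  # su has no per-command policy like sudoers; never approved here
    try:
        argv = shlex.split(event["command_line"])
    except ValueError:
        return "alert"  # unparseable quoting is treated as outside the approved list
    # Exact argv match only: any sudo option (-u, -i, -s) or extra argument alerts.
    return "allowlisted" if tuple(argv[1:]) in APPROVED_SUDO else "alert"

# First line is the page's sample log; the remaining three are constructed.
SAMPLE_LOGS = """\
{"timestamp":"2025-01-10T09:15:22Z","computer_name":"oci-worker-12","user":"agent_svc","image":"/usr/bin/sudo","command_line":"sudo bash -c 'cat /etc/shadow'","parent_image":"/usr/bin/python3"}
{"timestamp":"2025-01-10T09:16:02Z","computer_name":"oci-worker-12","user":"agent_svc","image":"/usr/bin/sudo","command_line":"sudo /usr/bin/systemctl restart agent-worker","parent_image":"/usr/bin/python3"}
{"timestamp":"2025-01-10T09:17:40Z","computer_name":"oci-worker-13","user":"agent_svc","image":"/usr/bin/su","command_line":"su -","parent_image":"/usr/bin/node"}
{"timestamp":"2025-01-10T09:18:11Z","computer_name":"oci-worker-13","user":"admin","image":"/usr/bin/sudo","command_line":"sudo apt update","parent_image":"/usr/bin/bash"}
"""

def run(lines=SAMPLE_LOGS):
    """Classify each JSON log line and return the verdicts in order."""
    return [classify(json.loads(line)) for line in lines.splitlines() if line.strip()]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOGS.splitlines(), run()):
        event = json.loads(line)
        print(verdict, event["computer_name"], event["user"], event["command_line"])
```

Keep the approved list generated from the same source as the sudoers file so the two cannot drift apart.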