Hi Folks need some help figuring out a log event per the log events below. Both events seem similar yet event #1 was not allowed. Yet afew minutes later, the same command was allowed as shown by event #2. What am i missing here?
1. Privilege Escalation Failed u07c04 LinuxServer @ plup5066 1 Aug 5, 2016, 1:25:08 PM Privilege Escalation Failed 10.10.10.185 10.10.10.150 5 <33>Aug 5 13:25:08 plup5066 sudo: u07c04 : command not allowed ; TTY=pts/0 ; PWD=/home/u07c04 ; USER=root ; COMMAND=/bin/su -

2. Privilege Escalation Succeeded u07c04 LinuxServer @ plup5066 1 Aug 5, 2016, 1:28:32 PM Privilege Escalation Succeeded 10.10.10.185 10.10.10.150 4 <37>Aug 5 13:28:32 plup5066 sudo: u07c04 : TTY=pts/0 ; PWD=/home/u07c04 ; USER=root ; COMMAND=/bin/su -

Hi,
I deduce from your question that you didn't run that command? If so, then I think user u07c04 managed to run the command (sudo) su -, which means he has now root access.

To be frank, I'm not entirely certain that's what happenend but it might be from your excerpts above.
HTH
Upuetz

Hello-
What i do not understand is why the first event (#1) was deemed "command not allowed" yet a few minutes later, the same user run the same command on the same server and it was successful. That's my dilemma.

Maybe that user was able to change the sudoers file? Or the rights of /bin/su?
Both would be bad...