every sudo log is a violation

Bug #243693 reported by Gavin McCullagh
Affects: logcheck (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Unassigned | Milestone: (none listed)
Nominated for Dapper by Brian Smith
Nominated for Hardy by Brian Smith
Nominated for Intrepid by Brian Smith
Nominated for Jaunty by Brian Smith
Nominated for Karmic by Brian Smith

Bug Description

Binary package hint: logcheck

Since Hardy (apparently), these are the entries in /etc/logcheck/violations.d.server/sudo:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_[[:alnum:]]+\(sudo:[[:alnum:]]+\): .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: .*$

This means that we get an email from logcheck any time someone uses sudo. This may be suitable on Debian, I guess, but it's not suitable on an Ubuntu server, where sudo is the primary mode of administration.

I have no problem with failed authentication logs, but an entry for every single use of sudo is pretty inconvenient on an Ubuntu server, as that is normal behaviour.

Gavin McCullagh (gmccullagh) wrote :

Okay, that was a little hasty. I now think I understand a little better. The above filters are present to ensure that every sudo event is handled at the violations layer and not below that.

So, instead of changing these lines, can I suggest we add an extra entry to /etc/logcheck/violations.ignore.d/logcheck-sudo to match these:

Jun 27 16:02:18 cuimhne sudo: pam_unix(sudo:session): session opened for user root by gavinmc(uid=0)
Jun 27 16:02:18 cuimhne sudo: pam_unix(sudo:session): session closed for user root
Jun 27 16:03:41 cuimhne sudo: pam_unix(sudo:session): session opened for user root by gavinmc(uid=0)
Jun 27 16:03:41 cuimhne sudo: pam_unix(sudo:session): session closed for user root

Possibly these?

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session opened for user root by [[:alnum:]]+\(uid=0\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session closed for user root

Daniel Hahler (blueyed) wrote :

Karmic has the following rules in violations.ignore.d/logcheck-sudo:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$

Therefore I'm closing this as fix released.
Please re-open, if I misunderstood anything.
Thanks!

Changed in logcheck (Ubuntu):
importance: Undecided → Medium
status: New → Fix Released
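The script below is an added example, not part of this bug thread and not logcheck's own code. It replays the two stages that matter here with grep -E (the ERE dialect logcheck hands to egrep): the violations.d sudo rules quoted in the report select every sudo line, and a violations.ignore.d file then cancels the lines that should not be mailed. It runs both ignore files discussed above, Gavin's proposed root-only rules and the Karmic rules Daniel quoted, over a constructed log extract (the hostname and user names are taken from the report; the postgres session, the pam auth failure and the "incorrect password attempts" line are made up for the demonstration). It assumes GNU grep, because the rules use \w, which is a GNU extension; the tmp directory and file names are the script's own.

```shell
#!/bin/sh
# Added example: emulate logcheck's violations.d / violations.ignore.d
# stages for sudo with grep -E. Not logcheck's code; assumes GNU grep (\w).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# violations.d sudo rules exactly as quoted in the bug description
cat >"$WORK/violations" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_[[:alnum:]]+\(sudo:[[:alnum:]]+\): .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: .*$
EOF

# Gavin's proposed ignore rules: only sessions for root opened by uid 0
cat >"$WORK/ignore-proposed" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session opened for user root by [[:alnum:]]+\(uid=0\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session closed for user root
EOF

# Karmic's logcheck-sudo rules as quoted by Daniel: any pam module, any target user
cat >"$WORK/ignore-karmic" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$
EOF

# Constructed log extract (not a real capture): root and postgres sessions,
# one pam auth failure, one lockout line, and one non-sudo line as control.
cat >"$WORK/log" <<'EOF'
Jun 27 16:02:18 cuimhne sudo: pam_unix(sudo:session): session opened for user root by gavinmc(uid=0)
Jun 27 16:02:18 cuimhne sudo: pam_unix(sudo:session): session closed for user root
Jun 27 16:05:02 cuimhne sudo: pam_unix(sudo:session): session opened for user postgres by gavinmc(uid=0)
Jun 27 16:05:02 cuimhne sudo: pam_unix(sudo:session): session closed for user postgres
Jun 27 16:07:45 cuimhne sudo: pam_unix(sudo:auth): authentication failure; logname=gavinmc uid=1000 euid=0 tty=/dev/pts/0 ruser=gavinmc rhost=  user=gavinmc
Jun 27 16:07:49 cuimhne sudo:  gavinmc : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/gavinmc ; USER=root ; COMMAND=/bin/ls
Jun 27 16:08:00 cuimhne cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# mailed_lines IGNOREFILE
# Stage 1: keep lines matched by the violations rules.
# Stage 2: drop those matched by the given ignore file.
# The "|| true" keeps an empty result from aborting the script under set -e.
mailed_lines() {
    grep -E -f "$WORK/violations" "$WORK/log" | { grep -E -v -f "$1" || true; }
}

echo "== still reported with the proposed root-only ignore rules:"
mailed_lines "$WORK/ignore-proposed"
echo
echo "== still reported with the Karmic ignore rules:"
mailed_lines "$WORK/ignore-karmic"
```

With the proposed rules the postgres session open/close lines are still mailed, because those rules hard-code "user root" and "uid=0"; the Karmic rules suppress every pam session line regardless of target user or pam module. Both sets leave the pam authentication failure and the "3 incorrect password attempts" line in the report, which is the behaviour Gavin said he wanted to keep, and the cron line never enters the violations stage at all. Only the two rule sets quoted on this page are modelled; whatever else the installed logcheck-sudo file contains is outside the example.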