every sudo log is a violation
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| logcheck (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
Binary package hint: logcheck
Since hardy (apparently), these are the entries in /etc/logcheck/
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: \(pam_[
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_[[:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: .*$
This means that we get an email from logcheck any time someone used sudo. This may be suitable on Debian I guess, but it's not suitable on an Ubuntu server where sudo is the primary mode of administration.
I have no problem with failed authentication logs, but an entry for every single use of sudo is pretty inconvenient on an Ubuntu server as that is normal behaviour.
Okay, that was a little hasty. I now think I understand a little better. The above filters are present to ensure that every sudo event is handled at the violations layer and not below that.
So, instead of changing these lines, can I suggest we add an extra entry to /etc/logcheck/violations.ignore.d/logcheck-sudo to match these:
Jun 27 16:02:18 cuimhne sudo: pam_unix(sudo:session): session opened for user root by gavinmc(uid=0)
Jun 27 16:02:18 cuimhne sudo: pam_unix(sudo:session): session closed for user root
Jun 27 16:03:41 cuimhne sudo: pam_unix(sudo:session): session opened for user root by gavinmc(uid=0)
Jun 27 16:03:41 cuimhne sudo: pam_unix(sudo:session): session closed for user root
Possibly these?
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session opened for user root by [[:alnum:]]+\(uid=0\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session closed for user root
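To see what the two proposed ignore rules actually do, the following is an added example (not from the bug report and not part of the logcheck package) that runs them over the session lines quoted above with the same `egrep -v -f <rules>` mechanism logcheck uses, and prints what would still be reported. It assumes GNU grep (for `\w` in extended regexps); the failed-password line, the `web-deploy` user, the `$` anchors on the rules and the `widened_rules` variant are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report: run candidate logcheck ignore
# rules over sudo log lines the way logcheck does (egrep -v -f <rules>) and
# print the lines that would still be reported. Host name and user "gavinmc"
# are from the report; the failed-password line and user "web-deploy" are
# constructed for this example.

sample_log() {
  cat <<'EOF'
Jun 27 16:02:18 cuimhne sudo: pam_unix(sudo:session): session opened for user root by gavinmc(uid=0)
Jun 27 16:02:18 cuimhne sudo: pam_unix(sudo:session): session closed for user root
Jun 27 16:03:41 cuimhne sudo: pam_unix(sudo:session): session opened for user root by gavinmc(uid=0)
Jun 27 16:03:41 cuimhne sudo: pam_unix(sudo:session): session closed for user root
Jun 27 16:05:02 cuimhne sudo:  gavinmc : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/gavinmc ; USER=root ; COMMAND=/bin/ls
Jun 27 16:07:45 cuimhne sudo: pam_unix(sudo:session): session opened for user root by web-deploy(uid=0)
EOF
}

# The two rules proposed in the report, anchored with '$' so they cannot
# match a longer line, as they would sit in
# /etc/logcheck/violations.ignore.d/logcheck-sudo.
proposed_rules() {
  cat <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session opened for user root by [[:alnum:]]+\(uid=0\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session closed for user root$
EOF
}

# Same rules with the user field widened to the character class logcheck
# already uses for the host name, so users with '.', '_' or '-' are covered.
widened_rules() {
  cat <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session opened for user root by [._[:alnum:]-]+\(uid=0\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session closed for user root$
EOF
}

# Filter the sample log with one rules function ($1). Lines matching any
# ignore rule are dropped; whatever is printed is what logcheck would mail.
# grep exits 1 when nothing is left, which is not an error here.
remaining_with() {
  rules_file=$(mktemp)
  "$1" > "$rules_file"
  sample_log | grep -E -v -f "$rules_file" || true
  rm -f "$rules_file"
}

# Number of lines that would still be reported with rules function $1.
count_remaining() {
  remaining_with "$1" | wc -l | tr -d ' '
}

echo "## still reported with the proposed rules:"
remaining_with proposed_rules
echo "## still reported with the widened user class:"
remaining_with widened_rules
```

With the rules as proposed, the four session lines from the report are dropped while the failed-password line is still reported, which is the behaviour the report asks for; the `web-deploy` session line also survives, because `[[:alnum:]]+` does not match usernames containing `.`, `_` or `-`, and only the widened variant ignores it. Anchoring the rules with `$` is worth keeping regardless: without it, an ignore rule silently also covers any longer line that happens to start the same way.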