Recipe 5.16 Listing sudo Invocations

5.16.1 Problem

See a report of all unauthorized sudo attempts.

5.16.2 Solution

Use logwatch: [Recipe 9.36]

    # logwatch --print --service sudo --range all
    smith => root
    -------------
    /usr/bin/passwd root
    /bin/rm -f /etc/group
    /bin/chmod 4755 /bin/sh

5.16.3 Discussion

If logwatch complains that the script /etc/log.d/scripts/services/sudo cannot be found, upgrade logwatch to the latest version.

You could also view the log entries directly without logwatch, extracting the relevant information from /var/log/secure:

    #!/bin/sh
    LOGFILE=/var/log/secure
    echo 'Unauthorized sudo attempts:'
    # Select the denied invocations, then reduce each line to
    # "user (target user): command".
    grep -E 'sudo: .* : command not allowed' "$LOGFILE" \
      | sed 's/^.* sudo: \([^ ][^ ]*\) .* ; USER=\([^ ][^ ]*\) ; COMMAND=\(.*\)$/\1 (\2): \3/'

Output:

    Unauthorized sudo attempts:
    smith (root): /usr/bin/passwd root
    smith (root): /bin/rm -f /etc/group
    smith (root): /bin/chmod 4755 /bin/sh

5.16.4 See Also

logwatch(8). The logwatch home page is http://www.logwatch.org.
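The direct log extraction from the Discussion can also be grouped the way the logwatch report is. The script below is an added example, not code from the original recipe: it groups denied attempts by "invoking user => target user" with a count per command. It goes beyond the recipe by also matching sudo's "user NOT in sudoers" denials and by tolerating a padded user name or a "sudo[pid]:" tag. It assumes the traditional syslog layout (month, day, time, host, tag). The function names and sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original recipe): group denied sudo attempts
# by "invoking user => target user" with a count per command.

# Constructed sample input in the /var/log/secure format shown above.
sample_log() {
cat <<'EOF'
Jun  3 10:14:02 host1 sudo: smith : command not allowed ; TTY=pts/1 ; PWD=/home/smith ; USER=root ; COMMAND=/usr/bin/passwd root
Jun  3 10:14:40 host1 sudo: smith : command not allowed ; TTY=pts/1 ; PWD=/home/smith ; USER=root ; COMMAND=/bin/rm -f /etc/group
Jun  3 10:15:09 host1 sudo: smith : command not allowed ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/passwd root
Jun  3 10:20:31 host1 sudo: jones : TTY=pts/2 ; PWD=/home/jones ; USER=root ; COMMAND=/bin/ls /root
Jun  3 10:22:17 host1 sudo:    guest : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/chmod 4755 /bin/sh
EOF
}

# Reads syslog lines on stdin, writes the grouped report on stdout.
sudo_denied_report() {
    awk '
    # Field 5 is the syslog tag, field 6 the invoking user (padding collapses).
    $5 ~ /^sudo(\[[0-9]+\])?:$/ && $7 == ":" &&
    /: (command not allowed|user NOT in sudoers) ; / {
        u = index($0, " ; USER=")       # first USER= field
        c = index($0, " ; COMMAND=")    # first COMMAND= field
        if (u == 0 || c < u) next       # malformed line: skip
        print $6 " => " substr($0, u + 8, c - u - 8) "\t" substr($0, c + 11)
    }' |
    LC_ALL=C sort | uniq -c |
    awk '{
        n = $1                          # count added by uniq -c
        sub(/^ *[0-9]+ /, "")           # leaves "pair<TAB>command"
        t = index($0, "\t")
        pair = substr($0, 1, t - 1)
        if (pair != last) { print pair; last = pair }
        printf "  %d  %s\n", n, substr($0, t + 1)
    }'
}

sample_log | sudo_denied_report
```

To run it against a live system, replace the last line with: sudo_denied_report < /var/log/secure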