June 2003
Intermediate to advanced
336 pages
8h 54m
English
Content preview from Linux Security CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
5.16. Listing sudo Invocations
Problem
See a report of all unauthorized sudo attempts.
Solution
Use logwatch: [Recipe 9.36]
# logwatch --print --service sudo --range all smith => root ------------- /usr/bin/passwd root /bin/rm -f /etc/group /bin/chmod 4755 /bin/sh
Discussion
If logwatch complains that the script /etc/log.d/scripts/services/sudo cannot be found, upgrade logwatch to the latest version.
You could also view the log entries directly without logwatch, extracting the relevant information from /var/log/secure :
#!/bin/sh
LOGFILE=/var/log/secure
echo 'Unauthorized sudo attempts:'
egrep 'sudo: .* : command not allowed' $LOGFILE \
| sed 's/^.* sudo: \([^ ][^ ]*\) .* ; USER=\([^ ][^ ]*\) ; COMMAND=\(.*\)$/\1 (\2): \3/'Output:
Unauthorized sudo attempts: smith (root): /usr/bin/passwd root smith (root): /bin/rm -f /etc/group smith (root): /bin/chmod 4755 /bin/sh
See Also
logwatch(8). The logwatch home page is http://www.logwatch.org.