Recipe 5.16 Listing sudo Invocations

Previous page
Table of content
Next page

5.16.1 Problem

See a report of all unauthorized sudo attempts.

5.16.2 Solution

Use logwatch: [Recipe 9.36]

# logwatch --print --service sudo --range all smith => root ------------- /usr/bin/passwd root /bin/rm -f /etc/group /bin/chmod 4755 /bin/sh

5.16.3 Discussion

If logwatch complains that the script /etc/log.d/scripts/services/sudo cannot be found, upgrade logwatch to the latest version.

You could also view the log entries directly without logwatch, extracting the relevant information from /var/log/secure:

#!/bin/sh LOGFILE=/var/log/secure echo 'Unauthorized sudo attempts:' egrep 'sudo: .* : command not allowed' $LOGFILE \      | sed 's/^.* sudo: \([^ ][^ ]*\) .* ; USER=\([^ ][^ ]*\) ; COMMAND=\(.*\)$/\1 (\2): \3/'

Output:

Unauthorized sudo attempts: smith (root): /usr/bin/passwd root smith (root): /bin/rm -f /etc/group smith (root): /bin/chmod 4755 /bin/sh

5.16.4 See Also

logwatch(8). The logwatch home page is http://www.logwatch.org.

Previous page
Table of content
Next page
Linux Security Cookbook
Linux Security Cookbook
ISBN: 0596003919
EAN: 2147483647
Year: 2006
Pages: 247
Authors: Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
BUY ON AMAZON
Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project
A+ Fast Pass
The CISSP and CAP Prep Guide: Platinum Edition
Oracle Developer Forms Techniques
Special Edition Using Crystal Reports 10
Microsoft Office Visio 2007 Step by Step (Step By Step (Microsoft))
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy