Bug#182992: [Logcheck-devel] Bug#182992: logcheck-sudo rule still buggy

maks attems debian at sternwelten.at
Sat Jun 12 10:32:05 UTC 2004


On Fri, 11 Jun 2004, Marcin Owsiany wrote:

> The following rule:
> 
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: [ \t]* [_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$
> 
> should read:
> 
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[ \t]+[_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$

thanks for the white space fixes, tested and committed to logcheck cvs.
 
..
> Another thing which I don't understand is why successful sudo usage (by
> user authorized to do so) is regarded security violation at all, unless
> the command is in /(usr|etc|bin|sbin).
> 
> It looks as if there is some kind of assumption that commands installed
> in /(usr|etc|bin|sbin) are somehow "safer" than for example stuff in
> user's $HOME. I don't think assumption is justified.
> 
> Why not just drop that bit and make it "COMMAND=.*$" ?

you might want to do that in a rule in local-sudoj
anyway why should one issue a sudo for an executable in its $HOME?
i find the above rule a good compromise between annoying logcheck users
with all sudo commands and the desire of auditing sudo commands.
please tailor it on your site to your own policy.

best regards 
maks
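Added example (not from the thread or the logcheck project): the corrected rule above, run over constructed syslog lines with the same egrep semantics logcheck uses (grep -E -f rulefile), to show which sudo lines the ignore rule swallows and which still get reported. Host name "gw" and the user names are made up.

```shell
#!/bin/sh
# Exercise the corrected logcheck sudo ignore rule from the thread.
# Semantics: logcheck drops every line that matches an ignore rule and
# reports the rest, so we emulate that with grep -E -v -f.

RULEFILE=$(mktemp)
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$RULEFILE" "$SAMPLE_LOG"' EXIT

# The corrected rule exactly as posted (one extended regex per line).
cat > "$RULEFILE" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[ \t]+[_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$
EOF

# Constructed sample lines (not real logs): two successful sudo runs of
# commands under /usr and /bin, one successful run of a script in $HOME,
# and one refused attempt by a user who is not in sudoers.
cat > "$SAMPLE_LOG" <<'EOF'
Jun 12 10:32:05 gw sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Jun 12 10:33:10 gw sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/home/alice/bin/backup.sh
Jun 12 10:34:00 gw sudo:      bob : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /root
Jun 12 10:35:00 gw sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/sh
EOF

# Lines logcheck would still report: everything the ignore rule does NOT match.
reported_lines() {
    grep -E -v -f "$RULEFILE" "$SAMPLE_LOG"
}

# Number of reported lines, handy for scripted checks of a rule change.
reported_count() {
    reported_lines | wc -l | tr -d ' '
}

# Expected: the $HOME script and the refused attempt are reported (2 lines);
# the two runs of commands under /usr and /bin are silently ignored.
reported_lines
```

Swapping the rule file for a local variant (for example the "COMMAND=.*$" version discussed above) and re-running shows exactly which of the sample lines that change would hide.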


