[Logcheck-devel] sudo violations

maks attems debian at sternwelten.at
Fri May 14 12:32:21 UTC 2004


hello,

currently any sudo command *) is reported as a violation;
our users don't seem to appreciate this default much.
that results in open bugs: #182992, #192192.

found the following ignore rule that seems quite good,
already using it locally and would like to merge:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: +[_[:alnum:]-]+ : TTY=pts/[0-9]+ ; PWD=[^ ]+ ; USER=root ; COMMAND=/(usr|etc|bin|sbin)/.*$

for sure it would be nice to just ignore some of your users above,
but anyhow perhaps that would be better done with /etc/sudoers.

so normal sudo operation wouldn't be reported but a
$ sudo /var/tmp/adore
would be.

please comment if the above rule is too strict or not strict enough!?
or wave hands that _any_ sudo command should be reported.
a++ maks



*) well, we currently ignore commands without any space, like
$ sudo less
that seems quite useless.
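An added example, not part of the mail, that runs the proposed rule through grep -E (the egrep-style matching logcheck applies) against constructed syslog lines: a normal sudo invocation is dropped, while the /var/tmp/adore case and a non-root target user are still reported.

```shell
#!/bin/sh
# Added example (not from the original mail): exercise the proposed logcheck
# ignore rule with GNU grep -E. Sample syslog lines are constructed.

# The rule as proposed, with the [:alnum:] class name spelled out correctly.
SUDO_IGNORE_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: +[_[:alnum:]-]+ : TTY=pts/[0-9]+ ; PWD=[^ ]+ ; USER=root ; COMMAND=/(usr|etc|bin|sbin)/.*$'

# Exit 0 when the line matches the ignore rule (logcheck would drop it),
# 1 when it would still be reported as a violation.
sudo_line_ignored() {
    printf '%s\n' "$1" | grep -E -q -e "$SUDO_IGNORE_RULE"
}

# Constructed sample lines in the syslog format sudo produces.
NORMAL='May 14 12:32:21 myhost sudo:   maks : TTY=pts/3 ; PWD=/home/maks ; USER=root ; COMMAND=/usr/bin/apt-get update'
SUSPECT='May 14 12:33:02 myhost sudo:   maks : TTY=pts/3 ; PWD=/home/maks ; USER=root ; COMMAND=/var/tmp/adore'
NOT_ROOT='May 14 12:34:10 myhost sudo:   maks : TTY=pts/3 ; PWD=/home/maks ; USER=www-data ; COMMAND=/bin/ls'

# Print a verdict for each sample: "ignored" means the rule swallowed it,
# "REPORTED" means logcheck would still flag it.
demo() {
    for line in "$NORMAL" "$SUSPECT" "$NOT_ROOT"; do
        if sudo_line_ignored "$line"; then
            echo "ignored : $line"
        else
            echo "REPORTED: $line"
        fi
    done
}
```

Note that the rule only ignores commands under /usr, /etc, /bin and /sbin run as root; anything under /var, /tmp or a home directory, or a non-root target user, still shows up in the report.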

