Bug#316167: [Logcheck-devel] Bug#316167: logcheck-database: ignore on sudo doesn't belong in violations.ignore.d
Stephen Gran
sgran at debian.org
Sat Jul 2 13:04:38 UTC 2005
This one time, at band camp, maximilian attems said:
> hello stephen,
>
> On Tue, 28 Jun 2005, Stephen Gran wrote:
>
> > I would like to be able to selectively ignore sudo on some systems
> > and not on others without being forced to just rm a conffile. The file
> > /etc/logcheck/violations.ignore.d/logcheck-sudo (ISTM) is better placed
> > in /etc/logcheck/ignore.d.server. That way, a paranoid installation
> > would still see them, but a normal one wouldn't have to.
>
> no it can't be placed there below, as security events don't have the
> three level filtering.
Is that not changeable? I honestly don't know, not having looked at the
code for logcheck. I would have thought that sudo was an expected thing
on a multi admin machine, and not on (say) a single user desktop. So
that is why I was thinking it made sense in a different report level.
> easier than removing would be for your side to change its regex so
> that it doesn't match any more sudo log lines.
> because otherwise you'll have to redo that on each upgrade.
> and so you'll get asked if you want to revert your change.
dpkg should respect the absence of a conffile as well, I would hope. It
is supposed to.
> this rule was added through popular request (see changelog for bug nr).
> if you give some of your users sudo access take care what you give them.
I see several bugs relating to regex problems in the sudo ignore, but
not about the placement of the sudo ignore.
> i'll wait for a response from your side, but i see not much chance
> to changing that.
If the report level for sudo is wrong (which it doesn't seem to be - it
seems to be forced there by the use of violations.d/sudo), then I guess
it is unfixable with my idea. If it could be reported as a system event
rather than a security event, I would love to see it moved.
Thanks,
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran at debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
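
The layering discussed in this thread, as an added example that is not part of the original message or logcheck's own code: a simplified Python model in which the patterns, the sample log line and the helper names are constructed. It shows that moving the sudo ignore to ignore.d.server alone leaves sudo lines reported as security events at every level, because violations.d still matches them.

```python
import re

# Constructed, simplified patterns; not the rules shipped in logcheck-database.
SUDO_IGNORE = r"sudo: +\w+ : TTY=\S+ ; PWD=\S+ ; USER=\S+ ; COMMAND="
RULES = {
    "violations.d": [r"sudo: "],            # stands in for violations.d/sudo
    "violations.ignore.d": [SUDO_IGNORE],   # where logcheck-sudo lives today
    "ignore.d.paranoid": [],
    "ignore.d.server": [r"CRON\[\d+\]: "],
    "ignore.d.workstation": [],
}
LEVELS = ["paranoid", "server", "workstation"]  # each level adds to the previous ones

def classify(line, level, rules=RULES):
    """Return 'security', 'system', or None when the line is ignored."""
    def hit(dirname):
        return any(re.search(p, line) for p in rules[dirname])
    if hit("violations.d"):
        # Security event: only violations.ignore.d applies, whatever the level.
        return None if hit("violations.ignore.d") else "security"
    # System event: ignore.d.<level> plus the stricter levels before it.
    for lvl in LEVELS[:LEVELS.index(level) + 1]:
        if hit("ignore.d." + lvl):
            return None
    return "system"

def with_rule_moved(rules, drop_violation=False):
    """Move the sudo ignore to ignore.d.server; optionally drop violations.d/sudo too."""
    new = {name: list(patterns) for name, patterns in rules.items()}
    new["violations.ignore.d"].remove(SUDO_IGNORE)
    new["ignore.d.server"].append(SUDO_IGNORE)
    if drop_violation:
        new["violations.d"] = []
    return new

# Constructed sample log line.
SUDO_LINE = ("Jul  2 13:00:01 host sudo:    alice : TTY=pts/0 ; "
             "PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update")

def report(rules):
    """Classification of the sudo line at each report level."""
    return {lvl: classify(SUDO_LINE, lvl, rules) for lvl in LEVELS}

if __name__ == "__main__":
    print("current placement :", report(RULES))
    print("ignore rule moved :", report(with_rule_moved(RULES)))
    print("violation dropped :", report(with_rule_moved(RULES, drop_violation=True)))
```

Only the third case gives the per-level behaviour asked for in the message: visible as a system event at paranoid, ignored at server and workstation.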