tags 290195 pending
thanks

On Thu, 13 Jan 2005, Geoff Crompton wrote:
> It seems when someone runs a sudo command on my system, logcheck misses
> it.
> The second line of /etc/logcheck/violations.d/sudo matches them, but
> the /etc/logcheck/violations.ignore.d/logcheck-sudo kills them.

before, logcheck reported all sudo uses; now out of the box we don't report
if he uses cmds out of /bin, /sbin or /usr/{,s}bin. it is left up to the
admin to fine-tune that rule in order to match his needs.

> Furthermore, when users run commands like '$ sudo rm *' in a directory
> with lots of files, it reports with lines like:
> Jan 13 09:42:34 localhost sudo: root : (command continued)
> ./munin/munin-node.log.2.gz ./munin/munin-node.log.1.gz
>
> Can this be changed to one of the following scenarios:
> a) sudo command is reported, and the (command continued) lines are also.
> b) sudo command is reported, but (command continued) lines are not.
> c) neither sudo command is reported, nor the (command continued) lines.

ok thanks, hadn't seen that logline yet. the continued lines will be ignored.

> I've included a rule to ignore the command continued:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: +\w+ : \(command continued\).*$

good, but users may have '_-' in their usernames, spaces.. what about that:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:]-]+ : \(command continued\).*$

added to current logcheck cvs. thanks for your feedback.

-- 
maks
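The difference between the two ignore rules above can be checked directly with grep, which is what logcheck uses to apply its rule files. The script below is an added example and is not part of the thread or of the logcheck package; it assumes GNU grep (for `\w` in extended regexes) and feeds both rules a few constructed sudo log lines, including usernames with a hyphen and an underscore, to count how many "command continued" lines each rule would suppress and which lines would still be reported.

```shell
#!/bin/sh
# Added example (not from the original thread): compare the two proposed
# logcheck ignore rules for sudo "(command continued)" lines.
# Assumes GNU grep so that \w and POSIX classes work with -E.

# Rule as posted by the bug reporter.
ORIG_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: +\w+ : \(command continued\).*$'
# Rule as revised by the maintainer (allows '_' and '-' in usernames).
NEW_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:]-]+ : \(command continued\).*$'

# Constructed sample log lines. The first is the one quoted in the bug
# report; the others use invented usernames containing '-' and '_', plus
# one ordinary sudo line that no ignore rule should swallow.
SAMPLE_LOG='Jan 13 09:42:34 localhost sudo: root : (command continued) ./munin/munin-node.log.2.gz ./munin/munin-node.log.1.gz
Jan 13 09:42:35 localhost sudo: web-admin : (command continued) ./foo.log ./bar.log
Jan 13 09:42:36 localhost sudo: build_user : (command continued) ./baz.log
Jan 13 09:43:00 localhost sudo: root : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/rm ./munin/munin-node.log.2.gz'

# count_ignored RULE
# Prints the number of sample lines RULE would suppress. grep -c exits 1
# when the count is 0, so "|| true" keeps the function usable under set -e.
count_ignored() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -c -- "$1" || true
}

# remaining_lines RULE
# Prints the sample lines that RULE does NOT match, i.e. what logcheck
# would still report after applying the ignore rule.
remaining_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -- "$1" || true
}

# Stand-alone run: show what each rule leaves behind.
if [ "${1:-}" = "demo" ]; then
    echo "original rule ignores $(count_ignored "$ORIG_RULE") line(s); still reported:"
    remaining_lines "$ORIG_RULE"
    echo
    echo "revised rule ignores $(count_ignored "$NEW_RULE") line(s); still reported:"
    remaining_lines "$NEW_RULE"
fi
```

Run it as `sh check-sudo-rules.sh demo`. With GNU grep, `\w` already covers `_`, so the original rule only drops the hyphenated `web-admin` line; the revised rule suppresses all three continuation lines while the plain `COMMAND=` line is still reported under both, which is the behaviour an admin tuning these rule files would want to confirm before deploying them.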