Package: logcheck-database
Version: 1.3.23
Severity: wishlist

This line is wrong in sudo 1.9.4+ (Debian 11+):

    
https://salsa.debian.org/debian/logcheck/-/blob/master/rulefiles/linux/violations.ignore.d/logcheck-sudo#L2

    ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+( ; GROUP=[._[:alnum:]-]+)? ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$

For example, this real-world log event (compare "ssh X sudo Y" and "ssh X -t
sudo Y", I think):

    2022-11-23T03:27:25.170510+11:00 obese sudo: zfs-receive : PWD=/etc/zfs-receive ; USER=root ; COMMAND=/sbin/zfs receive -F -o mountpoint=/srv/backup/light -o canmount=noauto -o readonly=on obese/light

To fix the regexp, *AT LEAST* this change is needed (making TTY= optional):

    -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : 
TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; 
USER=[._[:alnum:]-]+( ; GROUP=[._[:alnum:]-]+)? ; 
COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
    +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : 
(TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; )?PWD=[^;]+ ; 
USER=[._[:alnum:]-]+( ; GROUP=[._[:alnum:]-]+)? ; 
COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
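
Review bot: making TTY= optional is not enough for the quoted event to be ignored: that line begins with an RFC 3339 timestamp (`2022-11-23T03:27:25.170510+11:00`), and the unchanged `^\w{3} [ :0-9]{11} ` prefix only matches the traditional `Nov 23 03:27:25` form, so both the old and the new rule fail on the timestamp before TTY= is even considered. Either the prefix needs an alternative for that timestamp format, or the test case should be a line from a syslog using traditional timestamps.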

However, if you look at the actual source code:

    
https://github.com/sudo-project/sudo/blob/SUDO_1_9_5p2/lib/eventlog/eventlog.c#L60-L68
    
https://github.com/sudo-project/sudo/blob/SUDO_1_9_5p2/lib/eventlog/eventlog.c#L204-L284

You can see that ALL these fields are only included if they are actually set 
("if (details->⋯ != NULL)").

At which point we might as well have something like this:

    -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : 
TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; 
USER=[._[:alnum:]-]+( ; GROUP=[._[:alnum:]-]+)? ; 
COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
    +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : 
((HOST|TTY|CHROOT|PWD|USER|GROUP|ENV|TSID)=[^ ;]+ ; 
)?COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
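
Review bot: the new `((HOST|TTY|...)=[^ ;]+ ; )?` group is optional but not repeated, so it admits at most one field before `COMMAND=`; the quoted event carries `PWD=` and `USER=`, and an ordinary interactive sudo carries `TTY=`, `PWD=` and `USER=`, so neither would match this rule. Change `)?` to `)*` so any number of fields may precede `COMMAND=` (the same applies to the EXIT/SIGNAL variant below). Note also that `[^ ;]+` stops at the first space whereas the old `PWD=[^;]+` allowed one, so a working directory containing a space would no longer be ignored, and the old per-field character classes are gone, so this rule in violations.ignore.d suppresses a broader set of sudo lines than before; that trade-off is worth stating when the change is proposed.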

What do you think?

Note that if you want to target Debian 12+, you need to handle 2 more fields, 
"EXIT" and "SIGNAL":

    -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : 
TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; 
USER=[._[:alnum:]-]+( ; GROUP=[._[:alnum:]-]+)? ; 
COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
    +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : 
((HOST|TTY|CHROOT|PWD|USER|GROUP|ENV|TSID|EXIT|SIGNAL)=[^ ;]+ ; 
)?COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$

PS: another trivial way to confuse existing logcheck is this (missing "ENV="):

        sudo     HOME=/nonexistent id      # logcheck considers this a "Security Event"
        sudo env HOME=/nonexistent id      # logcheck considers this harmless

-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.18.0-0.deb11.4-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
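
An added offline check of the rules discussed above (example code, not part of the bug report or of logcheck): it runs the current Debian rule and the report's generic proposal against constructed sample lines, translating grep -E's POSIX bracket classes for Python's re module, and also tries the proposal with its field group repeated (`)*` instead of `)?`) so that several fields may precede COMMAND=.

```python
import re

# Rules as grep -E reads them (POSIX bracket classes).  ORIGINAL_RULE is the
# current Debian logcheck-sudo line; GENERIC_RULE is the "any field" form
# proposed in the report; GENERIC_RULE_STAR is the same with ")?" changed
# to ")*" so any number of fields may precede COMMAND=.
PREFIX = r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : "
COMMAND = r"COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$"
ORIGINAL_RULE = (PREFIX + r"TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; "
                 r"USER=[._[:alnum:]-]+( ; GROUP=[._[:alnum:]-]+)? ; " + COMMAND)
GENERIC_RULE = PREFIX + r"((HOST|TTY|CHROOT|PWD|USER|GROUP|ENV|TSID)=[^ ;]+ ; )?" + COMMAND
GENERIC_RULE_STAR = GENERIC_RULE.replace(" ; )?COMMAND", " ; )*COMMAND")

# Python's re has no POSIX classes; these ASCII equivalents match grep -E's.
POSIX_CLASSES = {"[:alnum:]": "a-zA-Z0-9", "[:digit:]": "0-9", "[:space:]": r"\s"}


def compile_egrep(rule):
    """Compile a grep -E rule after substituting the POSIX bracket classes."""
    for posix, python in POSIX_CLASSES.items():
        rule = rule.replace(posix, python)
    return re.compile(rule, re.ASCII)


def is_ignored(rule, line):
    """True if logcheck would drop the line under this ignore rule."""
    return compile_egrep(rule).search(line) is not None


# Constructed sample lines using the "Mon DD HH:MM:SS" prefix the rules
# expect: an interactive sudo, the report's TTY-less "ssh host sudo" case,
# and the PS's "sudo HOME=/nonexistent id" case that adds an ENV= field.
SAMPLES = {
    "tty":   "Nov 23 03:27:25 obese sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id",
    "notty": "Nov 23 03:27:25 obese sudo: zfs-receive : PWD=/etc/zfs-receive ; USER=root ; COMMAND=/sbin/zfs receive -F obese/light",
    "env":   "Nov 23 03:27:25 obese sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; ENV=HOME=/nonexistent ; COMMAND=/usr/bin/id",
}


def evaluate():
    """Map each sample to which rule variants would ignore it."""
    return {name: {"original": is_ignored(ORIGINAL_RULE, line),
                   "generic?": is_ignored(GENERIC_RULE, line),
                   "generic*": is_ignored(GENERIC_RULE_STAR, line)}
            for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

Only the repeated-group variant ignores all three lines; the single optional group never matches, because every real sudo line carries at least two fields before COMMAND=.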
