This incident will be reported

sulekha · 11-14-2008, 02:20 PM

Hi all,

whenever an user who is not in /etc/sudoers file issues the sudo command
we will get the following message

" .... is not in the sudoers file. This incident will be reported"

now my question is where does this reporting take place ?

from which file an administrator can know who all tinkered with sudo command ?

Is it /var/log/auth.log file ?

indienick · 11-14-2008, 04:49 PM

It might be - it might also be sent to /var/mail/root.

colucix · 11-14-2008, 05:13 PM

From the sudo man page:

Code:

If a user who is not listed in the sudoers file tries to run a command via sudo, mail is sent to
the proper authorities, as defined at configure time or in the sudoers file (defaults to root).
Note that the mail will not be sent if an unauthorized user tries to run sudo with the -l or -v
flags.  This allows users to determine for themselves whether or not they are allowed to use sudo.

The log file is usually auth.log, as you already stated. You can see some entry like this:

Code:

Nov 14 21:09:58 localhost sudo:    pippo : user NOT in sudoers ; TTY=pts/1 ; PWD =/home/pippo ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd

sulekha · 11-15-2008, 06:47 AM

Quote:

Originally Posted by indienick

It might be - it might also be sent to /var/mail/root.

I tried this: zodiac@ubuntu:~$ cat /var/mail/root

cat: /var/mail/root: No such file or directory

NB: I use ubuntu hardy

repo · 11-15-2008, 07:31 AM

Quote:

I tried this: zodiac@ubuntu:~$ cat /var/mail/root
cat: /var/mail/root: No such file or directory

AFAIK in ubuntu the mail for root is forwarded to a user
This is set in /etc/aliases
You can install logcheck to recieve email allerts when something happens on your system.