[Logcheck-devel] Bug#182992: logcheck-sudo rule still buggy

Marcin Owsiany porridge at debian.org
Fri Jun 11 16:43:06 UTC 2004


Package: logcheck-database
Version: 1.2.22a
Severity: normal
Followup-For: Bug #182992

The following rule:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: [ \t]* [_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$

should read:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[ \t]+[_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$

Otherwise it does not match messages such as:

Jun 11 18:21:29 melina sudo: porridge : TTY=pts/5 ; PWD=/usr/share/doc/logcheck ; USER=root ; COMMAND=/usr/sbin/logcheck

(note there is only a single whitespace character between "sudo:" and "porridge")

Another thing which I don't understand is why successful sudo usage (by a
user authorized to do so) is regarded as a security violation at all, unless
the command is in /(usr|etc|bin|sbin).

It looks as if there is some kind of assumption that commands installed
in /(usr|etc|bin|sbin) are somehow "safer" than, for example, stuff in a
user's $HOME. I don't think that assumption is justified.

Why not just drop that bit and make it "COMMAND=.*$" ?

Marcin

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.4.24-1-k7
Locale: LANG=pl_PL, LC_CTYPE=pl_PL

Versions of packages logcheck-database depends on:
ii  debconf [debconf-2.0]         1.4.28     Debian configuration management sy

-- debconf information:
  logcheck-database/conffile-cleanup: false
* logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:
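The following script is an added example and not part of the bug report or of logcheck itself. It feeds the two rules quoted above (plus the broadened "COMMAND=.*$" variant proposed in the report) through grep -E, which is what logcheck's egrep-based ignore rules are evaluated with, against two constructed sudo log lines: the one quoted in the report and a hypothetical run of a script under a user's $HOME. The verdict helper prints "suppressed" where a rule would make logcheck drop the line and "reported" where the line would still be mailed out.

```shell
#!/bin/sh
# Added example (not from the bug report): compare how the original,
# corrected and broadened logcheck-sudo rules classify sudo log lines.
# logcheck hands its ignore rules to egrep, so grep -E reproduces its verdict.

# Original (buggy) rule as quoted in the report: needs two spaces after "sudo:"
OLD_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: [ \t]* [_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$'
# Corrected rule from the report: one or more whitespace characters after "sudo:"
NEW_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[ \t]+[_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$'
# Broadened variant the report asks about: same rule with the path restriction dropped
ANY_PATH_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[ \t]+[_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=.*$'

# rule_matches RULE LINE: exit 0 when RULE matches LINE (logcheck would ignore it), 1 otherwise
rule_matches() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

# verdict RULE LINE: print "suppressed" or "reported" for LINE under RULE
verdict() {
    if rule_matches "$1" "$2"; then
        echo suppressed
    else
        echo reported
    fi
}

# Constructed sample lines: the first is the one quoted in the report,
# the second is a hypothetical sudo run of a script outside the system directories
SYS_CMD='Jun 11 18:21:29 melina sudo: porridge : TTY=pts/5 ; PWD=/usr/share/doc/logcheck ; USER=root ; COMMAND=/usr/sbin/logcheck'
HOME_CMD='Jun 11 18:25:02 melina sudo: porridge : TTY=pts/5 ; PWD=/home/porridge ; USER=root ; COMMAND=/home/porridge/bin/backup.sh'

# Show the verdict of every rule for both lines
for rule_name in OLD_RULE NEW_RULE ANY_PATH_RULE; do
    eval "rule=\$$rule_name"
    printf '%-14s system command: %s, home command: %s\n' \
        "$rule_name" "$(verdict "$rule" "$SYS_CMD")" "$(verdict "$rule" "$HOME_CMD")"
done
```

Running it shows the defect the report describes: OLD_RULE reports even the plain /usr/sbin/logcheck line, because "sudo: [ \t]* " can only match when at least two spaces follow "sudo:". NEW_RULE suppresses that line but still reports the $HOME command, and ANY_PATH_RULE suppresses both, so dropping the path restriction means sudo invocations of commands from arbitrary locations no longer reach the logcheck report.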