Bug#290195: [Logcheck-devel] Bug#290195: violations.d/sudo and violations.ignore.d/logcheck-sudo missing sudo log entries

maximilian attems debian at sternwelten.at
Thu Jan 13 09:38:27 UTC 2005


tags 290195 pending
thanks

On Thu, 13 Jan 2005, Geoff Crompton wrote:

> It seems when someone runs a sudo command on my system, logcheck misses
> it.
> The second line of /etc/logcheck/violations.d/sudo matches them, but 
> the /etc/logcheck/violations.ignore.d/logcheck-sudo kills them.

before logcheck reported all sudo uses,
now out of the box we don't report if he uses cmds out of /bin, /sbin
or /usr/{,s}bin

it is left up to the admin to fine-tune that rule,
in order to match his needs.
 
> Furthermore, when users run commands like '$ sudo rm *' in a directory
> with lots of files, we report with lines like:
> Jan 13 09:42:34 localhost sudo:     root : (command continued)
> ./munin/munin-node.log.2.gz ./munin/munin-node.log.1.gz
> 
> Can this be changed to one of the following scenarios:
> a) sudo command is reported, and the (command continued) lines are also.
> b) sudo command is reported, but (command continued) lines are not.
> c) neither sudo command is reported, nor the (command continued) lines.

ok thanks, hadn't seen that logline yet.
the continued lines will be ignored.
 
> I've included a rule to ignore the command continued:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: +\w+ : \(command continued\).*$
good, but users may have '_-' in their usernames, spaces..
what about that:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:]-]+ : \(command continued\).*$

added to current logcheck cvs.
thanks for your feedback.

--
maks
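An added example, not part of this thread or of the logcheck package, that replays the two ignore rules discussed above against constructed sudo log lines the way logcheck applies them (report a line that matches a violations.d rule unless a violations.ignore.d rule also matches). The catch-all violation rule is a stand-in assumption, not the package's real rule, and GNU grep is assumed for the `\w` escape the rules use.

```shell
#!/bin/sh
# Stand-in violation rule (assumption): flag every sudo line.
VIOLATION='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:'

# Geoff's proposed ignore rule: \w+ does not allow '-' in a user name.
IGNORE_GEOFF='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: +\w+ : \(command continued\).*$'

# maks's revised ignore rule: user name may contain '_' and '-'.
IGNORE_MAKS='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:]-]+ : \(command continued\).*$'

# logcheck_reports LINE IGNORE_RULE
# Prints "report" if LINE matches the violation rule and not the
# ignore rule, otherwise "ignore" (same logic as logcheck's egrep passes).
logcheck_reports() {
    line=$1
    ignore=$2
    if printf '%s\n' "$line" | grep -E -q -- "$VIOLATION" &&
       ! printf '%s\n' "$line" | grep -E -q -- "$ignore"; then
        echo report
    else
        echo ignore
    fi
}

# Constructed sample lines (the first is modelled on the one in the report).
CONT_ROOT='Jan 13 09:42:34 localhost sudo:     root : (command continued) ./munin/munin-node.log.2.gz'
CONT_DASH='Jan 13 09:42:34 localhost sudo: build-user : (command continued) ./munin/munin-node.log.1.gz'
CMD_LINE='Jan 13 09:42:30 localhost sudo:     root : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/rm ./munin/munin-node.log.2.gz'

demo() {
    for rule in IGNORE_GEOFF IGNORE_MAKS; do
        eval "r=\$$rule"
        printf '%s: root continuation -> %s\n' "$rule" "$(logcheck_reports "$CONT_ROOT" "$r")"
        printf '%s: build-user continuation -> %s\n' "$rule" "$(logcheck_reports "$CONT_DASH" "$r")"
        printf '%s: actual command line -> %s\n' "$rule" "$(logcheck_reports "$CMD_LINE" "$r")"
    done
}
```

Only the revised rule drops the continuation line for `build-user`; the real command line is still reported under both.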