Bug#316167: [Logcheck-devel] Bug#316167: logcheck-database: ignore on sudo doesn't belong in violations.ignore.d

Stephen Gran sgran at debian.org
Sat Jul 2 13:04:38 UTC 2005


This one time, at band camp, maximilian attems said:
> hello stephen,
> 
> On Tue, 28 Jun 2005, Stephen Gran wrote:
> 
> > I would like to be able to selectively ignore sudo on some systems
> > and not on others without being forced to just rm a conffile.  The file
> > /etc/logcheck/violations.ignore.d/logcheck-sudo (ISTM) is better placed
> > in /etc/logcheck/ignore.d.server.  That way, a paranoid installation
> > would still see them, but a normal one wouldn't have to.
> 
> no it can't be placed there below, as security events don't have the
> three level filtering.

Is that not changeable?  I honestly don't know, not having looked at the
code for logcheck.  I would have thought that sudo was an expected thing
on a multi admin machine, and not on (say) a single user desktop.  So
that is why I was thinking it made sense in a different report level.

> easier than removing would be for your side to change its regex so
> that it doesn't match any more sudo log lines.
> because otherwise you'll have to redo that on each upgrade.
> and so you'll get asked if you want to revert your change.

dpkg should respect the absence of a conffile as well, I would hope.  It
is supposed to.

> this rule was added through popular request (see changelog for bug nr).
> if you give some of your users sudo access take care what you give them.

I see several bugs relating to regex problems in the sudo ignore, but
not about the placement of the sudo ignore.

> i'll wait for a response from your side, but i see not much chance
> to changing that. 

If the report level for sudo is wrong (which it doesn't seem to be - it
seems to be forced there by the use of violations.d/sudo), then I guess
it is unfixable with my idea.  If it could be reported as a system event
rather than a security event, I would love to see it moved.

Thanks,
-- 
 -----------------------------------------------------------------
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran at debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
 -----------------------------------------------------------------
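
A simplified model of the filtering layers discussed in this thread, added here as an illustration (it is not logcheck's code and not from either poster): it shows why a sudo ignore placed in ignore.d.server has no effect on a line that already matched violations.d, while one in violations.ignore.d applies at every report level. The function names, regexes and log lines are constructed for the example, and treating a line matched by violations.ignore.d as fully dropped is a simplifying assumption.

```python
import re

# Report levels from strictest to most relaxed; each level also applies the
# ignore rules of the stricter levels before it.
LEVELS = ["paranoid", "server", "workstation"]

def matches(patterns, line):
    return any(re.search(p, line) for p in patterns)

def classify(line, rules, level):
    """Return 'security', 'system', or None when the line is filtered out."""
    if matches(rules.get("violations.d", []), line):
        # Security layer: a single ignore directory, consulted at every level.
        if matches(rules.get("violations.ignore.d", []), line):
            return None  # simplification: later passes are not modelled
        return "security"
    for lvl in LEVELS[: LEVELS.index(level) + 1]:
        if matches(rules.get("ignore.d." + lvl, []), line):
            return None
    return "system"

# Constructed sample lines and patterns (not the packaged logcheck rules).
SUDO_LINE = ("Jul  2 13:00:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; "
             "USER=root ; COMMAND=/usr/bin/apt-get update")
CRON_LINE = "Jul  2 13:05:01 host CRON[4242]: (root) CMD (run-parts /etc/cron.hourly)"
SUDO_IGNORE = r"sudo: +\w+ : TTY=\S+ ; PWD=\S+ ; USER=\w+ ; COMMAND=.*$"
CRON_IGNORE = r"CRON\[\d+\]: \(\w+\) CMD \(.*\)$"

# Layout proposed in the bug report: sudo ignore moved to ignore.d.server.
PROPOSED = {"violations.d": [r"sudo"],
            "ignore.d.server": [SUDO_IGNORE, CRON_IGNORE]}
# Layout described in the thread: sudo ignore kept in violations.ignore.d.
SHIPPED = {"violations.d": [r"sudo"],
           "violations.ignore.d": [SUDO_IGNORE],
           "ignore.d.server": [CRON_IGNORE]}

def report(rules, line):
    """Classification of one line at each of the three report levels."""
    return {lvl: classify(line, rules, lvl) for lvl in LEVELS}

if __name__ == "__main__":
    for name, rules in (("proposed", PROPOSED), ("shipped", SHIPPED)):
        print(name, "sudo:", report(rules, SUDO_LINE))
        print(name, "cron:", report(rules, CRON_LINE))
```
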