Bug#316167: [Logcheck-devel] Bug#316167: logcheck-database: ignore on sudo doesn't belong in violations.ignore.d

maximilian attems debian at sternwelten.at
Tue Jul 5 19:04:11 UTC 2005


On Sat, 02 Jul 2005, Stephen Gran wrote:

> This one time, at band camp, maximilian attems said:
<snipp>
> > no it can't be placed there below, as security events don't have the
> > three level filtering.
> 
> Is that not changeable?  I honestly don't know, not having looked at the
> code for logcheck.  I would have thought that sudo was an expected thing
> on a multi admin machine, and not on (say) a single user desktop.  So
> that is why I was thinking it made sense in a different report level.

afaik ubuntu is using sudo for workstation/desktop and so on.
we had lots of complaints about reporting any sudo command.
we concluded that it is ok for a sudoer to exec some sys bin
and so the rules got crafted like they are.

current logcheck code doesn't have "kicking rules" like in cracking.d 
and in violations.d for the simple system events.


> dpkg should respect the absence of a conffile as well, I would hope.  It
> is supposed to.

ok sorry for the noise.
 
> > i'll wait for a response from your side, but i see not much chance
> > of changing that.
> 
> If the report level for sudo is wrong (which it doesn't seem to be - it
> seems to be forced there by the use of violations.d/sudo), then I guess
> it is unfixable with my idea.  If it could be reported as a system event
> rather than a security event, I would love to see it moved.

i'm not sure if it makes sense to craft a kick-off dir also for the
three leveled "normal" system events nor to split the violations
in the 3 layers.  not easy stuff your wish.
we need to restructure current dirs as their layout currently
is suboptimal. but i'm not in favour of adding more complexity.

anyway thanks for your feedback.
hope we will find a resolution.

--
maks
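The thread turns on how logcheck splits "kicking rules" (cracking.d, violations.d, with violations.ignore.d as the only exclusion list) from the three-tiered ignore.d.paranoid/server/workstation filtering of ordinary system events. The script below is an added illustration written for this archive page, not logcheck's own code: it models that layering with a few constructed syslog lines and rule files so the two pipelines can be compared side by side. Assumptions: rule files hold extended regexes applied with grep -E -f, the ignore tiers are cumulative (server adds to paranoid, workstation adds to both), and a line caught by a kicking rule is classified as a security event rather than a system event. The log lines, hostnames, user name and addresses are made up.

```shell
#!/bin/sh
# Simplified model of logcheck's rule directories (illustration only, not the
# logcheck source). Shows why a sudo line hit by violations.d/sudo can only be
# silenced through violations.ignore.d, while system events get the three
# cumulative ignore tiers.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log (not real captured data).
cat > "$WORK/syslog" <<'EOF'
Jul  5 19:00:01 host sudo:     maks : TTY=pts/0 ; PWD=/home/maks ; USER=root ; COMMAND=/usr/bin/apt-get update
Jul  5 19:00:02 host sshd[1234]: Accepted publickey for maks from 192.0.2.10 port 4444 ssh2
Jul  5 19:00:03 host sudo:     maks : TTY=pts/0 ; PWD=/home/maks ; USER=root ; COMMAND=/bin/bash
Jul  5 19:00:04 host CRON[2345]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Rule directories named after logcheck's layout; contents are constructed.
for d in cracking.d violations.d violations.ignore.d \
         ignore.d.paranoid ignore.d.server ignore.d.workstation; do
    mkdir -p "$WORK/$d"
done
# Kicking rule: every sudo line is a security event ...
printf '%s\n' 'sudo:' > "$WORK/violations.d/sudo"
# ... unless violations.ignore.d says a sudoer running apt-get is expected.
printf '%s\n' 'sudo: +[[:alnum:]]+ : TTY=[^ ]+ ; PWD=[^ ]+ ; USER=root ; COMMAND=/usr/bin/apt-get' \
    > "$WORK/violations.ignore.d/sudo"
# Tiered ignores for ordinary system events.
printf '%s\n' 'sshd\[[0-9]+\]: Accepted publickey' > "$WORK/ignore.d.server/ssh"
printf '%s\n' 'CRON\[[0-9]+\]: \(root\) CMD'       > "$WORK/ignore.d.workstation/cron"

# Concatenate every pattern file in a directory; an empty dir yields no patterns.
patterns_of() { cat "$WORK/$1"/* 2>/dev/null || :; }

# Keep stdin lines matching any pattern from the given directories.
keep_matching() {
    p=$(mktemp "$WORK/pat.XXXXXX")
    for d in "$@"; do patterns_of "$d"; done > "$p"
    grep -E -f "$p" || :
}

# Drop stdin lines matching any pattern from the given directories
# (an empty pattern list drops nothing).
drop_matching() {
    p=$(mktemp "$WORK/pat.XXXXXX")
    for d in "$@"; do patterns_of "$d"; done > "$p"
    grep -E -v -f "$p" || :
}

# Security events: hits from the kicking rules minus violations.ignore.d.
# No paranoid/server/workstation tier exists on this path.
security_events() {
    keep_matching cracking.d violations.d < "$WORK/syslog" \
        | drop_matching violations.ignore.d
}

# System events: everything not caught by a kicking rule, filtered through
# the cumulative ignore tiers selected by the report level.
system_events() {
    case $1 in
        paranoid)    tiers="ignore.d.paranoid" ;;
        server)      tiers="ignore.d.paranoid ignore.d.server" ;;
        workstation) tiers="ignore.d.paranoid ignore.d.server ignore.d.workstation" ;;
        *) echo "unknown level: $1" >&2; return 1 ;;
    esac
    drop_matching cracking.d violations.d < "$WORK/syslog" \
        | drop_matching $tiers
}

security_event_count() { security_events | wc -l | tr -d ' '; }
system_event_count()   { system_events "$1" | wc -l | tr -d ' '; }

printf 'security events (%s):\n' "$(security_event_count)"
security_events
for lvl in paranoid server workstation; do
    printf '\nsystem events at level %s (%s):\n' "$lvl" "$(system_event_count "$lvl")"
    system_events "$lvl"
done
```

Running it shows the point of the thread: the interactive-shell sudo line is reported at every level because violations.d/sudo kicks it in and nothing in violations.ignore.d matches it, whereas the sshd and cron noise disappears as the level moves from paranoid to workstation. Moving sudo to the tiered side would mean either dropping violations.d/sudo or adding a tier mechanism to the security path, which is the extra complexity the reply argues against.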