Trent W. Buck
2016-Feb-19 01:16 UTC
[Logcheck-devel] Bug#815114: Please whitelist sudo -g nogroup (not just sudo -u nobody)
Package: logcheck
Version: 1.3.17
Severity: wishlist
Tags: patch

Currently logcheck thinks "sudo -u nobody pwd" is OK, "sudo -g nogroup pwd" is scary; and "sudo -u nobody -g nogroup pwd" is scary. IMO either these are all OK, or all scary --- probably the former.

Here is an (untested) patch against current logcheck; I've been using a variation on oldoldstable systems for a while.

diff --git a/rulefiles/linux/violations.ignore.d/logcheck-sudo b/rulefiles/linux/violations.ignore.d/logcheck-sudo index 92c3dd4..274ed83 100644 --- a/rulefiles/linux/violations.ignore.d/logcheck-sudo +++ b/rulefiles/linux/violations.ignore.d/logcheck-sudo @@ -1,5 +1,5 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]-]+@[.A-Z]+$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ (; (USER|GROUP)=[._[:alnum:]-]+ )+; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$
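Review bot: the replacement `(; (USER|GROUP)=[._[:alnum:]-]+ )+;` in the `+` line is looser than the report asks for: because the group repeats with either keyword, it also ignores lines that carry GROUP= with no USER= at all, lines that repeat a field, and lines with GROUP= before USER=, so the whitelist widens beyond "USER= optionally followed by GROUP=". If that is all that is wanted, `; USER=[._[:alnum:]-]+ (; GROUP=[._[:alnum:]-]+ )?; COMMAND=` keeps the old rule's shape and adds only the optional GROUP= field. Since the patch is marked untested, a captured log line for each of the three commands quoted in the report (`sudo -u nobody pwd`, `sudo -g nogroup pwd`, `sudo -u nobody -g nogroup pwd`) run through `grep -E` against the new line would confirm it matches before it is merged.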
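To make the behaviour the report describes visible, here is an added example that is not code from the bug report or from the logcheck project. It feeds constructed sudo syslog lines (not captured from a real system) through the old and the patched rule with `grep -E`, which is how logcheck applies its ignore files, and also through a tighter variant that is this example's own assumption rather than anything in the patch: USER= mandatory, GROUP= optional and only after USER=. It assumes a grep whose `-E` mode accepts `\w`, as GNU grep does.

```shell
#!/bin/sh
# Added example, not from the bug report or logcheck: classify constructed
# sudo log lines under three logcheck ignore rules using grep -E.

# "-" line of the patch: exactly one USER= field before COMMAND=.
OLD_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$'
# "+" line of the patch: one or more USER=/GROUP= fields, in any order.
NEW_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ (; (USER|GROUP)=[._[:alnum:]-]+ )+; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$'
# Tighter variant (this example's assumption, not in the patch): USER= is
# mandatory and GROUP= may follow it exactly once.
TIGHT_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ (; GROUP=[._[:alnum:]-]+ )?; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$'

# Constructed log lines for the three commands quoted in the report, plus a
# shape with GROUP= but no USER= that the patched rule also accepts.
LINE_U='Feb 19 12:16:40 host sudo:      twb : TTY=pts/0 ; PWD=/home/twb ; USER=nobody ; COMMAND=/bin/pwd'
LINE_G='Feb 19 12:16:41 host sudo:      twb : TTY=pts/0 ; PWD=/home/twb ; USER=twb ; GROUP=nogroup ; COMMAND=/bin/pwd'
LINE_UG='Feb 19 12:16:42 host sudo:      twb : TTY=pts/0 ; PWD=/home/twb ; USER=nobody ; GROUP=nogroup ; COMMAND=/bin/pwd'
LINE_ODD='Feb 19 12:16:43 host sudo:      twb : TTY=pts/0 ; PWD=/home/twb ; GROUP=nogroup ; COMMAND=/bin/pwd'

# classify RULE LINE: print "ignored" if the ignore rule matches the line
# (logcheck would drop it) and "alert" if it does not (logcheck reports it).
classify() {
    if printf '%s\n' "$2" | grep -E -q -e "$1"; then
        echo ignored
    else
        echo alert
    fi
}

# Print a verdict per rule for each constructed line.
for line in "$LINE_U" "$LINE_G" "$LINE_UG" "$LINE_ODD"; do
    printf 'old=%-7s new=%-7s tight=%-7s %s\n' \
        "$(classify "$OLD_RULE" "$line")" \
        "$(classify "$NEW_RULE" "$line")" \
        "$(classify "$TIGHT_RULE" "$line")" \
        "${line#* sudo: }"
done
```

Running it shows the old rule ignoring only the `-u nobody` line and alerting on both lines carrying GROUP=, the patched rule ignoring all four lines including the GROUP=-only shape, and the tighter variant ignoring the three report commands while still alerting on the GROUP=-only line.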
Debian Bug Tracking System
2017-Jan-25 22:09 UTC
[Logcheck-devel] Bug#815114: marked as done (Please whitelist sudo -g nogroup (not just sudo -u nobody))
Your message dated Wed, 25 Jan 2017 22:05:37 +0000 with message-id <E1cWVhB-0002we-2G at fasolo.debian.org> and subject line Bug#815114: fixed in logcheck 1.3.18 has caused the Debian Bug report #815114, regarding Please whitelist sudo -g nogroup (not just sudo -u nobody) to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

--
815114: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815114
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: "Trent W. Buck" <trentbuck at gmail.com>
Subject: Please whitelist sudo -g nogroup (not just sudo -u nobody)
Date: Fri, 19 Feb 2016 12:16:40 +1100
Size: 4831
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20170125/f60f01bf/attachment.mht>

-------------- next part --------------
An embedded message was scrubbed...
From: Hannes von Haugwitz <hannes at vonhaugwitz.com>
Subject: Bug#815114: fixed in logcheck 1.3.18
Date: Wed, 25 Jan 2017 22:05:37 +0000
Size: 7742
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20170125/f60f01bf/attachment-0001.mht>