Marcin Owsiany
2004-Jun-11 16:43 UTC
[Logcheck-devel] Bug#182992: logcheck-sudo rule still buggy
Package: logcheck-database
Version: 1.2.22a
Severity: normal
Followup-For: Bug #182992

The following rule:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: [ \t]* [_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$

should read:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[ \t]+[_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$

Otherwise it does not match messages such as:

Jun 11 18:21:29 melina sudo: porridge : TTY=pts/5 ; PWD=/usr/share/doc/logcheck ; USER=root ; COMMAND=/usr/sbin/logcheck

(note that there is only a single whitespace character between "sudo:" and "porridge")

Another thing which I don't understand is why successful sudo usage (by a user authorized to do so) is regarded as a security violation at all, unless the command is in /(usr|etc|bin|sbin).

It looks as if there is some kind of assumption that commands installed in /(usr|etc|bin|sbin) are somehow "safer" than, for example, stuff in the user's $HOME. I don't think that assumption is justified.

Why not just drop that bit and make it "COMMAND=.*$"?

Marcin

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.4.24-1-k7
Locale: LANG=pl_PL, LC_CTYPE=pl_PL

Versions of packages logcheck-database depends on:
ii  debconf [debconf-2.0]   1.4.28   Debian configuration management sy

-- debconf information:
  logcheck-database/conffile-cleanup: false
* logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:
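A shell check of the two rules against the sample line, added here as an example and not part of the bug report or of the logcheck package. It assumes GNU grep -E (egrep), which is how logcheck applies its rule files, and adds two constructed lines of its own: one with two spaces after "sudo:" and one running a command from $HOME.

```sh
#!/bin/sh
# Added example, not from the bug report or the logcheck package: run sample
# sudo log lines through a logcheck-style ignore rule the way logcheck does
# (egrep against a rule file) and see which lines would still be reported.

# Constructed sample lines. The first is the one from the report (a single
# space after "sudo:"); the second has two spaces, the only spacing the old
# rule accepts; the third runs a command from $HOME, which neither rule
# ignores because of the COMMAND=/(usr|etc|bin|sbin)/ restriction.
LINE_ONE_SPACE='Jun 11 18:21:29 melina sudo: porridge : TTY=pts/5 ; PWD=/usr/share/doc/logcheck ; USER=root ; COMMAND=/usr/sbin/logcheck'
LINE_TWO_SPACES='Jun 11 18:21:29 melina sudo:  porridge : TTY=pts/5 ; PWD=/usr/share/doc/logcheck ; USER=root ; COMMAND=/usr/sbin/logcheck'
LINE_HOME_CMD='Jun 11 18:25:02 melina sudo: porridge : TTY=pts/5 ; PWD=/home/porridge ; USER=root ; COMMAND=/home/porridge/bin/backup'

# The rule as shipped in logcheck-database 1.2.22a and the corrected one.
OLD_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: [ \t]* [_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$'
NEW_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[ \t]+[_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$'

# ignored_by RULE LINE: succeeds when the rule matches, i.e. logcheck would
# drop the line from its report. In a POSIX bracket expression the backslash
# is literal, so "[ \t]" does not match a tab; either way "sudo: [ \t]* " in
# the old rule demands at least two spaces before the user name.
ignored_by() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

# report_lines RULE LINE...: print the lines that survive the rule, which is
# what the administrator sees in the logcheck mail.
report_lines() {
    rule=$1
    shift
    for line in "$@"; do
        ignored_by "$rule" "$line" || printf '%s\n' "$line"
    done
}

# report_count RULE LINE...: how many lines the rule would let through.
report_count() {
    report_lines "$@" | wc -l | tr -d ' '
}

echo "reported with the old rule:"
report_lines "$OLD_RULE" "$LINE_ONE_SPACE" "$LINE_TWO_SPACES" "$LINE_HOME_CMD"
echo "reported with the fixed rule:"
report_lines "$NEW_RULE" "$LINE_ONE_SPACE" "$LINE_TWO_SPACES" "$LINE_HOME_CMD"
```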
maks attems
2004-Jun-12 10:32 UTC
Bug#182992: [Logcheck-devel] Bug#182992: logcheck-sudo rule still buggy
On Fri, 11 Jun 2004, Marcin Owsiany wrote:
> The following rule:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: [ \t]* [_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$
>
> should read:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[ \t]+[_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^ ]+ ; USER=[^ ]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$

Thanks for the whitespace fixes, tested and committed to logcheck CVS.

..

> Another thing which I don't understand is why successful sudo usage (by a
> user authorized to do so) is regarded as a security violation at all, unless
> the command is in /(usr|etc|bin|sbin).
>
> It looks as if there is some kind of assumption that commands installed
> in /(usr|etc|bin|sbin) are somehow "safer" than, for example, stuff in the
> user's $HOME. I don't think that assumption is justified.
>
> Why not just drop that bit and make it "COMMAND=.*$"?

You might want to do that in a rule in local-sudo. Anyway, why should one issue a sudo for an executable in one's $HOME? I find the above rule a good compromise between annoying logcheck users with all sudo commands and the desire to audit sudo commands. Please tailor it on your site to your own policy.

best regards
maks