Recipe 5.16 Listing sudo Invocations

5.16.1 Problem

See a report of all unauthorized sudo attempts.

5.16.2 Solution

Use logwatch: [Recipe 9.36]

# logwatch --print --service sudo --range all
smith => root
/usr/bin/passwd root
/bin/rm -f /etc/group
/bin/chmod 4755 /bin/sh

5.16.3 Discussion

If logwatch complains that the script /etc/log.d/scripts/services/sudo cannot be found, upgrade logwatch to the latest version.

You could also view the log entries directly without logwatch, extracting the relevant information from /var/log/secure:

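#!/bin/sh
# Log file that receives sudo's syslog messages
LOGFILE=/var/log/secure
echo 'Unauthorized sudo attempts:'
# Keep only denied commands, then print "user (target user): command"
grep -E 'sudo: .* : command not allowed' "$LOGFILE" \
     | sed 's/^.* sudo: \([^ ][^ ]*\) .* ; USER=\([^ ][^ ]*\) ; COMMAND=\(.*\)$/\1 (\2): \3/'

The output looks like this:
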
Unauthorized sudo attempts:
smith (root): /usr/bin/passwd root
smith (root): /bin/rm -f /etc/group
smith (root): /bin/chmod 4755 /bin/sh
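
The same extraction can be widened to the other denial messages sudo logs, not only "command not allowed". This is an added example, not part of the original recipe: the log lines are constructed, the function names are hypothetical, and it assumes the plain "sudo:" syslog tag that the recipe's pattern matches.

```shell
#!/bin/sh
# Added example: report every kind of sudo denial with its reason.

# sample_log: constructed syslog lines (one allowed sudo call, three denials, one sshd line)
sample_log() {
    cat <<'EOF'
Jan 10 09:01:11 host1 sudo:    smith : TTY=pts/0 ; PWD=/home/smith ; USER=root ; COMMAND=/bin/ls /root
Jan 10 09:02:40 host1 sudo:    smith : command not allowed ; TTY=pts/0 ; PWD=/home/smith ; USER=root ; COMMAND=/usr/bin/passwd root
Jan 10 09:03:02 host1 sudo:    jones : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 10 09:04:15 host1 sudo:    smith : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/smith ; USER=root ; COMMAND=/bin/chmod 4755 /bin/sh
Jan 10 09:05:00 host1 sshd[812]: Accepted password for smith from 192.0.2.7 port 50122 ssh2
EOF
}

# sudo_denials FILE: print "user (target) [reason]: command" for each denied attempt.
# Successful invocations carry no reason field, so they never match.
sudo_denials() {
    sed -n -E \
      's/^.* sudo: +([^ ]+) : (command not allowed|user NOT in sudoers|user NOT authorized on host|[0-9]+ incorrect password attempts?) ;.* USER=([^ ]+) ; COMMAND=(.*)$/\1 (\3) [\2]: \4/p' \
      "$1"
}

# sudo_denial_counts FILE: "user count" per invoking user, most denials first.
sudo_denial_counts() {
    sudo_denials "$1" | cut -d' ' -f1 | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# Demo run on the constructed sample; point the functions at /var/log/secure on a real host.
log=$(mktemp)
sample_log > "$log"
echo 'Denied sudo attempts:'
sudo_denials "$log"
echo 'Denials per user:'
sudo_denial_counts "$log"
rm -f "$log"
```
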

5.16.4 See Also

logwatch(8). The logwatch home page is
