See a report of all unauthorized sudo attempts.
Use logwatch: [Recipe 9.36]
# logwatch --print --service sudo --range all smith => root ------------- /usr/bin/passwd root /bin/rm -f /etc/group /bin/chmod 4755 /bin/sh
If logwatch complains that the script /etc/log.d/scripts/services/sudo cannot be found, upgrade logwatch to the latest version.
You could also view the log entries directly without logwatch, extracting the relevant information from /var/log/secure:
#!/bin/sh LOGFILE=/var/log/secure echo 'Unauthorized sudo attempts:' egrep 'sudo: .* : command not allowed' $LOGFILE \ | sed 's/^.* sudo: \([^ ][^ ]*\) .* ; USER=\([^ ][^ ]*\) ; COMMAND=\(.*\)$/\1 (\2): \3/'
Output:
Unauthorized sudo attempts: smith (root): /usr/bin/passwd root smith (root): /bin/rm -f /etc/group smith (root): /bin/chmod 4755 /bin/sh
logwatch(8). The logwatch home page is http://www.logwatch.org.