/usr/share/logwatch/scripts/services/sudo is in logwatch 7.4.1-2.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 | #!/usr/bin/perl
###########################################################################
# $Id: sudo 150 2013-06-18 22:19:38Z mtremaine $
###########################################################################
# $Log: sudo,v $
# Revision 1.15 2011/01/06 15:36:02 stefan
# added: Conversation failed with
#
# Revision 1.14 2008/03/24 23:31:27 kirk
# added copyright/license notice to each script
#
# Revision 1.13 2007/11/25 20:07:49 bjorn
# Filtering a pam_unix message, by Ivana Varekova.
#
# Revision 1.12 2007/09/02 01:36:21 mrc
# - Patch to allow dot (.) in user names from Matthew Joyce
#
# Revision 1.11 2006/04/12 23:17:09 bjorn
# Added %OtherList, and handles some errors.
#
###########################################################################
###########################################################################
# sudo: A logwatch script to collate and format sudo log entries from
# the secure log. Entries are broken down by the user who issued
# the command, and further by the effective user of the command.
#
# Detail Levels:
# 0: Just print the command
# 20: Include the current directory when the command was executed
# (on a separate line)
# 30: Include the TTY on the directory line
###########################################################################
#######################################################
## Copyright (c) 2008 Kirk Bauer
## Covered under the included MIT/X-Consortium License:
## http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms. If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution an the
## Logwatch project reserves the right to not accept such
## contributions. If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################
use strict;
my %OtherList;
my ($Debug, $Detail, %byUser, %byUserSum);
my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
# maximum number of commands user ran to display at low detail
my $CmdsThresh = $ENV{'command_run_threshold'} || 0;
my ($user, $error, $tty, $dir, $euser, $cmd, $args);
my (%ConFailed);
my $contlines = 0;
my $argsprinted = 0;
while (defined(my $ThisLine = <STDIN>)) {
if ($ThisLine =~ /pam_unix\(sudo:auth\): authentication failure; logname=\S* uid=[0-9]* euid=[0-9]* tty=\S* ruser=\S* rhost=\S* user=\S*/
)
# this log is parsed in pam_unix section
{
# Ignore
} elsif ($ThisLine =~ /pam_unix\(sudo:session\): session (opened|closed) for user \S+/) {
# handled in pam_unix
} elsif ($ThisLine =~ /pam_unix\(sudo:auth\): auth could not identify password for/) {
# handled in pam_unix
} elsif ($ThisLine =~ /(.+): conversation failed/) {
$ConFailed{$1}++;
} elsif ( ($user, $error, $tty, $dir, $euser, $cmd, $args) = $ThisLine =~ m/^\s*(\S+) : (.*; )?TTY=(\S+) ; PWD=(.*?) ; USER=(\S+) ; COMMAND=(\S+)( ?.*)/) {
push @{$byUser{$user}{$euser}}, [$error . $cmd,$args, $dir, $tty];
$byUserSum{$user}{$euser}{$cmd} += 1;
} elsif ( ($user,$euser) = $ThisLine =~ /^\s*(\S+) : no passwd entry for (\S+)\!$/) {
push @{$byUser{$user}{$euser . " (No such user)"}}, ["No password entry"];
} elsif ( ($user, $error, $tty, $dir, $euser, $cmd, $args) = $ThisLine =~ m/^\s*\S+ : \(command continued\)/) {
$contlines++;
} else {
chomp($ThisLine);
$OtherList{$ThisLine}++;
}
}
foreach my $user (sort keys %byUser) {
foreach my $euser (sort keys %{$byUser{$user}}) {
print "\n$user => $euser\n", "-" x length("$user => $euser"), "\n";
foreach my $cmd (sort keys %{$byUserSum{$user}{$euser}}) {
if ($Detail < 10 && $CmdsThresh <= $byUserSum{$user}{$euser}{$cmd}) {
printf "%-30s - %3i Time(s).\n", $cmd, $byUserSum{$user}{$euser}{$cmd};
} # if $Detail < 10
} # foreach $gcmd
foreach my $row (@{$byUser{$user}{$euser}}) {
if ($Detail >= 10 || $CmdsThresh > $byUserSum{$user}{$euser}{$$row[0]}) {
my ($gcmd,$args, $dir, $tty) = @$row;
my $cmd = "$gcmd$args";
# make long commands easier to read
$cmd =~ s/(?=.{74,})(.{1,74}) /${1} \\\n /g if (length($cmd) > 75);
print "$cmd\n";
if ($Detail >= 20) {
my $ttydetail = "";
$ttydetail = "($tty) " if $Detail >= 30;
print "\t$ttydetail$dir\n";
} # if $Detail >= 20
$argsprinted=1;
} # if $Detail >= 10
} # foreach $row
} # foreach $euser
} # foreach $user
if (keys %ConFailed) {
print "\nConversation failed with:";
print "\n-------------------------";
foreach my $conv (sort keys %ConFailed) {
printf "\n%-30s - %3i Time(s)", $conv, $ConFailed{$conv};
}
print "\n";
}
if($contlines && $argsprinted) {
print "\nThe argument list of some of above commands might be incomplete\n";
}
if (keys %OtherList) {
print "\n\n**Unmatched Entries**";
foreach my $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) {
print "\n $line: $OtherList{$line} Time(s)";
}
}
# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End:
|