###########################################################################
# $Id$
###########################################################################
# $Log: sudo,v $
# Revision 1.15 2011/01/06 15:36:02 stefan
# added: Conversation failed with
#
# Revision 1.14 2008/03/24 23:31:27 kirk
# added copyright/license notice to each script
#
# Revision 1.13 2007/11/25 20:07:49 bjorn
# Filtering a pam_unix message, by Ivana Varekova.
#
# Revision 1.12 2007/09/02 01:36:21 mrc
# - Patch to allow dot (.) in user names from Matthew Joyce
#
# Revision 1.11 2006/04/12 23:17:09 bjorn
# Added %OtherList, and handles some errors.
#
###########################################################################
###########################################################################
# sudo: A logwatch script to collate and format sudo log entries from
# the secure log. Entries are broken down by the user who issued
# the command, and further by the effective user of the command.
#
# Detail Levels:
# 0: Just print the command
# 20: Include the current directory when the command was executed
# (on a separate line)
# 30: Include the TTY on the directory line
###########################################################################
#######################################################
## Copyright (c) 2008 Kirk Bauer
## Covered under the included MIT/X-Consortium License:
## http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms. If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution and the
## Logwatch project reserves the right to not accept such
## contributions. If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################
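use strict;
use warnings;

# Log lines that none of the sudo patterns below recognised, counted per
# distinct line and reported at the end as "Unmatched Entries".
my %OtherList;

# LOGWATCH_DEBUG is read for consistency with other logwatch scripts but is
# not referenced anywhere else in this script.
my $Debug  = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
# maximum number of commands user ran to display at low detail
my $CmdsThresh = $ENV{'command_run_threshold'} || 0;

# $IgnoreCmds{FROM_USER}{TO_USER} = [ pattern, ... ], filled from the
# ignore_commands setting passed in the environment.  FROM_USER may be the
# literal 'any'; see _is_ignored() for how the patterns are applied.
my %IgnoreCmds;

# $byUser{USER}{EUSER}    = [ [ command, args, dir, tty ], ... ]  one row per log line
# $byUserSum{USER}{EUSER}{command} = count                        low-detail summary
# "command" is sudo's error text (if any) followed by the command path, so
# refused commands ("command not allowed ; /bin/foo") are counted and listed
# separately from permitted runs of the same command.
my (%byUser, %byUserSum);

# Whatever precedes ": conversation failed" on the line, with a count.
my %ConFailed;
my $contlines   = 0;   # "(command continued)" lines seen: argument lists may be cut short
my $argsprinted = 0;   # set once any full command line (with args) has been printed

if (defined($ENV{'ignore_commands'})) {
   foreach my $entry (split(',', $ENV{'ignore_commands'})) {
      $entry =~ s/['"]//g;
      my ($from_user, $to_user, $pattern) = split(';', $entry);
      # A malformed entry (fewer than three fields) used to be stored as an
      # empty pattern, and "$cmd =~ ''" re-uses the last successful regex
      # instead of matching nothing.  Drop such entries outright.
      next unless defined $from_user && defined $to_user
               && defined $pattern && length $pattern;
      push(@{$IgnoreCmds{$from_user}{$to_user}}, $pattern);
   }
}

# Return true when $cmd matches one of the ignore patterns configured for
# ($user -> $euser) or ('any' -> $euser).
#
# Patterns are applied as unanchored regular expressions, exactly as given
# in ignore_commands: an entry of "ls" also suppresses "/usr/bin/lsblk",
# and an overly broad entry silently hides activity from the report.
# Anchor the entry (e.g. ^/bin/ls$) when an exact match is wanted.
sub _is_ignored {
   my ($user, $euser, $cmd) = @_;
   foreach my $from ($user, 'any') {
      my $patterns = $IgnoreCmds{$from}{$euser};
      next unless defined $patterns;
      my $re = join('|', @$patterns);
      return 1 if $cmd =~ $re;
   }
   return 0;
}

while (defined(my $ThisLine = <STDIN>)) {
   my ($user, $error, $tty, $dir, $euser, $cmd, $args);
   if ($ThisLine =~ /pam_unix\(sudo:auth\): authentication failure; logname=\S* uid=[0-9]* euid=[0-9]* tty=\S* ruser=\S* rhost=\S* user=\S*/) {
      # this log is parsed in pam_unix section
   } elsif ($ThisLine =~ /pam_unix\(sudo:session\): session (opened|closed) for user \S+/) {
      # handled in pam_unix
   } elsif ($ThisLine =~ /pam_unix\(sudo:auth\): auth could not identify password for/) {
      # handled in pam_unix
   } elsif ($ThisLine =~ /pam_sss\(sudo:auth\): authentication success/) {
      # Ignore
   } elsif ($ThisLine =~ /(.+): conversation failed/) {
      $ConFailed{$1}++;
   } elsif (($user, $error, $tty, $dir, $euser, $cmd, $args) = $ThisLine =~ m/^\s*(\S+) : (.*; )?TTY=(\S+) ; PWD=(.*?) ; USER=(\S+) ; COMMAND=(\S+)( ?.*)/) {
      # The optional second field is sudo's error text ("command not
      # allowed ; ", "3 incorrect password attempts ; ").  It is absent
      # on a normal run, so default it to "" before concatenating.
      $error = '' unless defined $error;
      next if _is_ignored($user, $euser, $cmd);
      # Use the same key for the per-line rows and the summary so the
      # threshold comparison in the printing loop finds the right count.
      my $shown = $error . $cmd;
      push @{$byUser{$user}{$euser}}, [$shown, $args, $dir, $tty];
      $byUserSum{$user}{$euser}{$shown} += 1;
   } elsif (($user, $euser) = $ThisLine =~ /^\s*(\S+) : no passwd entry for (\S+)\!$/) {
      # Store a full four-element row so the printing loop never sees undef
      # for args/dir/tty, and count it so it also shows up at low detail.
      my $target = $euser . " (No such user)";
      push @{$byUser{$user}{$target}}, ["No password entry", "", "", ""];
      $byUserSum{$user}{$target}{"No password entry"} += 1;
   } elsif ($ThisLine =~ m/^\s*\S+ : \(command continued\)/) {
      $contlines++;
   } else {
      chomp($ThisLine);
      $OtherList{$ThisLine}++;
   }
}

foreach my $user (sort keys %byUser) {
   foreach my $euser (sort keys %{$byUser{$user}}) {
      my $heading = "$user => $euser";
      print "\n$heading\n", "-" x length($heading), "\n";
      my $sums = $byUserSum{$user}{$euser} || {};
      # Low detail: one summary line per command that reached the threshold.
      if ($Detail < 10) {
         foreach my $cmd (sort keys %$sums) {
            if ($CmdsThresh <= $sums->{$cmd}) {
               printf "%-30s - %3i Time(s).\n", $cmd, $sums->{$cmd};
            }
         }
      }
      # Every individual invocation at high detail, or only the ones below
      # the threshold at low detail.
      foreach my $row (@{$byUser{$user}{$euser}}) {
         my ($gcmd, $args, $dir, $tty) = @$row;
         next unless $Detail >= 10 || $CmdsThresh > ($sums->{$gcmd} || 0);
         my $cmd = "$gcmd$args";
         # make long commands easier to read
         $cmd =~ s/(?=.{74,})(.{1,74}) /${1} \\\n /g if (length($cmd) > 75);
         print "$cmd\n";
         if ($Detail >= 20) {
            my $ttydetail = $Detail >= 30 ? "($tty) " : "";
            print "\t$ttydetail$dir\n";
         }
         $argsprinted = 1;
      }
   }
}

if (keys %ConFailed) {
   print "\nConversation failed with:";
   print "\n-------------------------";
   foreach my $conv (sort keys %ConFailed) {
      printf "\n%-30s - %3i Time(s)", $conv, $ConFailed{$conv};
   }
   print "\n";
}

if ($contlines && $argsprinted) {
   print "\nThe argument list of some of above commands might be incomplete\n";
}

if (keys %OtherList) {
   print "\n\n**Unmatched Entries**";
   foreach my $line (sort { $OtherList{$b} <=> $OtherList{$a} } keys %OtherList) {
      print "\n $line: $OtherList{$line} Time(s)";
   }
}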
# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: