###########################################################################
# $Id$
###########################################################################
# $Log: sudo,v $
# Revision 1.15 2011/01/06 15:36:02 stefan
# added: Conversation failed with
#
# Revision 1.14 2008/03/24 23:31:27 kirk
# added copyright/license notice to each script
#
# Revision 1.13 2007/11/25 20:07:49 bjorn
# Filtering a pam_unix message, by Ivana Varekova.
#
# Revision 1.12 2007/09/02 01:36:21 mrc
# - Patch to allow dot (.) in user names from Matthew Joyce
#
# Revision 1.11 2006/04/12 23:17:09 bjorn
# Added %OtherList, and handles some errors.
#
###########################################################################
###########################################################################
# sudo: A logwatch script to collate and format sudo log entries from
# the secure log. Entries are broken down by the user who issued
# the command, and further by the effective user of the command.
#
# Detail Levels:
# 0: Just print the command
# 20: Include the current directory when the command was executed
# (on a separate line)
# 30: Include the TTY on the directory line
###########################################################################
#######################################################
## Copyright (c) 2008 Kirk Bauer
## Covered under the included MIT/X-Consortium License:
## http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms. If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution an the
## Logwatch project reserves the right to not accept such
## contributions. If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################
use strict;
my %OtherList;
my ($Debug, $Detail, %byUser, %byUserSum);
my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
# maximum number of commands user ran to display at low detail
my $CmdsThresh = $ENV{'command_run_threshold'} || 0;
my %IgnoreCmds;
my ($user, $error, $tty, $dir, $euser, $cmd, $args);
my (%ConFailed);
my $contlines = 0;
my $argsprinted = 0;
if (defined($ENV{'ignore_commands'})) {
foreach my $entry (split(',',$ENV{'ignore_commands'})) {
$entry =~ s/['"]//g;
my ($from_user,$to_user,$cmd) = split(';',$entry);
push(@{$IgnoreCmds{$from_user}{$to_user}},$cmd);
}
}
while (defined(my $ThisLine = <STDIN>)) {
if ($ThisLine =~ /pam_unix\(sudo:auth\): authentication failure; logname=\S* uid=[0-9]* euid=[0-9]* tty=\S* ruser=\S* rhost=\S* user=\S*/
)
# this log is parsed in pam_unix section
{
# Ignore
} elsif ($ThisLine =~ /pam_unix\(sudo:session\): session (opened|closed) for user \S+/) {
# handled in pam_unix
} elsif ($ThisLine =~ /pam_unix\(sudo:auth\): auth could not identify password for/) {
# handled in pam_unix
} elsif ($ThisLine =~ /pam_sss\(sudo:auth\): authentication success/) {
# Ignore
} elsif ($ThisLine =~ /(.+): conversation failed/) {
$ConFailed{$1}++;
} elsif ( ($user, $error, $tty, $dir, $euser, $cmd, $args) = $ThisLine =~ m/^\s*(\S+) : (.*; )?TTY=(\S+) ; PWD=(.*?) ; USER=(\S+) ; COMMAND=(\S+)( ?.*)/) {
next if (defined($IgnoreCmds{$user}{$euser}) && $cmd =~ join("|",@{$IgnoreCmds{$user}{$euser}}));
next if (defined($IgnoreCmds{'any'}{$euser}) && $cmd =~ join("|",@{$IgnoreCmds{'any'}{$euser}}));
push @{$byUser{$user}{$euser}}, [$error . $cmd, $args, $dir, $tty];
$byUserSum{$user}{$euser}{$cmd} += 1;
} elsif ( ($user,$euser) = $ThisLine =~ /^\s*(\S+) : no passwd entry for (\S+)\!$/) {
push @{$byUser{$user}{$euser . " (No such user)"}}, ["No password entry"];
} elsif ( ($user, $error, $tty, $dir, $euser, $cmd, $args) = $ThisLine =~ m/^\s*\S+ : \(command continued\)/) {
$contlines++;
} else {
chomp($ThisLine);
$OtherList{$ThisLine}++;
}
}
foreach my $user (sort keys %byUser) {
foreach my $euser (sort keys %{$byUser{$user}}) {
print "\n$user => $euser\n", "-" x length("$user => $euser"), "\n";
foreach my $cmd (sort keys %{$byUserSum{$user}{$euser}}) {
if ($Detail < 10 && $CmdsThresh <= $byUserSum{$user}{$euser}{$cmd}) {
printf "%-30s - %3i Time(s).\n", $cmd, $byUserSum{$user}{$euser}{$cmd};
} # if $Detail < 10
} # foreach $gcmd
foreach my $row (@{$byUser{$user}{$euser}}) {
if ($Detail >= 10 || $CmdsThresh > $byUserSum{$user}{$euser}{$$row[0]}) {
my ($gcmd, $args, $dir, $tty) = @$row;
my $cmd = "$gcmd$args";
# make long commands easier to read
$cmd =~ s/(?=.{74,})(.{1,74}) /${1} \\\n /g if (length($cmd) > 75);
print "$cmd\n";
if ($Detail >= 20) {
my $ttydetail = "";
$ttydetail = "($tty) " if $Detail >= 30;
print "\t$ttydetail$dir\n";
} # if $Detail >= 20
$argsprinted=1;
} # if $Detail >= 10
} # foreach $row
} # foreach $euser
} # foreach $user
if (keys %ConFailed) {
print "\nConversation failed with:";
print "\n-------------------------";
foreach my $conv (sort keys %ConFailed) {
printf "\n%-30s - %3i Time(s)", $conv, $ConFailed{$conv};
}
print "\n";
}
if($contlines && $argsprinted) {
print "\nThe argument list of some of above commands might be incomplete\n";
}
if (keys %OtherList) {
print "\n\n**Unmatched Entries**";
foreach my $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) {
print "\n $line: $OtherList{$line} Time(s)";
}
}
# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: