########################################################################### # $Id$ ########################################################################### # $Log: sudo,v $ # Revision 1.15 2011/01/06 15:36:02 stefan # added: Conversation failed with # # Revision 1.14 2008/03/24 23:31:27 kirk # added copyright/license notice to each script # # Revision 1.13 2007/11/25 20:07:49 bjorn # Filtering a pam_unix message, by Ivana Varekova. # # Revision 1.12 2007/09/02 01:36:21 mrc # - Patch to allow dot (.) in user names from Matthew Joyce # # Revision 1.11 2006/04/12 23:17:09 bjorn # Added %OtherList, and handles some errors. # ########################################################################### ########################################################################### # sudo: A logwatch script to collate and format sudo log entries from # the secure log. Entries are broken down by the user who issued # the command, and further by the effective user of the command. # # Detail Levels: # 0: Just print the command # 20: Include the current directory when the command was executed # (on a separate line) # 30: Include the TTY on the directory line ########################################################################### ####################################################### ## Copyright (c) 2008 Kirk Bauer ## Covered under the included MIT/X-Consortium License: ## http://www.opensource.org/licenses/mit-license.php ## All modifications and contributions by other persons to ## this script are assumed to have been donated to the ## Logwatch project and thus assume the above copyright ## and licensing terms. If you want to make contributions ## under your own copyright or a different license this ## must be explicitly stated in the contribution an the ## Logwatch project reserves the right to not accept such ## contributions. If you have made significant ## contributions to this script and want to claim ## copyright please contact logwatch-devel@lists.sourceforge.net. ######################################################### use strict; my %OtherList; my ($Debug, $Detail, %byUser, %byUserSum); my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; # maximum number of commands user ran to display at low detail my $CmdsThresh = $ENV{'command_run_threshold'} || 0; my %IgnoreCmds; my ($user, $error, $tty, $dir, $euser, $cmd, $args); my (%ConFailed); my $contlines = 0; my $argsprinted = 0; if (defined($ENV{'ignore_commands'})) { foreach my $entry (split(',',$ENV{'ignore_commands'})) { $entry =~ s/['"]//g; my ($from_user,$to_user,$cmd) = split(';',$entry); push(@{$IgnoreCmds{$from_user}{$to_user}},$cmd); } } while (defined(my $ThisLine = )) { if ($ThisLine =~ /pam_unix\(sudo:auth\): authentication failure; logname=\S* uid=[0-9]* euid=[0-9]* tty=\S* ruser=\S* rhost=\S* user=\S*/ ) # this log is parsed in pam_unix section { # Ignore } elsif ($ThisLine =~ /pam_unix\(sudo:session\): session (opened|closed) for user \S+/) { # handled in pam_unix } elsif ($ThisLine =~ /pam_unix\(sudo:auth\): auth could not identify password for/) { # handled in pam_unix } elsif ($ThisLine =~ /pam_sss\(sudo:auth\): authentication success/) { # Ignore } elsif ($ThisLine =~ /(.+): conversation failed/) { $ConFailed{$1}++; } elsif ( ($user, $error, $tty, $dir, $euser, $cmd, $args) = $ThisLine =~ m/^\s*(\S+) : (.*; )?TTY=(\S+) ; PWD=(.*?) ; USER=(\S+) ; COMMAND=(\S+)( ?.*)/) { next if (defined($IgnoreCmds{$user}{$euser}) && $cmd =~ join("|",@{$IgnoreCmds{$user}{$euser}})); next if (defined($IgnoreCmds{'any'}{$euser}) && $cmd =~ join("|",@{$IgnoreCmds{'any'}{$euser}})); push @{$byUser{$user}{$euser}}, [$error . $cmd, $args, $dir, $tty]; $byUserSum{$user}{$euser}{$cmd} += 1; } elsif ( ($user,$euser) = $ThisLine =~ /^\s*(\S+) : no passwd entry for (\S+)\!$/) { push @{$byUser{$user}{$euser . " (No such user)"}}, ["No password entry"]; } elsif ( ($user, $error, $tty, $dir, $euser, $cmd, $args) = $ThisLine =~ m/^\s*\S+ : \(command continued\)/) { $contlines++; } else { chomp($ThisLine); $OtherList{$ThisLine}++; } } foreach my $user (sort keys %byUser) { foreach my $euser (sort keys %{$byUser{$user}}) { print "\n$user => $euser\n", "-" x length("$user => $euser"), "\n"; foreach my $cmd (sort keys %{$byUserSum{$user}{$euser}}) { if ($Detail < 10 && $CmdsThresh <= $byUserSum{$user}{$euser}{$cmd}) { printf "%-30s - %3i Time(s).\n", $cmd, $byUserSum{$user}{$euser}{$cmd}; } # if $Detail < 10 } # foreach $gcmd foreach my $row (@{$byUser{$user}{$euser}}) { if ($Detail >= 10 || $CmdsThresh > $byUserSum{$user}{$euser}{$$row[0]}) { my ($gcmd, $args, $dir, $tty) = @$row; my $cmd = "$gcmd$args"; # make long commands easier to read $cmd =~ s/(?=.{74,})(.{1,74}) /${1} \\\n /g if (length($cmd) > 75); print "$cmd\n"; if ($Detail >= 20) { my $ttydetail = ""; $ttydetail = "($tty) " if $Detail >= 30; print "\t$ttydetail$dir\n"; } # if $Detail >= 20 $argsprinted=1; } # if $Detail >= 10 } # foreach $row } # foreach $euser } # foreach $user if (keys %ConFailed) { print "\nConversation failed with:"; print "\n-------------------------"; foreach my $conv (sort keys %ConFailed) { printf "\n%-30s - %3i Time(s)", $conv, $ConFailed{$conv}; } print "\n"; } if($contlines && $argsprinted) { print "\nThe argument list of some of above commands might be incomplete\n"; } if (keys %OtherList) { print "\n\n**Unmatched Entries**"; foreach my $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) { print "\n $line: $OtherList{$line} Time(s)"; } } # vi: shiftwidth=3 tabstop=3 syntax=perl et # Local Variables: # mode: perl # perl-indent-level: 3 # indent-tabs-mode: nil # End: