sulekha
Whenever a user who is not in the /etc/sudoers file issues the sudo command,
we will get the following message:
"... is not in the sudoers file. This incident will be reported"
Now my question is: where does this reporting take place?
From which file can an administrator know who all tinkered with the sudo command?
Is it the /var/log/auth.log file?
colucix
From the sudo man page:
Code:
If a user who is not listed in the sudoers file tries to run a command via sudo, mail is sent to
the proper authorities, as defined at configure time or in the sudoers file (defaults to root).
Note that the mail will not be sent if an unauthorized user tries to run sudo with the -l or -v
flags. This allows users to determine for themselves whether or not they are allowed to use sudo.
The log file is usually auth.log, as you already stated. You can see an entry like this:
Code:
Nov 14 21:09:58 localhost sudo: pippo : user NOT in sudoers ; TTY=pts/1 ; PWD =/home/pippo ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Theory is when you know all and nothing works. Practice is when all works and nobody knows why. In this case we have put together theory and practice: nothing works... and nobody knows why! (Albert Einstein)
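As an added example (not part of the original posts), this script pulls the "user NOT in sudoers" entries out of an auth.log-style file and counts them per user. It assumes the traditional syslog timestamp and the field layout of the entry quoted above; the function names and the sample lines are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in the format quoted above (not real log data).
SAMPLE_LOG = """\
Nov 14 21:09:58 localhost sudo: pippo : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/pippo ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Nov 14 21:10:41 localhost sudo: admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
Nov 14 21:12:03 localhost sudo[4312]:    pippo : user NOT in sudoers ; TTY=pts/1 ; PWD =/home/pippo ; USER=root ; COMMAND=/bin/cat /etc/shadow
Nov 14 21:15:27 localhost sshd[4400]: Accepted password for pluto from 192.0.2.10 port 50022 ssh2
Nov 14 21:16:02 localhost sudo: pluto : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo a ; id
"""

# Matches only sudo entries for users missing from sudoers; the optional
# [pid] and padding before the user name vary between syslog daemons.
LINE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : user NOT in sudoers ; (?P<fields>.*)$"
)

def parse_denied(line):
    """Return a dict for a 'user NOT in sudoers' line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # COMMAND is the last field and may itself contain " ; ", so split it off first.
    head, sep, command = m["fields"].partition("COMMAND=")
    if not sep:
        return None
    event = {"time": m["time"], "host": m["host"], "user": m["user"], "command": command}
    for field in head.split(" ; "):
        key, eq, value = field.partition("=")
        if eq:
            key = key.strip()
            # USER= is the target account, not the person who ran sudo.
            event["runas" if key == "USER" else key.lower()] = value.strip()
    return event

def denied_by_user(lines):
    """Return (events, Counter of attempts per invoking user)."""
    events = [e for e in map(parse_denied, lines) if e]
    return events, Counter(e["user"] for e in events)

if __name__ == "__main__":
    # Pass a log path (e.g. /var/log/auth.log) or run with no argument for the sample.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    events, counts = denied_by_user(lines)
    for e in events:
        print(e["time"], e["user"], "->", e.get("runas"), e["command"])
    print(dict(counts))
```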