Package: logcheck
Version: 1.3.17
Severity: wishlist
Tags: patch

Currently logcheck thinks

  "sudo -u nobody            pwd" is OK,
  "sudo           -g nogroup pwd" is scary; and
  "sudo -u nobody -g nogroup pwd" is scary.

IMO either these are all OK, or all scary --- probably the former.

Here is an (untested) patch against current logcheck;
I've been using a variation on oldoldstable systems for a while.



diff --git a/rulefiles/linux/violations.ignore.d/logcheck-sudo 
b/rulefiles/linux/violations.ignore.d/logcheck-sudo
index 92c3dd4..274ed83 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-sudo
+++ b/rulefiles/linux/violations.ignore.d/logcheck-sudo
@@ -1,5 +1,5 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5\(sudo:auth\): user 
[[:alnum:]-]+ authenticated as [[:alnum:]-]+@[.A-Z]+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : 
TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; 
USER=[._[:alnum:]-]+ ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : 
TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ (; 
(USER|GROUP)=[._[:alnum:]-]+ )+; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit 
).*|list)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : 
\(command continued\).*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): 
session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): 
session closed for user [[:alnum:]-]+$
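Review bot: in the `+` line, `(; (USER|GROUP)=[._[:alnum:]-]+ )+` is looser than the three cases the report lists: it also accepts repeated fields (`USER=a ; USER=b`), `GROUP=` before `USER=`, and any number of them. Because this lives in violations.ignore.d, an over-broad pattern silently suppresses matching lines. If sudo always emits `USER=` first with `GROUP=` optional after it, the ordered form `; USER=[._[:alnum:]-]+ (; GROUP=[._[:alnum:]-]+ )?; COMMAND=` covers `-u`, `-g` and `-u -g` while keeping the old rule's exactly-one-USER shape. Since the message says the patch is untested, it would help to paste the actual log lines produced by the three commands so the rule can be checked against them before it is merged.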
