This incident will be reported - Security & Cryptography
I always though this would be some legacy unused feature of sudo(1), thinking that you had to read some dark parts of /var/log/secure logs (something nobody ever does)...

But I shit you not, this happened today:

[Image: had.png]

I felt... betrayed! THIS IS ACTUALLY REPORTED!
Quote:root is not in the sudoers file. This incident will be reported.
I've always wondered, why root is added by default to the sudoers file?

Quote:sudoers can log both successful and unsuccessful attempts (as well as errors) to
syslog(3), a log file, or both. By default, sudoers will log via syslog(3) but
this is changeable via the syslog and logfile Defaults setting
And in auth.log
Jul  3 12:07:40 computer sudo:     root : user NOT in sudoers ; TTY=pts/30 ; PWD=/home/patrick ; USER=root ; COMMAND=t

It's your syslog implementation (for me here it's rsyslog) configuration that is forwarding it by email, it might not be default on all systems.
(03-07-2017, 06:14 AM)venam Wrote: I've always wondered, why root is added by default to the sudoers file?
I've found the answer to my question in a thread regarding `doas`.

Here it is:

In summary, root cannot run sudo/doas by default if it's not specified in the file, which is inconvenient for some tasks.
Can someone elaborate what was happening?
From my understanding z3bra wanted to run `sudo lsblk /dev/sda` as root, which was prohibited?
(07-07-2017, 05:13 AM)r4ndom Wrote: Can someone elaborate what was happening?

Code: > sudo lsblk
user NOT in sudoers
This action is going to be reported (or something similar)

He's just pointing out that he didn't realize it would actually be reported somewhere (syslog -> email).

Members  |  Stats  |  Night Mode