Guide to the Linux Manual




sudoers(5)

default sudo security policy plugin

LOG FORMAT

sudoers can log events in either JSON or sudo format; this section describes the sudo log format. Depending on the sudoers configuration, sudoers can log events via syslog(3), to a local log file, or both. The log format is almost identical in both cases.

Accepted command log entries

Commands that sudo runs are logged using the following format (split into multiple lines for readability):

    date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
        USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
        ENV=env_vars COMMAND=command

Where the fields are as follows:

date
    The date the command was run. Typically, this is in the format 'MMM, DD, HH:MM:SS'. If logging via syslog(3), the actual date format is controlled by the syslog daemon. If logging to a file and the log_year option is enabled, the date will also include the year.

hostname
    The name of the host sudo was run on. This field is only present when logging via syslog(3).

progname
    The name of the program, usually sudo or sudoedit. This field is only present when logging via syslog(3).

username
    The login name of the user who ran sudo.

ttyname
    The short name of the terminal (e.g., 'console', 'tty01', or 'pts/0') sudo was run on, or 'unknown' if there was no terminal present.

cwd
    The current working directory that sudo was run in.

runasuser
    The user the command was run as.

runasgroup
    The group the command was run as, if one was specified on the command line.

logid
    An I/O log identifier that can be used to replay the command's output. This is only present when the log_input or log_output option is enabled.

env_vars
    A list of environment variables specified on the command line, if any were specified.

command
    The actual command that was executed.

Messages are logged using the locale specified by sudoers_locale, which defaults to the 'C' locale.

Denied command log entries

If the user is not allowed to run the command, the reason for the denial will follow the user name. Possible reasons include:

user NOT in sudoers
    The user is not listed in the sudoers file.

user NOT authorized on host
    The user is listed in the sudoers file but is not allowed to run commands on the host.

command not allowed
    The user is listed in the sudoers file for the host but they are not allowed to run the specified command.

3 incorrect password attempts
    The user failed to enter their password after 3 tries. The actual number of tries will vary based on the number of failed attempts and the value of the passwd_tries option.

a password is required
    The -n option was specified but a password was required.

sorry, you are not allowed to set the following environment variables
    The user specified environment variables on the command line that were not allowed by sudoers.

Error log entries

If an error occurs, sudoers will log a message and, in most cases, send a message to the administrator via email. Possible errors include:

parse error in /etc/sudoers near line N
    sudoers encountered an error when parsing the specified file. In some cases, the actual error may be one line above or below the line number listed, depending on the type of error.

problem with defaults entries
    The sudoers file contains one or more unknown Defaults settings. This does not prevent sudo from running, but the sudoers file should be checked using visudo.

timestamp owner (username): No such user
    The time stamp directory owner, as specified by the timestampowner setting, could not be found in the password database.

unable to open/read /etc/sudoers
    The sudoers file could not be opened for reading. This can happen when the sudoers file is located on a remote file system that maps user-ID 0 to a different value. Normally, sudoers tries to open the sudoers file using group permissions to avoid this problem. Consider either changing the ownership of /etc/sudoers or adding an argument like 'sudoers_uid=N' (where 'N' is the user-ID that owns the sudoers file) to the end of the sudoers Plugin line in the sudo.conf(5) file.

unable to stat /etc/sudoers
    The /etc/sudoers file is missing.

/etc/sudoers is not a regular file
    The /etc/sudoers file exists but is not a regular file or symbolic link.

/etc/sudoers is owned by uid N, should be 0
    The sudoers file has the wrong owner. If you wish to change the sudoers file owner, please add 'sudoers_uid=N' (where 'N' is the user-ID that owns the sudoers file) to the sudoers Plugin line in the sudo.conf(5) file.

/etc/sudoers is world writable
    The permissions on the sudoers file allow all users to write to it. The sudoers file must not be world-writable; the default file mode is 0440 (readable by owner and group, writable by none). The default mode may be changed via the 'sudoers_mode' option to the sudoers Plugin line in the sudo.conf(5) file.

/etc/sudoers is owned by gid N, should be 1
    The sudoers file has the wrong group ownership. If you wish to change the sudoers file group ownership, please add 'sudoers_gid=N' (where 'N' is the group-ID that owns the sudoers file) to the sudoers Plugin line in the sudo.conf(5) file.

unable to open /run/sudo/ts/username
    sudoers was unable to read or create the user's time stamp file. This can happen when timestampowner is set to a user other than root and the mode on /run/sudo is not searchable by group or other. The default mode for /run/sudo is 0711.

unable to write to /run/sudo/ts/username
    sudoers was unable to write to the user's time stamp file.

/run/sudo/ts is owned by uid X, should be Y
    The time stamp directory is owned by a user other than timestampowner. This can occur when the value of timestampowner has been changed. sudoers will ignore the time stamp directory until the owner is corrected.

/run/sudo/ts is group writable
    The time stamp directory is group-writable; it should be writable only by timestampowner. The default mode for the time stamp directory is 0700. sudoers will ignore the time stamp directory until the mode is corrected.

Notes on logging via syslog

By default, sudoers logs messages via syslog(3). The date, hostname, and progname fields are added by the system's syslog() function, not by sudoers itself. As such, they may vary in format on different systems.

The maximum size of syslog messages varies from system to system. The syslog_maxlen setting can be used to change the maximum syslog message size from the default value of 980 bytes. For more information, see the description of syslog_maxlen.

Notes on logging to a file

If the logfile option is set, sudoers will log to a local file, such as /var/log/sudo. When logging to a file, sudoers uses a format similar to syslog(3), with a few important differences:

1. The progname and hostname fields are not present.

2. If the log_year option is enabled, the date will also include the year.

3. Lines that are longer than loglinelen characters (80 by default) are word-wrapped and continued on the next line with a four character indent. This makes entries easier to read for a human being, but makes it more difficult to use grep(1) on the log files. If the loglinelen option is set to 0 (or negated with a '!'), word wrap will be disabled.
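The entry format above (accepted and denied commands) and the file-logging differences (no hostname/progname, four-space continuation lines) are enough to parse these logs for review. The following parser is an added example, not part of the sudoers manual or the sudo project; the log lines it reads are constructed, and the "date : username" layout it assumes for logfile entries, the optional "[pid]" after progname, and the space-joining of wrapped lines are assumptions.

```python
import re

# Constructed sample log, not taken from the page. Lines 1-3 are syslog format
# (date, hostname and progname are prepended by syslog(3)); line 4 is logfile
# format (no hostname/progname), word-wrapped by sudoers onto a continuation
# line indented by four spaces, as loglinelen (80 by default) does.
SAMPLE_LOG = """\
Mar 12 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar 12 10:16:22 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 12 10:17:05 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id
Mar 12 10:18:40 : dave : TTY=pts/3 ; PWD=/srv/app ; USER=deploy ; GROUP=www-data ;
    TSID=000001 ; ENV=RAILS_ENV=production COMMAND=/usr/bin/bundle exec rake db:migrate
"""

# date, then an optional "hostname progname[pid]:" (syslog only), then "username : rest".
HEADER = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)"
    r"(?: (?P<host>\S+) (?P<prog>sudo(?:edit)?)(?:\[\d+\])?:)?"
    r"\s*:?\s*(?P<user>\S+) : (?P<rest>.*)$")
KEYS = {"TTY", "PWD", "USER", "GROUP", "TSID", "ENV", "COMMAND"}

def join_wrapped(text):
    """Re-join continuation lines that sudoers indented with four spaces (assumed: join with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("    ") and lines:
            lines[-1] += " " + raw.strip()
        elif raw.strip():
            lines.append(raw.rstrip())
    return lines

def parse_sudo_log(text):
    """One dict per command entry; the 'reason' key is present only for denials."""
    entries = []
    for line in join_wrapped(text):
        m = HEADER.match(line)
        if not m:
            continue  # not a command entry (e.g. a parse-error message)
        entry = {"date": m["date"], "host": m["host"], "prog": m["prog"], "user": m["user"]}
        for part in m["rest"].split(" ; "):
            key, eq, value = part.partition("=")
            if not eq or key not in KEYS:
                entry["reason"] = part  # free text before the first KEY= is the denial reason
                continue
            if key == "ENV":  # "ENV=vars COMMAND=cmd": no " ; " between the two
                value, _, entry["COMMAND"] = value.partition(" COMMAND=")
            entry[key] = value
        entries.append(entry)
    return entries
```

Filtering on the presence of "reason" gives the denied attempts (here bob and carol), which is the usual starting point for reviewing sudo activity.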