Where are sudo incidents reported?

Solution 1

Nevermind, I just found the answer in the alt-text at xkcd:

xkcd838

Replace root with your username, in my case ryan, so the log is found with:

cat /var/spool/mail/ryan

Solution 2

The report is sent as an email to the root user. Many Linux distributions will automatically set up an alias for that user directing the mail to the first account created during the install process.

Author by

user1717828

Updated on April 10, 2020

Comments

  • user1717828
    user1717828 about 4 years

    Attempting something devious on my machine leads to

    ryan@debian:~$ sudo EAT_ALL_THE_COOKIES_BEFORE_DINNER
    [sudo] password for ryan: 
    ryan is not in the sudoers file.  This incident will be reported.
    

    Where is this incident reported, and how do I get the log of all the nasty attempted commands?

  • njsg
    njsg over 11 years
    Shouldn't it be root unless there is some forwarding set? The whole point should be that the email is sent to the administrator. Also, sure, once some forwarding is set, you can cat the spool file, but you can also use some mail client, like mail, nail, or something else that supports reading from the local spool (I'd say that this is usually the case except maybe for GUI clients "imported" from the Windows world).
  • dmnc
    dmnc over 9 years
    There's nothing in /var/spool/mail in distributions using systemd (Archlinux in my case). In this case, you can find that report in the journal by using the journalctl command. (@shellter - due to closed topic - disagree - I had to post a comment, not another valid answer)
  • simonzack
    simonzack over 9 years
    @dmnc I can confirm this, the journalctl command for this is sudo journalctl /bin/sudo.
  • CJBS
    CJBS about 9 years
    I know this is tagged 'debian', but I came looking for Ubuntu. So for the benefit of others looking for Ubuntu's output log, I found sudo failures in: /var/log/auth.log
  • akshayk07
    akshayk07 almost 5 years
    More specifically, to only see sudo failures in Ubuntu use cat /var/log/auth.log | grep sudoers.
  • Rain
    Rain over 2 years
    @CJBS In Ubuntu under WSL I had to run sudo service rsyslog start to start the logging service.
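
An added example, not part of the original thread: a shell function that extracts denied or failed sudo attempts from log lines in the format found in /var/log/auth.log or in journalctl output, the two locations the comments above point to. The sample log lines, the function names and the three reason strings matched are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample lines (made-up host, users, commands) in the format sudo
# logs via syslog (auth.log) and via the journal (with a [pid] suffix).
SAMPLE_LOG='Apr 10 09:15:02 debian sudo:     ryan : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ryan ; USER=root ; COMMAND=/usr/bin/apt update
Apr 10 09:16:40 debian sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Apr 10 09:17:11 debian sudo[2211]:      bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
Apr 10 09:18:30 debian sudo:     ryan : command not allowed ; TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Apr 10 09:18:31 debian sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)'

# Read log lines on stdin; print "user|reason|command" for each sudo attempt
# that was denied or failed authentication. Successful runs are skipped.
sudo_incidents() {
    awk '
    match($0, / sudo(\[[0-9]+\])?: /) {
        msg = substr($0, RSTART + RLENGTH)
        sub(/^ +/, "", msg)
        p = index(msg, " : ")            # separates user from the rest
        if (!p) next                     # e.g. PAM session lines
        user = substr(msg, 1, p - 1)
        rest = substr(msg, p + 3)
        s = index(rest, " ; ")
        reason = s ? substr(rest, 1, s - 1) : rest
        if (reason !~ /NOT in sudoers|not allowed|incorrect password/) next
        c = index(rest, "COMMAND=")      # command may itself contain " ; "
        cmd = c ? substr(rest, c + 8) : "-"
        print user "|" reason "|" cmd
    }'
}

# Incidents per user, most frequent first: "count user".
sudo_incident_counts() {
    sudo_incidents | awk -F"|" '{ n[$1]++ } END { for (u in n) print n[u], u }' |
        sort -k1,1nr -k2
}

# Demo on the constructed sample; on a real host pipe in /var/log/auth.log
# or the output of "journalctl /bin/sudo" instead.
printf '%s\n' "$SAMPLE_LOG" | sudo_incidents
```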