prelude-lml 1.0.0-5.3ubuntu2 / etc / prelude-lml / ruleset / sudo.rules

This file is indexed.

/etc/prelude-lml/ruleset/sudo.rules is in prelude-lml 1.0.0-5.3ubuntu2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
#####
#
# Copyright (C) 2004 G Ramon Gomez <gene at gomezbrothers dot com>
# Tyco Fire and Security GTS (www.tycofireandsecurity.com)
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
#
#####

#####
#
# The rules included here were developed using sudo-1.6.6-3 on Linux.
# Please report any inconsistencies on other versions to G Ramon Gomez at the 
# address provided above
#
#####

#LOG:Feb 11 06:52:09 12.34.56.78 sudo:   cpatel : TTY=pts/0 ; PWD=/etc/rc.d/init.d ; USER=root ; COMMAND=./resin start
regex=(\S+) : TTY=(\S+) \; PWD=(.+) \; USER=(\S+) \; COMMAND=(.+); \
 classification.text=SUDO Command Executed; \
 id=2700; \
 revision=2; \
 analyzer(0).name=sudo; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.severity=low; \
 assessment.impact.description=User $1 successfully executed the command '$5' as $4.; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=original-user; \
 source(0).user.user_id(0).name=$1;  \
 target(0).user.category = os-device; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$4; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Source device; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Working directory; \
 additional_data(1).data=$3; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Command executed; \
 additional_data(2).data=$5; \
 last

#LOG:Jan 15 09:53:11 12.34.56.78 sudo:   ekwong : user NOT in sudoers ; TTY=pts/2 ; PWD=/ ; USER=root ; COMMAND=/bin/ls
regex=(\S+) : user NOT in sudoers \; TTY=(\S+) \; PWD=(.+) \; USER=(\S+) \; COMMAND=(.+); \
 classification.text=SUDO from Unauthorized User; \
 id=2701; \
 revision=2; \
 analyzer(0).name=sudo; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Unauthorized user $1 tried to execute the command '$5' as $4.;\
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=original-user; \
 source(0).user.user_id(0).name=$1;  \
 target(0).user.category = os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$4; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Source device; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Working directory; \
 additional_data(1).data=$3; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Command executed; \
 additional_data(2).data=$5; \
 last

APT Browse - Built by Thomas Orozco.