Who are incidents really reported to, and how can a sudo user access the reports?

sudo

Solution 1:

The Title of the image might give us a clue:

He sees you when you're sleeping, he knows when you're awake, he's copied on /var/spool/mail/root, so be good for goodness' sake.

What does /var/spool/mail/root contain? Uhh, for me nothing as a normal user:

cat: /var/spool/mail/root: No such file or directory

And the same with sudo. For me, there is no /var/spool/mail/root

It turns out, Ubuntu is different - by default root's mail goes to /dev/null, or the black hole in your computer.

To find our logs, we need to look in

/var/log/auth.log

And lo and behold, a sudo cat gives us this line:

Jun 25 22:45:07 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello

Note that sometimes (e.g. if your account has no password, is disabled) it will simply not let you run the command - but it will still be reported in the same way:

Jun 25 22:44:17 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello

Note that there is a lot of other text along with the "naughty" reports. You may need to grep.

Solution 2:

The journalctl method

One method involves looking through the journalctl output. journalctl /usr/bin/sudo will list all messages related to that specific executable path, and the reported incident will be highlighted in a nice, noticeable red color like so:

journalctl -f /usr/bin/sudo will show only the most recent journal entries, and continuously print new entries as they are appended to the journal. It's only helpful if the reported incident has happened just recently.

GNOME Logs

Another way to find such incidents is to use the default Logs application, which is installed by default on recent Ubuntu releases. A short screencast showcasing how it can be done through GNOME Logs: https://webm.red/view/yc0w.webm

  1. open the application;
  2. select "All" from the list of categories on the left-side;
  3. invoke the search bar and
  4. just type in "sudo".

It lacks the highlighting of the journalctl, though.

Related

Ubuntu installation partitioning: Logical or primary?
Copy to USB memory stick really slow?
What is the .Xauthority file?
Typescript Date Type?
TypeScript function overloading
Can I set variables to undefined or pass undefined as an argument?
How to get the mouse position without events (without moving the mouse)?
Understanding the map function
How to make certain text not selectable with CSS [duplicate]
How to add a breakpoint to objc_exception_throw?
Ternary operation in CoffeeScript
Detect home button press in android