Who are incidents really reported to, and how can a sudo user access the reports?

Solution 1:

The title of the image might give us a clue:

He sees you when you're sleeping, he knows when you're awake, he's copied on /var/spool/mail/root, so be good for goodness' sake.

What does /var/spool/mail/root contain? Uhh, for me nothing as a normal user:

cat: /var/spool/mail/root: No such file or directory

And the same with sudo. For me, there is no /var/spool/mail/root.

It turns out, Ubuntu is different - by default root's mail goes to /dev/null, or the black hole in your computer.

To find our logs, we need to look in

/var/log/auth.log

And lo and behold, a sudo cat gives us this line:

Jun 25 22:45:07 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello

Note that sometimes (e.g. if your account has no password or is disabled) it will simply not let you run the command - but it will still be reported in the same way:

Jun 25 22:44:17 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello

Note that there is a lot of other text along with the "naughty" reports. You may need to grep.
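An added example, not part of either answer: it does the grep step above programmatically, parsing auth.log-style sudo lines into their fields and keeping only the refused requests so a defender can see who tried what from where. The sample lines are constructed from the format quoted above; the extra denial texts besides "user NOT in sudoers" are an assumption about sudo's other refusal messages.

```python
import re
from collections import Counter

# Shape of the sudo line quoted above, e.g.
#   Jun 25 22:45:07 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello
# journald-style lines carry a pid ("sudo[1234]:"), so that part is optional.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<invoker>\S+) : (?P<rest>.*)$"
)

# Refusal texts to flag. The first is the one on the page; the others are an
# assumption about sudo's other denial messages.
DENIAL_MARKERS = ("user NOT in sudoers", "command not allowed", "incorrect password attempt")

# Constructed sample: two refused attempts (the quoted lines), one allowed
# command, and a pam_unix line that is not a request record at all.
SAMPLE_AUTH_LOG = """\
Jun 25 22:44:17 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello
Jun 25 22:44:20 Hairy14 sudo:      tim : TTY=pts/0 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/apt update
Jun 25 22:44:21 Hairy14 sudo: pam_unix(sudo:session): session opened for user root by tim(uid=0)
Jun 25 22:45:07 Hairy14 sudo:  nonsudo : user NOT in sudoers ; TTY=pts/21 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/hello
""".splitlines()

def parse_sudo_line(line):
    """Parse one sudo request line; return None for lines of another shape."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "invoker": m.group("invoker"), "message": ""}
    # The rest is " ; "-separated: an optional free-text message, then KEY=VALUE
    # fields (TTY, PWD, USER = target user, COMMAND, which may contain spaces).
    for field in (f.strip() for f in m.group("rest").split(" ; ")):
        key, sep, val = field.partition("=")
        if sep and key.isupper():
            rec[key] = val
        else:
            rec["message"] = field
    rec["denied"] = any(marker in rec["message"] for marker in DENIAL_MARKERS)
    return rec

def find_incidents(lines):
    """Return only the parsed records that sudo refused."""
    return [r for r in map(parse_sudo_line, lines) if r and r["denied"]]

def incidents_by_invoker(lines):
    """Count refused requests per invoking user, for a quick triage view."""
    return Counter(r["invoker"] for r in find_incidents(lines))
```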

Solution 2:

The journalctl method

One method involves looking through the journalctl output. journalctl /usr/bin/sudo will list all messages related to that specific executable path, and the reported incident will be highlighted in a nice, noticeable red color like so:

journalctl -f /usr/bin/sudo will show only the most recent journal entries, and continuously print new entries as they are appended to the journal. It's only helpful if the reported incident has happened just recently.

GNOME Logs

Another way to find such incidents is to use the default Logs application, which is installed by default on recent Ubuntu releases. A short screencast showcasing how it can be done through GNOME Logs: https://webm.red/view/yc0w.webm

  1. open the application;
  2. select "All" from the list of categories on the left side;
  3. invoke the search bar and
  4. just type in "sudo".

It lacks the highlighting of journalctl, though.