What does the error “X is not in the sudoers file. This incident will be reported.” philosophically/logically mean?












29 votes, 5 favorites












Alongside the question "Username is not in the sudoers file. This incident will be reported", which explained the programmatic aspects of the error and suggested some workarounds, I want to know: what does this error mean?



X is not in the sudoers file. This incident will be reported.


The former part of the error explains the error clearly. But the second part says that "This error will be reported"?! But why? Why will the error be reported, and where? To whom? I'm both user and administrator and didn't receive any report :)!
























  • 11




    Philosophically?!? Or technically?
    – Jeff Schaller
    Jun 21 at 12:30






  • 62




    obligatory xkcd
    – steeldriver
    Jun 21 at 12:55







  • 9




    A (good) system silently logs lots of stuff. Lots and lots of stuff. Especially errors. Especially if it considers them to be ill-intentioned. I think that by asking about "philosophically", OP is asking why this specific concrete error warns you in such an intimidating way about the reporting, while most other failures are reported silently. It might just be what the original coder wrote at the moment, but after many versions it has never been changed, and there could be a deeper meaning. Or maybe not. If this is the focus, I think this is a great question I've wondered about quite a few times.
    – xDaizu
    Jun 21 at 15:46







  • 4




    This presumably dates back to when you had a whole building using 1 computer and an admin/operator looked after the computer as a full-time job.
    – immibis
    Jun 22 at 1:28






  • 1




    Years ago when I was in university and before sudo was a thing, I was trying to do something as root on my personal Linux box. So, I ran su. When it rejected my password, I tried again several times thinking I had mistyped my password. Eventually I realized that that terminal was logged into the school's email server. Not long after that, the email server sysadmin asked me why I had tried to get root on his system. So there clearly was some sort of reporting even though it was in the pre-sudo days.
    – Scott Severance
    Jun 22 at 17:16

edited Jun 22 at 8:58
asked Jun 21 at 12:22
Kasramvd
4 Answers























39 votes, accepted










The administrator(s) of a system are likely to want to know when a non-privileged user tries but fails to execute commands using sudo. If this happens, it could be a sign of



  1. a curious legitimate user just trying things out, or

  2. a hacker trying to do "bad things".

Since sudo by itself can not distinguish between these, failed attempts to use sudo are brought to the attention of the admins.



Depending on how sudo is configured on your system, any attempt (successful or not) to use sudo will be logged. Successful attempts are logged for audit purposes (to be able to keep track of who did what when), and failed attempts for security.



On a fairly vanilla Ubuntu setup that I have, this is logged in /var/log/auth.log.



If a user gives the wrong password three times, or if they are not in the sudoers file, an email is sent to root (depending on the configuration of sudo, see below). This is what's meant by "this incident will be reported".



The email will have a prominent subject:



Subject: *** SECURITY information for thehostname ***


The body of the message contains the relevant lines from the logfile, for example



thehostname : Jun 22 07:07:44 : nobody : user NOT in sudoers ; TTY=console ; PWD=/some/path ; USER=root ; COMMAND=/bin/ls


(Here, the user nobody tried to run ls through sudo as root, but failed since they were not in the sudoers file).



No email is sent if (local) mail has not been set up on the system.



All of these things are configurable as well, and local variations in the default configuration may differ between Unix variants.



Have a look at the mail_no_user setting (and related mail_* settings) in the sudoers manual (my emphasis below):




mail_no_user



If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.


























  • 3




    Lovely and all, but doesn't answer the question. In IT, the word "reported" has different meaning than "logged".
    – kubanczyk
    Jun 22 at 6:21






  • 6




    @kubanczyk You will notice that when sudo says an incident is reported, it is reported. A special email is sent to the root account. This is different from logging. If you have further info on the special meaning of "reported" in IT, I'd be happy to hear it.
    – Kusalananda
    Jun 22 at 6:30











  • The question is about the "not in sudoers file" situation, not about "user gives the wrong password".
    – kubanczyk
    Jun 22 at 6:54










  • @kubanczyk Fixed it. I'm still not sure about the difference in meaning of the word "reported" in IT and elsewhere.
    – Kusalananda
    Jun 22 at 7:13











  • @kubanczyk Sorry, I misread your first comment several times. I thought you were pointing out a difference in meaning of "reported" in IT when you in fact said that "logged" and "reported" are not the same thing. I agree. I hope this is clear from the answer since I give examples of both logging and reporting (emailing).
    – Kusalananda
    Jun 22 at 7:29

















15 votes













In Debian and its derivatives, the sudo incident reports are logged to /var/log/auth.log which contains system authorization information, including user logins and authentication mechanisms that were used:



$ sudo su
[sudo] password for regularjohn:
regularjohn is not in the sudoers file. This incident will be reported.

[as root]

$ tail -n 1 /var/log/auth.log
Jun 21 16:30:26 marvin sudo: regularjohn : user NOT in sudoers ; TTY=pts/19 ; PWD=/home/regularjohn ; USER=root ; COMMAND=/bin/su


This log file is typically only accessible to users in the adm group, i.e. users with access to system monitoring tasks:



$ ls -la /var/log/auth.log
-rw-r----- 1 syslog adm 76189 Jun 21 16:30 /var/log/auth.log


From the Debian Wiki:




Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group.




Users in the adm group are usually administrators, and this group permission is intended to allow them to read log files without having to su.



By default sudo uses the Syslog auth facility for logging. sudo's logging behavior can be modified using the logfile or syslog options in /etc/sudoers or /etc/sudoers.d:



  • The logfile option sets the path to the sudo log file.

  • The syslog option sets the Syslog facility when syslog(3) is being used for logging.

The Syslog auth facility is redirected to /var/log/auth.log in /etc/syslog.conf by the presence of the following configuration stanza:



auth,authpriv.* /var/log/auth.log
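The record that sudo writes to /var/log/auth.log (quoted in this answer) and the record that lands in the body of the "*** SECURITY information ***" email (quoted in the accepted answer) carry the same `TTY=... ; PWD=... ; USER=... ; COMMAND=...` fields; only the prefix before the invoking user differs. The following parser is an added example, not code from the page or from the sudo project; it reads both forms, separates the free-text reason ("user NOT in sudoers") from the key/value fields, and lists the denied attempts an administrator would want to see. The sample lines are constructed after the ones quoted in the answers, and the wording of the repeated-wrong-password record is reproduced from memory and should be treated as an assumption.

```python
"""Parser for the sudo denial records quoted on this page.

sudo emits one record per attempt. The record in /var/log/auth.log and the
one in the body of the security email carry the same fields; only the prefix
in front of the invoking user differs:

  syslog form:  <timestamp> <host> sudo: <user> : <reason> ; TTY=... ; PWD=... ; USER=... ; COMMAND=...
  mail form:    <host> : <timestamp> : <user> : <reason> ; TTY=... ; ...

A record with no free-text <reason> is an attempt that was allowed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample records modelled on the lines quoted in the answers; they
# are not captured from a real host. Line 2 uses the wording sudo prints after
# repeated wrong passwords (reproduced from memory: treat the exact text as an
# assumption), line 3 is the mail-body form, line 4 is an allowed command.
SAMPLE_LINES = [
    "Jun 21 16:30:26 marvin sudo: regularjohn : user NOT in sudoers ; TTY=pts/19 ; PWD=/home/regularjohn ; USER=root ; COMMAND=/bin/su",
    "Jun 21 16:31:02 marvin sudo: regularjohn : 3 incorrect password attempts ; TTY=pts/19 ; PWD=/home/regularjohn ; USER=root ; COMMAND=/bin/ls",
    "thehostname : Jun 22 07:07:44 : nobody : user NOT in sudoers ; TTY=console ; PWD=/some/path ; USER=root ; COMMAND=/bin/ls",
    "Jun 21 16:35:10 marvin sudo: alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
]

TIMESTAMP = r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d"
SYSLOG_RE = re.compile(rf"^(?P<ts>{TIMESTAMP}) (?P<host>\S+) sudo(?:\[\d+\])?: +(?P<rest>.+)$")
MAIL_RE = re.compile(rf"^(?P<host>\S+) : (?P<ts>{TIMESTAMP}) : (?P<rest>.+)$")


@dataclass
class SudoRecord:
    host: str
    timestamp: str
    user: str
    reason: Optional[str]      # None when the command was allowed
    fields: Dict[str, str]     # TTY, PWD, USER, COMMAND, ...

    @property
    def denied(self) -> bool:
        return self.reason is not None


def parse_sudo_record(line: str) -> Optional[SudoRecord]:
    """Parse one sudo record in either form; return None for any other line."""
    m = SYSLOG_RE.match(line) or MAIL_RE.match(line)
    if m is None:
        return None
    user, sep, remainder = m.group("rest").partition(" : ")
    if not sep:
        return None
    reason: Optional[str] = None
    fields: Dict[str, str] = {}
    parts = remainder.split(" ; ")
    for i, part in enumerate(parts):
        key, eq, value = part.partition("=")
        if not eq:
            reason = part          # free text such as "user NOT in sudoers"
            continue
        if key == "COMMAND":
            # COMMAND is always the last field; re-join the tail in case the
            # command line itself contained " ; "
            fields[key] = " ; ".join([value] + parts[i + 1:])
            break
        fields[key] = value
    return SudoRecord(m.group("host"), m.group("ts"), user, reason, fields)


def denied_attempts(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(user, host, command, reason) for every denied attempt in `lines`:
    the events the accepted answer says are mailed to root by default."""
    out = []
    for line in lines:
        rec = parse_sudo_record(line)
        if rec is not None and rec.denied:
            out.append((rec.user, rec.host, rec.fields.get("COMMAND", ""), rec.reason))
    return out


if __name__ == "__main__":
    for user, host, command, reason in denied_attempts(SAMPLE_LINES):
        print(f"{host}: {user} denied ({reason}) running {command}")
```

Feeding the real file through the same function (`denied_attempts(open("/var/log/auth.log"))`) requires membership of the adm group, as the answer notes; the allowed record in the sample is kept so the audit trail of successful use is visible next to the denials.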



































7 votes













    Technically, it doesn't mean anything much. Many (if not all) other software logs logins, failed or otherwise. For example sshd and su:



    Jun 21 17:52:22 somehost sshd[25807]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=root
    Jun 21 17:52:22 somehost sshd[25807]: Failed password for root from ::1 port 37268 ssh2
    Jun 21 17:52:23 somehost sshd[25807]: Connection closed by ::1 port 37268 [preauth]
    Jun 21 17:52:28 somehost su[25809]: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/15 ruser=someuser rhost= user=root
    Jun 21 17:52:28 somehost su[25809]: pam_authenticate: Authentication failure
    Jun 21 17:52:28 somehost su[25809]: FAILED su for root by someuser


    Also, many systems have some sort of automation for detecting excessive authentication errors to be able to deal with possible brute-force attempts, or just use the information to reconstruct events after problems appear.



    sudo doesn't do anything especially exceptional here. All the message means is that the author of sudo appears to have taken a somewhat aggressive philosophy in communicating with users that happen to run commands they cannot use.
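The "automation for detecting excessive authentication errors" this answer mentions can be as small as a sliding-window counter over the sshd and su lines quoted above. The block below is an added example, not code from the page or from any system's own tooling: it parses the `Failed password for ... from ...` and `FAILED su for ... by ...` records, counts failures per (source, target account) within a time window, and raises one alert per pair once a threshold is reached. The sample lines are constructed in the format shown in the answer; the `invalid user` variant of the sshd message is a real sshd wording not quoted on the page, and syslog timestamps carry no year, so the window logic assumes lines from one year.

```python
"""Burst detection over sshd / su authentication-failure lines."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Set, Tuple

TIMESTAMP = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
# sshd: "Failed password for [invalid user] <user> from <addr> port <n> ssh2"
# su:   "FAILED su for <target> by <invoking user>"
SSHD_RE = re.compile(
    rf"^{TIMESTAMP} \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
SU_RE = re.compile(rf"^{TIMESTAMP} \S+ su\[\d+\]: FAILED su for (?P<user>\S+) by (?P<src>\S+)")

# Constructed sample log lines (not from a real host). Line 0 is the pam_unix
# line that precedes each sshd failure and is deliberately not matched, so
# one failed login is counted once.
SAMPLE_LINES = [
    "Jun 21 17:52:22 somehost sshd[25807]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root",
    "Jun 21 17:52:22 somehost sshd[25807]: Failed password for root from 198.51.100.7 port 37268 ssh2",
    "Jun 21 17:52:25 somehost sshd[25811]: Failed password for root from 198.51.100.7 port 37270 ssh2",
    "Jun 21 17:52:28 somehost su[25809]: FAILED su for root by someuser",
    "Jun 21 17:52:31 somehost sshd[25814]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2",
    "Jun 21 17:52:40 somehost sshd[25816]: Failed password for root from 198.51.100.7 port 37272 ssh2",
    "Jun 21 17:55:02 somehost sshd[25820]: Failed password for root from ::1 port 37300 ssh2",
]


def parse_failure(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, target_user, source) for a failure line, else None."""
    m = SSHD_RE.match(line) or SU_RE.match(line)
    if m is None:
        return None
    # Collapse the double space syslog uses for single-digit days.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts, m.group("user"), m.group("src")


def detect_bursts(lines: List[str], threshold: int = 3,
                  window_seconds: int = 60) -> List[Tuple[str, str, int, str]]:
    """Alerts (source, target_user, count, last_timestamp) for every
    (source, target) pair that reached `threshold` failures inside a
    sliding window of `window_seconds`. One alert per pair."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerted: Set[Tuple[str, str]] = set()
    alerts: List[Tuple[str, str, int, str]] = []
    for line in lines:
        event = parse_failure(line)
        if event is None:
            continue
        ts, user, src = event
        key = (src, user)
        window = recent[key]
        window.append(ts)
        # Drop failures that fell out of the window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((src, user, len(window), ts.strftime("%b %d %H:%M:%S")))
    return alerts


if __name__ == "__main__":
    for src, user, count, last in detect_bursts(SAMPLE_LINES):
        print(f"{last}: {count} failures for {user} from {src} within the window")
```

Keying on (source, target) rather than on the source alone keeps a legitimate user who mistypes one password from being lumped together with a scan against another account from the same address; tools that act on such alerts usually also suppress repeats, which the `alerted` set does here.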


































6 votes













      It simply means that someone tried to use the sudo command (to access admin privileges), who doesn't have authorization to use it (because they aren't listed in the sudoers file). This could be a hacking attempt or some other sort of security risk, so the message is saying that the attempted use of sudo will be reported to the system administrator, so they can investigate.























      • 1




        Well in my local machine I'm the only user and administrator and I can tell you that I didn't receive any report!
        – Kasramvd
        Jun 21 at 12:50







      • 4




        @Kasramvd you probably did, in some file somewhere. I'm not exactly sure where sudo sends the report. In your situation, with only one user, it probably isn't very important.
        – Time4Tea
        Jun 21 at 12:54






      • 2




        @Kasramvd have you checked for an email to the root user? Also, you're the administrator but you don't have sudo for your account? How do you handle privilege escalation?
        – Doug O'Neal
        Jun 21 at 13:22











      • @Kasramvd It was not reported to you....
        – Thorbjørn Ravn Andersen
        Jun 21 at 17:11






      • 1




        @Kasramvd You THINK you are the administrator. The OS is clearly telling you that you don't have permission to act as an administrator - you're the hardware's owner at best but that does not necessarily make you an admin
        – slebetman
        Jun 21 at 18:04










      Your Answer







      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "106"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      convertImagesToLinks: false,
      noModals: false,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );








       

      draft saved


      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f451085%2fwhat-does-the-error-x-is-not-in-the-sudoers-file-this-incident-will-be-reporte%23new-answer', 'question_page');

      );

      Post as a guest






























      4 Answers
      4






      active

      oldest

      votes








      4 Answers
      4






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes








      up vote
      39
      down vote



      accepted










      The administrator(s) of a system are likely to want to know when a non-privileged user tries but fails to execute commands using sudo. If this happens, it could be a sign of



      1. a curious legitimate user just trying things out, or

      2. a hacker trying to do "bad things".

      Since sudo by itself can not distinguish between these, failed attempts to use sudo are brought to the attention of the admins.



      Depending on how sudo is configured on your system, any attempt (successful or not) to use sudo will be logged. Successful attempts are logged for audit purposes (to be able to keep track of who did what when), and failed attempts for security.



      On a fairly vanilla Ubuntu setup that I have, this is logged in /var/log/auth.log.



      If a user gives the wrong password three times, or if they are not in the sudoers file, an email is sent to root (depending on the configuration of sudo, see below). This is what's meant by "this incident will be reported".



      The email will have a prominent subject:



      Subject: *** SECURITY information for thehostname ***


      The body of the message contains the relevant lines from the logfile, for example



      thehostname : Jun 22 07:07:44 : nobody : user NOT in sudoers ; TTY=console ; PWD=/some/path ; USER=root ; COMMAND=/bin/ls


      (Here, the user nobody tried to run ls through sudo as root, but failed since they were not in the sudoers file).



      No email is sent if (local) mail has not been set up on the system.



      All of these things are configurable as well, and that local variations in the default configuration may differ between Unix variants.



      Have a look at the mail_no_user setting (and related mail_* settings) in the sudoers manual (my emphasis below):




      mail_no_user



      If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.







      share|improve this answer



















      • 3




        Lovely and all, but doesn't answer the question. In IT, the word "reported" has different meaning than "logged".
        – kubanczyk
        Jun 22 at 6:21






      • 6




        @kubanczyk You will notice that when sudo says an incident is reported, it is reported. A special email is sent to the root account. This is different from logging. If you have further info on the special meaning of "reported" in IT, I'd be happy to hear it.
        – Kusalananda
        Jun 22 at 6:30











      • The question is about "not in sudoers file" situation not about "user gives the wrong password".
        – kubanczyk
        Jun 22 at 6:54










      • @kubanczyk Fixed it. I'm still not sure about the difference in meaning of the word "reported" in IT and elsewhere.
        – Kusalananda
        Jun 22 at 7:13











      • @kubanczyk Sorry, I misread your first comment several times. I thought you were pointing out a difference in meaning of "reported" in IT when you in fact said that "logged" and "reported" are not the same thing. I agree. I hope this is clear from the answer since I give examples of both logging and reporting (emailing).
        – Kusalananda
        Jun 22 at 7:29














      up vote
      39
      down vote



      accepted










      The administrator(s) of a system are likely to want to know when a non-privileged user tries but fails to execute commands using sudo. If this happens, it could be a sign of



      1. a curious legitimate user just trying things out, or

      2. a hacker trying to do "bad things".

      Since sudo by itself can not distinguish between these, failed attempts to use sudo are brought to the attention of the admins.



      Depending on how sudo is configured on your system, any attempt (successful or not) to use sudo will be logged. Successful attempts are logged for audit purposes (to be able to keep track of who did what when), and failed attempts for security.



      On a fairly vanilla Ubuntu setup that I have, this is logged in /var/log/auth.log.



      If a user gives the wrong password three times, or if they are not in the sudoers file, an email is sent to root (depending on the configuration of sudo, see below). This is what's meant by "this incident will be reported".



      The email will have a prominent subject:



      Subject: *** SECURITY information for thehostname ***


      The body of the message contains the relevant lines from the logfile, for example



      thehostname : Jun 22 07:07:44 : nobody : user NOT in sudoers ; TTY=console ; PWD=/some/path ; USER=root ; COMMAND=/bin/ls


      (Here, the user nobody tried to run ls through sudo as root, but failed since they were not in the sudoers file).



      No email is sent if (local) mail has not been set up on the system.



      All of these things are configurable as well, and that local variations in the default configuration may differ between Unix variants.



      Have a look at the mail_no_user setting (and related mail_* settings) in the sudoers manual (my emphasis below):




      mail_no_user



      If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.







      share|improve this answer



















      • 3




        Lovely and all, but doesn't answer the question. In IT, the word "reported" has different meaning than "logged".
        – kubanczyk
        Jun 22 at 6:21






      • 6




        @kubanczyk You will notice that when sudo says an incident is reported, it is reported. A special email is sent to the root account. This is different from logging. If you have further info on the special meaning of "reported" in IT, I'd be happy to hear it.
        – Kusalananda
        Jun 22 at 6:30











      • The question is about "not in sudoers file" situation not about "user gives the wrong password".
        – kubanczyk
        Jun 22 at 6:54










      • @kubanczyk Fixed it. I'm still not sure about the difference in meaning of the word "reported" in IT and elsewhere.
        – Kusalananda
        Jun 22 at 7:13











      • @kubanczyk Sorry, I misread your first comment several times. I thought you were pointing out a difference in meaning of "reported" in IT when you in fact said that "logged" and "reported" are not the same thing. I agree. I hope this is clear from the answer since I give examples of both logging and reporting (emailing).
        – Kusalananda
        Jun 22 at 7:29












      up vote
      39
      down vote



      accepted







      up vote
      39
      down vote



      accepted






      The administrator(s) of a system are likely to want to know when a non-privileged user tries but fails to execute commands using sudo. If this happens, it could be a sign of



      1. a curious legitimate user just trying things out, or

      2. a hacker trying to do "bad things".

      Since sudo by itself can not distinguish between these, failed attempts to use sudo are brought to the attention of the admins.



      Depending on how sudo is configured on your system, any attempt (successful or not) to use sudo will be logged. Successful attempts are logged for audit purposes (to be able to keep track of who did what when), and failed attempts for security.



      On a fairly vanilla Ubuntu setup that I have, this is logged in /var/log/auth.log.



      If a user gives the wrong password three times, or if they are not in the sudoers file, an email is sent to root (depending on the configuration of sudo, see below). This is what's meant by "this incident will be reported".



      The email will have a prominent subject:



      Subject: *** SECURITY information for thehostname ***


      The body of the message contains the relevant lines from the logfile, for example



      thehostname : Jun 22 07:07:44 : nobody : user NOT in sudoers ; TTY=console ; PWD=/some/path ; USER=root ; COMMAND=/bin/ls


      (Here, the user nobody tried to run ls through sudo as root, but failed since they were not in the sudoers file).



      No email is sent if (local) mail has not been set up on the system.



      All of these things are configurable as well, and that local variations in the default configuration may differ between Unix variants.



      Have a look at the mail_no_user setting (and related mail_* settings) in the sudoers manual (my emphasis below):




      mail_no_user



      If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.







      share|improve this answer















      The administrator(s) of a system are likely to want to know when a non-privileged user tries but fails to execute commands using sudo. If this happens, it could be a sign of



      1. a curious legitimate user just trying things out, or

      2. a hacker trying to do "bad things".

      Since sudo by itself can not distinguish between these, failed attempts to use sudo are brought to the attention of the admins.



      Depending on how sudo is configured on your system, any attempt (successful or not) to use sudo will be logged. Successful attempts are logged for audit purposes (to be able to keep track of who did what when), and failed attempts for security.



      On a fairly vanilla Ubuntu setup that I have, this is logged in /var/log/auth.log.



      If a user gives the wrong password three times, or if they are not in the sudoers file, an email is sent to root (depending on the configuration of sudo, see below). This is what's meant by "this incident will be reported".



      The email will have a prominent subject:



      Subject: *** SECURITY information for thehostname ***


      The body of the message contains the relevant lines from the logfile, for example



      thehostname : Jun 22 07:07:44 : nobody : user NOT in sudoers ; TTY=console ; PWD=/some/path ; USER=root ; COMMAND=/bin/ls


      (Here, the user nobody tried to run ls through sudo as root, but failed since they were not in the sudoers file).



      No email is sent if (local) mail has not been set up on the system.



      All of these things are configurable as well, and local variations in the default configuration may differ between Unix variants.



      Have a look at the mail_no_user setting (and related mail_* settings) in the sudoers manual (my emphasis below):




      mail_no_user



      If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.








      edited Jun 22 at 12:35


























      answered Jun 21 at 13:51









      Kusalananda
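      As an added example (this is not Kusalananda's configuration or the sudo project's), here is a sudoers Defaults fragment that spells out the mail-related settings the answer points at. The option names and their defaults (mail_no_user on; mail_no_perms and mail_badpass off; mailto root; mailsub "*** SECURITY information for %h ***"; mailerpath /usr/sbin/sendmail) are from sudoers(5); the mailto address and the file name are placeholders. One caveat worth knowing: sudo's own default for mail_badpass is off, so a wrong password alone is only syslogged, not mailed; Ubuntu's stock /etc/sudoers turns it on with "Defaults mail_badpass", which is why a vanilla Ubuntu box mails on that case too.

```sudoers
# Added example, not Kusalananda's configuration. Option names and defaults
# are from sudoers(5); the mailto address is a placeholder.
# Install as /etc/sudoers.d/50-mail-reports (mode 0440) after visudo -cf checks it.

# On by default: mail when the invoking user is not in sudoers at all
# (the "This incident will be reported" case).
Defaults mail_no_user

# Off by default: mail when the user is listed but the command is not allowed
# by their sudoers entry.
Defaults mail_no_perms

# Off in sudo's own defaults, but Ubuntu's stock /etc/sudoers enables it:
# mail after the user fails to enter the correct password.
Defaults mail_badpass

# The default recipient is root, i.e. a mailbox on the same host the user is
# trying to become root on. Send the report somewhere the attacker cannot
# read or delete it.
Defaults mailto="security@example.com"

# The default subject; %h expands to the hostname.
Defaults mailsub="*** SECURITY information for %h ***"

# Program the report is piped to. If it is absent, no mail is sent and
# the syslog line is the only record.
Defaults mailerpath=/usr/sbin/sendmail
```

      To see which of these are in effect on a given host, run sudo -V as root: the extended output lists the mail flags and the path to the mail program. visudo -cf on the fragment checks that it parses before it goes into /etc/sudoers.d. Routing mailto off-box (or shipping the auth-facility syslog line to a central collector) matters because a report that only lands in root's local mailbox is readable and deletable by whoever eventually does get root.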

      • Lovely and all, but doesn't answer the question. In IT, the word "reported" has a different meaning than "logged".
        – kubanczyk
        Jun 22 at 6:21

      • @kubanczyk You will notice that when sudo says an incident is reported, it is reported. A special email is sent to the root account. This is different from logging. If you have further info on the special meaning of "reported" in IT, I'd be happy to hear it.
        – Kusalananda
        Jun 22 at 6:30

      • The question is about the "not in sudoers file" situation, not about "user gives the wrong password".
        – kubanczyk
        Jun 22 at 6:54

      • @kubanczyk Fixed it. I'm still not sure about the difference in meaning of the word "reported" in IT and elsewhere.
        – Kusalananda
        Jun 22 at 7:13

      • @kubanczyk Sorry, I misread your first comment several times. I thought you were pointing out a difference in meaning of "reported" in IT when you in fact said that "logged" and "reported" are not the same thing. I agree. I hope this is clear from the answer since I give examples of both logging and reporting (emailing).
        – Kusalananda
        Jun 22 at 7:29












      up vote
      15
      down vote













      In Debian and its derivatives, the sudo incident reports are logged to /var/log/auth.log which contains system authorization information, including user logins and authentication mechanisms that were used:



      $ sudo su
      [sudo] password for regularjohn:
      regularjohn is not in the sudoers file. This incident will be reported.

      [as root]

      $ tail -n 1 /var/log/auth.log
      Jun 21 16:30:26 marvin sudo: regularjohn : user NOT in sudoers ; TTY=pts/19 ; PWD=/home/regularjohn ; USER=root ; COMMAND=/bin/su


      This log file is typically only accessible to users in the adm group, i.e. users with access to system monitoring tasks:



      $ ls -la /var/log/auth.log
      -rw-r----- 1 syslog adm 76189 Jun 21 16:30 /var/log/auth.log


      From the Debian Wiki:




      Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group.




      Users in the adm group are usually administrators, and this group permission is intended to allow them to read log files without having to su.



      By default sudo uses the Syslog auth facility for logging. sudo's logging behavior can be modified using the logfile or syslog options in /etc/sudoers or /etc/sudoers.d:



      • The logfile option sets the path to the sudo log file.

      • The syslog option sets the Syslog facility when syslog(3) is being used for logging.

      The Syslog auth facility is redirected to /var/log/auth.log in /etc/syslog.conf by the presence of the following configuration stanza:



      auth,authpriv.* /var/log/auth.log






          edited Jun 21 at 14:32


























          answered Jun 21 at 13:36









          Thomas Nyman

              up vote
              7
              down vote













              Technically, it doesn't mean anything much. Many (if not all) other software logs logins, failed or otherwise. For example sshd and su:



              Jun 21 17:52:22 somehost sshd[25807]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=root
              Jun 21 17:52:22 somehost sshd[25807]: Failed password for root from ::1 port 37268 ssh2
              Jun 21 17:52:23 somehost sshd[25807]: Connection closed by ::1 port 37268 [preauth]
              Jun 21 17:52:28 somehost su[25809]: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/15 ruser=someuser rhost= user=root
              Jun 21 17:52:28 somehost su[25809]: pam_authenticate: Authentication failure
              Jun 21 17:52:28 somehost su[25809]: FAILED su for root by someuser


              Also, many systems have some sort of automation for detecting excessive authentication errors to be able to deal with possible brute-force attempts, or just use the information to reconstruct events after problems appear.



              sudo doesn't do anything especially exceptional here. All the message means is that the author of sudo appears to have taken a somewhat aggressive philosophy in communicating with users that happen to run commands they cannot use.







                  answered Jun 21 at 15:07









                  ilkkachu
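                  As an added example (not code from Thomas Nyman's or ilkkachu's answers), here is a small parser over the kinds of auth-facility lines both answers quote: sudo's "user NOT in sudoers" and "incorrect password attempts" records, a successful sudo record for contrast, sshd's "Failed password" and su's "FAILED su". It turns each line into a structured event and then does the "excessive authentication errors" check ilkkachu mentions, counting failures per host and actor. The sample lines are constructed for the example, modelled on the ones shown above, not copied from a real host; the field names and the threshold are the example's own choices.

```python
"""Parse the auth-facility lines quoted above and flag repeated failures.

Added example; the sample lines below are constructed, modelled on the
sudo, sshd and su lines shown in the answers, not copied from a real host.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

SAMPLE_LOG = """\
Jun 21 16:30:26 marvin sudo: regularjohn : user NOT in sudoers ; TTY=pts/19 ; PWD=/home/regularjohn ; USER=root ; COMMAND=/bin/su
Jun 21 16:31:02 marvin sudo: regularjohn : user NOT in sudoers ; TTY=pts/19 ; PWD=/home/regularjohn ; USER=root ; COMMAND=/bin/ls
Jun 21 16:32:40 marvin sudo:     alice : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jun 21 16:33:10 marvin sudo:     alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jun 21 17:52:22 somehost sshd[25807]: Failed password for root from ::1 port 37268 ssh2
Jun 21 17:52:28 somehost su[25809]: FAILED su for root by someuser
Jun 21 17:53:00 somehost CRON[25810]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host ".
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "

# sudo writes "<user> : [<reason> ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=...";
# the reason field is absent on success. The optional "[pid]" after "sudo"
# covers journald-style output, where the pid is shown.
SUDO_RE = re.compile(
    _PREFIX + r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?:(?P<reason>.+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
SSHD_RE = re.compile(
    _PREFIX + r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<target>\S+) "
    r"from (?P<src>\S+) port \d+"
)
SU_RE = re.compile(_PREFIX + r"su\[\d+\]: FAILED su for (?P<target>\S+) by (?P<user>\S+)")


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    host: str
    source: str   # "sudo", "sshd" or "su"
    actor: str    # invoking user, or the client address for sshd
    target: str   # account the actor tried to become
    outcome: str  # "success", "not_in_sudoers", "bad_password" or "failed"
    command: str = ""


def parse_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for a recognised line, or None for anything else."""
    m = SUDO_RE.match(line)
    if m:
        reason = m.group("reason") or ""
        if not reason:
            outcome = "success"
        elif "NOT in sudoers" in reason:
            outcome = "not_in_sudoers"   # the mail_no_user case
        elif "incorrect password" in reason:
            outcome = "bad_password"     # the mail_badpass case
        else:
            outcome = "failed"           # e.g. "command not allowed" (mail_no_perms)
        return AuthEvent(m["ts"], m["host"], "sudo", m["user"], m["target"], outcome, m["cmd"])
    m = SSHD_RE.match(line)
    if m:
        return AuthEvent(m["ts"], m["host"], "sshd", m["src"], m["target"], "bad_password")
    m = SU_RE.match(line)
    if m:
        return AuthEvent(m["ts"], m["host"], "su", m["user"], m["target"], "failed")
    return None


def parse_log(text: str) -> List[AuthEvent]:
    """Parse every recognised line of a log; unrecognised lines are skipped."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def excessive_failures(events: Iterable[AuthEvent], threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """Count non-successful events per (host, actor); return those at or above threshold."""
    counts = Counter((e.host, e.actor) for e in events if e.outcome != "success")
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(f"{e.host} {e.source:<4} {e.actor:>12} -> {e.target:<6} {e.outcome} {e.command}")
    for (host, actor), n in excessive_failures(evs, threshold=2).items():
        print(f"ALERT: {n} failed privilege attempts by {actor} on {host}")
```

                  Run as-is it lists the six recognised events (the CRON line is ignored) and raises one alert, for regularjohn on marvin, who hit "user NOT in sudoers" twice. On a live Debian-style host the same functions can be pointed at the contents of /var/log/auth.log, which, as Thomas Nyman's answer shows, requires membership of the adm group. Counting by (host, actor) rather than by target keeps a single curious user separate from a remote brute-force source, which is the distinction the log lines carry but the "This incident will be reported" message does not.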


                      up vote
                      6
                      down vote













                      It simply means that someone tried to use the sudo command (to access admin privileges), who doesn't have authorization to use it (because they aren't listed in the sudoers file). This could be a hacking attempt or some other sort of security risk, so the message is saying that the attempted use of sudo will be reported to the system administrator, so they can investigate.







                      • Well, on my local machine I'm the only user and administrator and I can tell you that I didn't receive any report!
                        – Kasramvd
                        Jun 21 at 12:50

                      • @Kasramvd you probably did, in some file somewhere. I'm not exactly sure where sudo sends the report. In your situation, with only one user, it probably isn't very important.
                        – Time4Tea
                        Jun 21 at 12:54

                      • @Kasramvd have you checked for an email to the root user? Also, you're the administrator but you don't have sudo for your account? How do you handle privilege escalation?
                        – Doug O'Neal
                        Jun 21 at 13:22

                      • @Kasramvd It was not reported to you....
                        – Thorbjørn Ravn Andersen
                        Jun 21 at 17:11

                      • @Kasramvd You THINK you are the administrator. The OS is clearly telling you that you don't have permission to act as an administrator - you're the hardware's owner at best, but that does not necessarily make you an admin.
                        – slebetman
                        Jun 21 at 18:04















                      answered Jun 21 at 12:30









                      Time4Tea
