Username is not in the sudoers file. This incident will be reported - WHERE/HOW?

Question

When a user not in sudoers tries to elevate privileges to root (in Ubuntu 18.04 for example) the OS displays this alert: "Username is not in the sudoers file. This incident will be reported".

Now, where can the admin see this report? How can admins detect an invalid sudo attempt?

I'm specifically interested in CentOS 7.

I don't think so @StephenKitt, I'm asking for a CentOS 7 OS. Meanwhile Ubuntu save this notification into "/var/log/auth.log", I can't find where CentOS save this event. — Roberto, Jul 31 '18 at 14:16
Sorry @IgnacioVazquez-Abrams,can you tell me where in CentOS 7 this information is stored? Thank you. — Roberto, Jul 31 '18 at 14:17
@Roberto you might have missed this important part: “Depending on how `sudo` is configured on your system”. The linked question isn’t Ubuntu-specific, although I note you did appear to ask about Ubuntu in your question. — Stephen Kitt, Jul 31 '18 at 14:18

score 4 · Accepted Answer · answered Jul 31 '18 at 14:28

On CentOS 7 (since that’s apparently what you’re really interested in), such incidents are reported in the journal; run journalctl -xe as root and you’ll see lines such as

guest : user NOT in sudoers

when a user runs sudo without being allowed to, or

guest : 3 incorrect password attempts

when a user gets their password wrong too many times (with other information as usual in log messages).

Username is not in the sudoers file. This incident will be reported - WHERE/HOW?

1 Answers1