sudo-project / sudo

Utility to execute a command as another user
https://www.sudo.ws

Reports should say what the user attempted #378

Open jidanni opened 1 month ago

jidanni commented 1 month ago

This lacks one critical detail,

From: Dan Jacobson <jidanni@jidanni.org>
Subject: *** SECURITY information for jidanni5.jidanni.org ***
To: root@jidanni.org
Date: Mon, 20 May 2024 18:19:32 +0800

jidanni5.jidanni.org : May 20 18:19:32 : jidanni : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/jidanni ; USER=root ; COMMAND=/usr/bin/w

i.e., what did the user do?

It should say that "user attempted to run the command "w" using sudo, and entered a password, but then was discovered not to be on the sudoers list."

I mean one day one of these reports will end up in a court of law, so what happened needs to be real clear! Even if it was just little old me testing sudo.

Might as well also fold it to fit on one screen.

And maybe remove the blanks before the semicolons, as in English.

millert commented 1 month ago

Currently the email messages just contain the same info that was logged via syslog. In your example the user tried to run /usr/bin/w as root. If you know how to read the sudo syslog entries, you know how to read the email it sends too.

jidanni commented 1 month ago

Which means both syslog and the email equally do not describe the incident adequately.
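
Added example, not part of the thread and not sudo's own code: a small Python parser that reads the mail line quoted in the issue and renders it as a plain sentence of what was attempted and what sudo logged. The field layout is inferred from that one sample line; the function names, the `invoker` key and the sentence wording are assumptions.

```python
import re

# Constructed sample: the mail body line quoted in the issue above.
SAMPLE = ("jidanni5.jidanni.org : May 20 18:19:32 : jidanni : user NOT in sudoers ; "
          "TTY=pts/0 ; PWD=/home/jidanni ; USER=root ; COMMAND=/usr/bin/w")

# Layout seen in the issue: host : timestamp : invoking user : [reason ;] KEY=value ; ...
HEADER = re.compile(r"^(?P<host>\S+) : (?P<when>\w{3}\s+\d+ \d\d:\d\d:\d\d) : "
                    r"(?P<invoker>\S+) : (?P<rest>.*)$")

def parse_sudo_mail_line(line):
    """Split one sudo mail line into a dict; raise ValueError if it does not fit."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a sudo mail line: %r" % line)
    rec = {"host": m["host"], "when": m["when"], "invoker": m["invoker"]}
    # COMMAND is the last field and its arguments may contain " ; ",
    # so cut it off before splitting the remaining fields.
    head, sep, command = m["rest"].partition("COMMAND=")
    if not sep:
        raise ValueError("no COMMAND= field in: %r" % line)
    rec["command"] = command
    reasons = []
    for part in head.split(" ; "):
        part = part.strip()
        if not part:
            continue
        key, eq, value = part.partition("=")
        if eq and key.isupper():
            rec[key] = value          # TTY, PWD, USER (the target user), ...
        else:
            reasons.append(part)      # free text such as "user NOT in sudoers"
    rec["reason"] = "; ".join(reasons)
    return rec

def describe(rec):
    """Render the record as one sentence: who tried what, as whom, and the logged result."""
    outcome = ("sudo refused: " + rec["reason"]) if rec["reason"] \
        else "no refusal reason was logged"
    return ("On %s at %s, %s attempted to run %s as %s via sudo (tty %s, cwd %s); %s."
            % (rec["host"], rec["when"], rec["invoker"], rec["command"],
               rec.get("USER", "unknown"), rec.get("TTY", "unknown"),
               rec.get("PWD", "unknown"), outcome))

if __name__ == "__main__":
    print(describe(parse_sudo_mail_line(SAMPLE)))
```

The sentence contains only what the log line carries; whether a password was entered is not recorded in the sample line, so the output makes no statement about it.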