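#!/usr/bin/perl
#
# Review sudo activity recorded in the system auth log and print, for every
# sudo invocation that executed a command, the real user, the effective
# (target) user and whether the two differ.
#
# Each line this script understands looks like the example below
# (the output of `grep -i sudo /var/log/auth.log | grep -i command`):
#
#   Jun 26 12:07:52 targetubuntu02 sudo: instructor : TTY=pts/0 ; PWD=/home/instructor ; USER=root ; COMMAND=/bin/su -
#
# Output goes to STDOUT, one record per matching line. Reading the auth log
# normally requires root (or membership of the group that owns the log).
#----------------------------------------------------

use strict;
use warnings;

# Log file to scan. Kept in one place so the script can be pointed at a
# copied or archived log without touching the parsing logic.
my $LOG_FILE = '/var/log/auth.log';

# Read the log directly instead of shelling out to `grep ... | grep ...`:
# no shell is involved, and a missing or unreadable file is reported
# explicitly instead of silently producing an empty result.
open my $log_fh, '<', $LOG_FILE
    or die "Cannot open $LOG_FILE: $! (reading it usually requires root)\n";

# Keep only sudo lines that record an executed command. This mirrors the
# original two-stage grep pipeline, including its case-insensitivity.
my @sudo_lines = grep { /sudo/i && /command/i } <$log_fh>;
close $log_fh or die "Error closing $LOG_FILE: $!\n";

# Anchored pattern capturing the three fields in a single pass. Tolerating
# an optional "[pid]" after "sudo" covers logs where the daemon pid is
# recorded. The original per-field substitutions left the whole line in the
# variable when they did not match, so an unexpected line was reported as
# an escalation; a non-matching line is now reported as unparsed instead.
my $SUDO_RE = qr{
    \s sudo (?:\[\d+\])? : \s+
    (?<real>.+?) \s+ : \s+ TTY= .*? ;
    \s+ USER= (?<effective>.+?) \s+ ;
    \s+ COMMAND= (?<command>.*) \z
}x;

# Counter for the current line number (used only in the printed prefix).
my $cnt = 0;

LINE:
foreach my $line (@sudo_lines) {
    chomp $line;

    print "($cnt)[Line]: $line\n";

    if ( $line !~ $SUDO_RE ) {
        # Do not guess at the fields of a line in an unknown layout; say so
        # and move on so the per-line separator and counter stay consistent.
        print "Unparsed sudo line: format not recognised\n";
        $cnt++;
        print "-------------------------------------\n";
        next LINE;
    }

    my $real_user      = $+{real};
    my $effective_user = $+{effective};
    my $command        = $+{command};

    print "Real User: $real_user\n";
    print "Effective User: $effective_user\n";

    # A differing real and effective user is reported as an escalation; the
    # comparison is a plain string compare, so "root" and "ROOT" differ.
    my $STATUS = $real_user ne $effective_user
        ? "[Escalation Occurred for command: $command]"
        : "[No Warning Present]";
    print "Sudo Privilege Escalated: $STATUS\n";

    $cnt++;
    print "-------------------------------------\n";
}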