天天看點
傳回

sudo日志檔案跟蹤

    由于管理的伺服器不多,而且都是我一個人管,但公司發展越來越快,伺服器也越來越多,人手也添加了,但不能一直都用root賬号人手一份,為了安全和管理控制,決定部署sudo。sudo預設安裝在系統裡,配置日志檔案跟蹤的時候遇到問題,無論怎麼操作,就是不能寫入sudo日志。參考了網上的N多文章 ,都不能解決問題,其中的奧秘就在于他們都省略了一步。是以部署東西,最好還是先看官方文檔為先,遇到小部份難題在google為好。

一、實驗環境

  1. # cat /etc/redhat-release  
  2. CentOS release 5.5 (Final)
  3. # rpm -qa | grep sudo
  4. sudo-1.7.2p1-5.el5
  5. [root@CentOS-A log]# rpm -ql  sudo
  6. /usr/share/doc/sudo-1.7.2p1/sample.sudoers
  7. /usr/share/doc/sudo-1.7.2p1/sample.syslog.conf

二、參考資料

注:留意我标明紅色的地方,這些是成功配置所在。

  1. [root@CentOS-A ~]# cat /usr/share/doc/sudo-1.7.2p1/sample.sudoers  
  2. #
  3. # Sample /etc/sudoers file.
  5. # This file MUST be edited with the 'visudo' command as root.
  7. # See the sudoers man page for the details on how to write a sudoers file.
  9. # $Sudo: sample.sudoers,v 1.29 2008/10/03 19:55:57 millert Exp $
  10. ##
  11. # Override built-in defaults
  13. Defaults        syslog=auth
  14. Defaults>root       !set_logname
  15. Defaults:FULLTIMERS !lecture
  16. Defaults:millert    !authenticate
  17. Defaults@SERVERS    log_year, logfile=/var/log/sudo.log
  18. Defaults!PAGERS     noexec
  20. # User alias specification
  22. User_Alias  FULLTIMERS = millert, mikef, dowdy
  23. User_Alias  PARTTIMERS = bostley, jwfox, crawl
  24. User_Alias  WEBMASTERS = will, wendy, wim
  26. # Runas alias specification
  28. Runas_Alias OP = root, operator
  29. Runas_Alias DB = oracle, sybase
  31. # Host alias specification
  33. Host_Alias  SPARC = bigtime, eclipse, moet, anchor:\
  34. SGI = grolsch, dandelion, black:\
  35. ALPHA = widget, thalamus, foobar:\
  36. HPPA = boa, nag, python
  37. Host_Alias  CUNETS = 128.138.0.0/255.255.0.0
  38. Host_Alias  CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
  39. Host_Alias  SERVERS = master, mail, www, ns
  40. Host_Alias  CDROM = orion, perseus, hercules
  42. # Cmnd alias specification
  44. Cmnd_Alias  DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
  45.            /usr/sbin/rrestore, /usr/bin/mt
  46. Cmnd_Alias  KILL = /usr/bin/kill
  47. Cmnd_Alias  PRINTING = /usr/sbin/lpc, /usr/bin/lprm
  48. Cmnd_Alias  SHUTDOWN = /usr/sbin/shutdown
  49. Cmnd_Alias  HALT = /usr/sbin/halt
  50. Cmnd_Alias  REBOOT = /usr/sbin/reboot
  51. Cmnd_Alias  SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
  52.             /usr/local/bin/tcsh, /usr/bin/rsh, \
  53.             /usr/local/bin/zsh
  54. Cmnd_Alias  SU = /usr/bin/su
  55. Cmnd_Alias  VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
  56.               /usr/bin/chfn
  57. Cmnd_Alias  PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
  59. # User specification
  61. # root and users in group wheel can run anything on any machine as any user
  62. root        ALL = (ALL) ALL
  63. %wheel      ALL = (ALL) ALL
  64. # full time sysadmins can run anything on any machine without a password
  65. FULLTIMERS  ALL = NOPASSWD: ALL
  66. # part time sysadmins may run anything but need a password
  67. PARTTIMERS  ALLALL = ALL
  68. # jack may run anything on machines in CSNETS
  69. jack        CSNETS = ALL
  70. # lisa may run any command on any host in CUNETS (a class B network)
  71. lisa        CUNETS = ALL
  72. # operator may run maintenance commands and anything in /usr/oper/bin/
  73. operator    ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
  74.        sudoedit /etc/printcap, /usr/oper/bin/
  75. # joe may su only to operator
  76. joe     ALL = /usr/bin/su operator
  77. # pete may change passwords for anyone but root on the hp snakes
  78. pete        HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
  79. # bob may run anything on the sparc and sgi machines as any user
  80. # listed in the Runas_Alias "OP" (ie: root and operator)
  81. bob     SPARC = (OP) ALL : SGI = (OP) ALL
  82. # jim may run anything on machines in the biglab netgroup
  83. jim     +biglab = ALL
  84. # users in the secretaries netgroup need to help manage the printers
  85. # as well as add and remove users
  86. +secretaries    ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
  87. # fred can run commands as oracle or sybase without a password
  88. fred        ALL = (DB) NOPASSWD: ALL
  89. # on the alphas, john may su to anyone but root and flags are not allowed
  90. john        ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
  91. # jen can run anything on all machines except the ones
  92. # in the "SERVERS" Host_Alias
  93. jen     ALL, !SERVERS = ALL
  94. # jill can run any commands in the directory /usr/bin/, except for
  95. # those in the SU and SHELLS aliases.
  96. jill        SERVERS = /usr/bin/, !SU, !SHELLS
  97. # steve can run any command in the directory /usr/local/op_commands/
  98. # as user operator.
  99. steve       CSNETS = (operator) /usr/local/op_commands/
  100. # matt needs to be able to kill things on his workstation when
  101. # they get hung.
  102. matt        valkyrie = KILL
  103. # users in the WEBMASTERS User_Alias (will, wendy, and wim)
  104. # may run any command as user www (which owns the web pages)
  105. # or simply su to www.
  106. WEBMASTERS  www = (www) ALL, (root) /usr/bin/su www
  107. # anyone can mount/unmount a cd-rom on the machines in the CDROM alias
  108. ALL     CDROM = NOPASSWD: /sbin/umount /CDROM,\
  109.        /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
  1. [root@CentOS-A ~]# cat /usr/share/doc/sudo-1.7.2p1/sample.syslog.conf
  2. # This is a sample syslog.conf fragment for use with Sudo.
  4. # Sudo logs to local2 by default, but this is changable via the
  5. # --with-logfac configure option.  To see what syslog facility
  6. # a sudo binary uses, run `sudo -V' as *root*.  You may have
  7. # to check /usr/include/syslog.h to map the facility number to
  8. # a name.
  10. # NOTES:
  11. #   The whitespace in the following line is made up of <TAB>
  12. #       characters, *not* spaces.  You cannot just cut and paste!
  14. #   If you edit syslog.conf you need to send syslogd a HUP signal.
  15. #   Ie: kill -HUP process_id
  17. #   Syslogd will not create new log files for you, you must first
  18. #   create the file before syslogd will log to it.  Eg.
  19. # 'touch /var/log/sudo'
  21. # $Sudo: sample.syslog.conf,v 1.3 2004/10/01 14:58:15 millert Exp $
  22. # This logs successful and failed sudo attempts to the file /var/log/sudo
  23. local2.debug                    /var/log/sudo
  24. # To log to a remote machine, use something like the following,
  25. # where "loghost" is the name of the remote machine.
  26. local2.debug                    @loghost

三、完整配置

3.1.配置sudo日志檔案

  1. #touch /var/log/sudo.log

3.2.修改/etc/syslog.conf配置檔案

local2.debug                                  /var/log/sudo.log                     #空白處不能用空格鍵,必需用tab鍵

3.3、修改/etc/sudoers配置檔案

注:不要手動修改配置檔案 ,用visudo指令修改,好處是修改出錯,儲存會彈出錯誤提示資訊,友善排錯。

  1. #visudo
  2. efaults              logfile=/var/log/sudo.log    #添加這一行

3.4、重新開機syslog服務

  1. # ps -aux | grep syslog
  2. Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
  3. root     10367  0.0  0.1   1728   612 ?        Ss   23:10   0:00 syslogd -m 0
  4. root     10437  0.0  0.1   3920   688 pts/1    R+   23:41   0:00 grep syslog
  5. # kill -HUP 10367
  6. #/etc/init.d/syslog restart

四、成功測試

  1. # cat /var/log/sudo.log
  2. Dec 14 23:07:39 : firerat : TTY=pts/0 ; PWD=/home/firerat ; USER=root ;
  3. COMMAND=/bin/cat /etc/passwd
Linux 日志 sudo
上一篇: Docker删除日志檔案
下一篇: Kickstart無人值守批量安裝linux系統

繼續閱讀