sudo with syslog log audit record user actions

sudo with syslog log audit

Description: The so-called sudo command log audit, does not record ordinary user's normal operation, but records those who perform the sudo command the user action

One, install sudo command, syslog service (centos6.5 for Rsyslog service )

[Email protected] ~]# rpm-qa |egrep "Sudo|syslog"

rsyslog-5.8.10-8.el6.i686

sudo-1.8.6p3-12.el6.i686

If it is not installed, install it with Yum

Second, the configuration/etc/sudoers

[Email protected] ~]# echo "Defaults logfile=/var/log/sudo.log" >>/etc/sudoers

[Email protected] ~]# tail-1/etc/sudoers

Defaults Logfile=/var/log/sudo.log

[Email protected] ~]# visudo-c #检测语法是否有错误

/etc/sudoers parsing is correct

Tip: You can not perform the following three and four steps, switch directly to the normal user to see if/var/log/sudo.log has any records

Third, configure the system log/etc/rsyslog.conf

[Email protected] ~]# echo "Local2.debug/var/log/sudo.log" >>/etc/rsyslog.conf

[Email protected] ~]# tail-1/etc/rsyslog.conf

Local2.debug/var/log/sudo.log

Four, restart the logger

[Email protected] ~]#/etc/init.d/rsyslog restart

The file/var/log/sudo.log is created automatically, and if you don't see it, exit and log back in.

The user is root, and the permissions are 600

[Email protected] ~]# Ll/var/log/sudo.log #确保只有root才可以看到

-RW-------1 root root 0 19:48/var/log/sudo.log

V. Test sudo log audit configuration results

Create a user with sudo permissions, and log in using the root user to view logs/var/log/sudo.log

[email protected] ~]$ sudo useradd ddd #删除用户测试

[Email protected] ~]# Cat/var/log/sudo.log

20:28:10:bier: no use; TTY=PTS/3; Pwd=/home/bier;

User=root; Command=/usr/sbin/useradd DDD #已经记录了用户操作

This article is from the "Bill Linux Operations Notes" blog, please be sure to keep this source http://chenshoubiao.blog.51cto.com/6159058/1880903

sudo with syslog log audit record user actions