sudo with syslog log audit
Description: The so-called sudo log audit does not record an ordinary user's everyday commands; it records only the commands those users run through sudo, and which user ran them.
One, install sudo and the syslog service (on CentOS 6.5 this is the rsyslog service)
[root@host ~]# rpm -qa | egrep "sudo|syslog"
rsyslog-5.8.10-8.el6.i686
sudo-1.8.6p3-12.el6.i686
If either package is missing, install it with yum.
Two, configure /etc/sudoers
[root@host ~]# echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
[root@host ~]# tail -1 /etc/sudoers
Defaults logfile=/var/log/sudo.log
[root@host ~]# visudo -c    # check the syntax for errors
/etc/sudoers parsing is correct
Tip: steps three and four can be skipped; the Defaults logfile line alone is enough. Switch directly to an ordinary user, run a command through sudo, and check whether /var/log/sudo.log has a record.
Three, configure the system log /etc/rsyslog.conf
[root@host ~]# echo "local2.debug /var/log/sudo.log" >> /etc/rsyslog.conf
[root@host ~]# tail -1 /etc/rsyslog.conf
local2.debug /var/log/sudo.log
Note: this rsyslog rule only receives sudo messages if sudo is told to log to the local2 facility (Defaults syslog=local2 in sudoers); by default sudo sends its syslog messages to authpriv, which the stock CentOS rsyslog.conf writes to /var/log/secure.
Four, restart the log daemon
[root@host ~]# /etc/init.d/rsyslog restart
The file /var/log/sudo.log is created automatically; if you don't see it, log out and back in.
It is owned by root with permissions 600.
[root@host ~]# ll /var/log/sudo.log    # make sure only root can read it
-rw------- 1 root root 0 19:48 /var/log/sudo.log
Five, test the sudo log audit configuration
Create a user with sudo rights, run a command through sudo as that user, then log in as root and view /var/log/sudo.log.
[bier@host ~]$ sudo useradd ddd    # test with a user-management command
[root@host ~]# cat /var/log/sudo.log
20:28:10 : bier : TTY=pts/3 ; PWD=/home/bier ;
    USER=root ; COMMAND=/usr/sbin/useradd ddd    # the user's action has been recorded
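As an added example (not part of the original post), the following POSIX shell script wraps the checks from the five steps above: it validates a sudoers fragment with visudo -cf before anything touches /etc/sudoers, verifies that the audit log is readable by root alone, and condenses sudo.log entries into one record per command for review, including the wrapped continuation lines sudo writes for long entries (which is why the output above spans two lines). The hostname, the log path and the Defaults syslog=local2 line are assumptions; that line is only needed if you use the rsyslog rule from step three.

```shell
#!/bin/sh
# Added example, not from the original post: helper functions for the sudo
# audit log configured above. Assumes the log path /var/log/sudo.log and the
# default "Defaults logfile" entry format written by sudo.

SUDO_LOG="${SUDO_LOG:-/var/log/sudo.log}"

# The sudoers lines: the logfile line from step two, plus the facility line
# that step three's rsyslog rule (local2.debug) needs in order to receive
# anything; without it sudo's syslog messages go to authpriv instead.
sudoers_fragment() {
    printf '%s\n' \
        'Defaults logfile=/var/log/sudo.log' \
        'Defaults syslog=local2'
}

# Check the fragment with visudo before installing it. Appending straight to
# /etc/sudoers and only then running visudo -c means a typo is live until you
# notice, and a broken sudoers locks every admin out of sudo.
validate_fragment() {
    tmp=$(mktemp) || return 1
    sudoers_fragment > "$tmp"
    visudo -cf "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Return 0 only if group and other have no permissions at all (the -rw-------
# shown by ls -l above); anything else exposes the audit trail to non-root users.
log_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Reduce sudo.log entries to "invoking-user<TAB>target-user<TAB>command".
# sudo wraps entries longer than 80 columns onto continuation lines indented
# by four spaces, so indented lines are joined to the preceding entry first.
parse_sudo_log() {
    awk '
        function flush(   n, i, f, h, user, target, cmd) {
            if (rec == "") return
            n = split(rec, f, " ; ")
            split(f[1], h, " : ")          # "date : user : TTY=..."
            user = h[2]
            target = ""; cmd = ""
            for (i = 2; i <= n; i++) {
                if (f[i] ~ /^USER=/)         target = substr(f[i], 6)
                else if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
            }
            printf "%s\t%s\t%s\n", user, target, cmd
            rec = ""
        }
        /^[ \t]/ { sub(/^[ \t]+/, " "); rec = rec $0; next }   # continuation line
                 { flush(); rec = $0 }                          # new entry
        END      { flush() }
    '
}

# Stand-alone run: report on the live log when it is readable (root only).
if [ -r "$SUDO_LOG" ]; then
    if log_mode_ok "$SUDO_LOG"; then
        echo "permissions ok: $SUDO_LOG"
    else
        echo "WARNING: $SUDO_LOG is readable by group or other"
    fi
    parse_sudo_log < "$SUDO_LOG"
fi
```

Run it as root on the audited host to get one line per sudo invocation (invoking user, target user, command); call validate_fragment before copying the fragment into /etc/sudoers or /etc/sudoers.d so that a syntax error is caught while sudo still works.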
This article is from the "Bill Linux Operations Notes" blog; please keep this source when sharing it: http://chenshoubiao.blog.51cto.com/6159058/1880903