Configuring log auditing for the sudo command

Environment:
[root@123 logs]# cat /etc/redhat-release
CentOS release 6.3 (Final)
Configuration:

1) Make sure the following two packages are installed
[root@123 test]# rpm -qa|grep syslog
rsyslog-5.8.10-2.el6.x86_64
[root@123 test]# rpm -qa|grep sudo
sudo-1.7.4p5-11.el6.x86_64
2) Configure the system log, /etc/rsyslog.conf
[root@123 test]# echo "local2.debug   /root/logs/sudo.log" >>/etc/rsyslog.conf
[root@123 test]# tail -1 /etc/rsyslog.conf
local2.debug   /root/logs/sudo.log
3) Configure /etc/sudoers
[root@123 test]# echo "Defaults     logfile=/root/logs/sudo.log">>/etc/sudoers
[root@123 test]# tail -1 /etc/sudoers
Defaults     logfile=/root/logs/sudo.log
[root@123 test]# visudo -c
/etc/sudoers: parsed OK
4) Restart rsyslog so the change takes effect
[root@123 test]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
5) Check that the configuration works: run a sudo command and look at the log
[root@123 logs]# cat sudo.log
Jan  9 23:16:57 : test : TTY=pts/1 ; PWD=/home/test ; USER=root ; COMMAND=/sbin/ifconfig
Jan  9 23:17:05 : test : command not allowed ; TTY=pts/1 ; PWD=/home/test ; USER=root ; COMMAND=/sbin/fdisk -l
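As an added example (not part of the original post), a small Python parser for the entries sudo writes to the logfile configured in step 3; it separates allowed commands from refused ones and counts refusals per invoking user, which is the signal an auditor reading this file usually wants first. The three sample lines are constructed: the first two copy the format of the step 5 output, the third is a password-failure refusal in the same format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample entries in the format sudo writes to its "Defaults logfile=" file:
# the first two mirror the step 5 output above, the third is a password-failure refusal.
SAMPLE_LOG = """\
Jan  9 23:16:57 : test : TTY=pts/1 ; PWD=/home/test ; USER=root ; COMMAND=/sbin/ifconfig
Jan  9 23:17:05 : test : command not allowed ; TTY=pts/1 ; PWD=/home/test ; USER=root ; COMMAND=/sbin/fdisk -l
Jan  9 23:18:12 : test : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test ; USER=root ; COMMAND=/bin/bash
"""
# "<timestamp> : <invoking user> : <rest>"; <rest> is an optional refusal reason plus
# KEY=value pairs separated by " ; ", with COMMAND= always last.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) : (?P<user>\S+) : (?P<rest>.*)$")

@dataclass
class SudoEvent:
    timestamp: str
    invoking_user: str
    reason: Optional[str]                      # None when the command was allowed
    fields: Dict[str, str] = field(default_factory=dict)

def parse_line(line: str) -> Optional[SudoEvent]:
    """Parse one entry; return None for lines that are not sudo logfile entries."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # Split at COMMAND= rather than on every " ; " so a command containing " ; " stays whole.
    head, sep, command = m.group("rest").partition("COMMAND=")
    if not sep:
        return None
    event = SudoEvent(m.group("ts"), m.group("user"), None, {"COMMAND": command})
    for part in filter(None, (p.strip() for p in head.split(" ; "))):
        key, eq, value = part.partition("=")
        if eq and key.isupper():
            event.fields[key] = value
        else:
            event.reason = part                # free text such as "command not allowed"
    return event

def parse_log(text: str) -> List[SudoEvent]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def denied(events: List[SudoEvent]) -> List[SudoEvent]:
    # Entries where sudo refused to run the command.
    return [e for e in events if e.reason is not None]

def denied_by_user(events: List[SudoEvent]) -> Dict[str, int]:
    # Refusal count per invoking user: a simple signal for someone probing sudoers.
    counts: Dict[str, int] = {}
    for e in denied(events):
        counts[e.invoking_user] = counts.get(e.invoking_user, 0) + 1
    return counts
```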