Suppressing the log records of sudo executions on Linux

sudo writes its log records to /var/log/auth.log or /var/log/secure, and to the systemd journal (the /var/log/journal directory, viewed with journalctl).
The log records of cron executions are kept.

1. Removing the sudo log records from /var/log/auth.log or /var/log/secure

Edit the file /etc/rsyslog.d/35-pam_unix.conf so that it contains:
if $syslogtag contains 'sudo' then ~

Then make the configuration take effect:
systemctl restart rsyslog

(or, on systems without systemd:)
service rsyslog start

2. Removing the sudo log records from the systemd journal (Ubuntu and Debian family)
Modify the file /etc/pam.d/sudo as follows:

  #%PAM-1.0

  session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0
  (or: session [success=done default=ignore] pam_succeed_if.so quiet uid = 0 user = root)

  session    required   pam_env.so readenv=1 user_readenv=0
  session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0

  @include common-auth
  @include common-account
  @include common-session-noninteractive

On CentOS, Huawei EulerOS and Alibaba Cloud Linux the /etc/pam.d/sudo file looks different;
it usually begins with
auth       include      system-auth
Add this as the first line:
session [success=done default=ignore] pam_succeed_if.so quiet uid = 0 user = root
Reference: https://unix.stackexchange.com/questions/470267/how-to-omit-pam-log-messages-for-specific-user-pam-succeed-if-quiet

Test before the change:
# sudo date
# journalctl -r   (or: journalctl -n)
Feb 11 11:24:48 TrustGate.com sudo[110462]: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb 11 11:24:48 TrustGate.com sudo[110462]: pam_unix(sudo:session): session closed for user root

Test after the change:
# sudo date
# journalctl -r   (or: journalctl -n)
<no sudo records>
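A defender-side check for the two changes described above (the rsyslog discard rule in section 1 and the pam_succeed_if.so line in section 2), written as an added example for this page and not code from the original post: it scans the contents of an rsyslog fragment and of /etc/pam.d/sudo and flags rules that would make sudo sessions disappear from the logs. The sample configurations embedded in it are constructed to mirror the post's snippets, and both matchers are heuristics (an rsyslog action of '~' or 'stop' whose condition mentions sudo; a session line that ends or skips the stack for uid 0 / root), so it is a starting point for a host-audit check rather than a complete parser for either format.

```python
"""
Audit rsyslog and PAM configuration for rules that silently drop sudo log records.

Editor-added example; it is not code from the original post. The two sample
configurations below are constructed to mirror the snippets the post shows
(an rsyslog discard rule for the 'sudo' tag and a pam_succeed_if.so line that
ends the session stack for root), and the matching is heuristic.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of an rsyslog fragment such as /etc/rsyslog.d/35-pam_unix.conf.
RSYSLOG_SAMPLE = """\
# drop everything tagged 'sudo' (legacy '~' discard action)
if $syslogtag contains 'sudo' then ~
if $programname == 'cron' then /var/log/cron.log
if $programname == 'sudo' then stop
"""

# Constructed sample of a modified /etc/pam.d/sudo on a Debian-family host.
PAM_SUDO_SAMPLE = """\
#%PAM-1.0
session [success=done default=ignore] pam_succeed_if.so quiet uid = 0 user = root
session    required   pam_env.so readenv=1 user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
"""


@dataclass
class Finding:
    source: str
    line_no: int
    text: str
    reason: str


def _code_lines(text: str):
    """Yield (line_no, line) with comments and blank lines removed."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line


def find_rsyslog_sudo_discards(text: str, source: str = "rsyslog") -> List[Finding]:
    """Flag rsyslog rules whose action is discard ('~' or 'stop') and whose
    condition mentions sudo; such a rule never lets the record reach a file."""
    findings = []
    for n, line in _code_lines(text):
        # The discard action is the last token: legacy '~' or RainerScript 'stop'.
        if not re.search(r"\s(?:~|stop)\s*$", line, re.IGNORECASE):
            continue
        if re.search(r"\bsudo\b", line, re.IGNORECASE):
            findings.append(Finding(source, n, line,
                                    "rsyslog rule discards records matching 'sudo'"))
    return findings


# session <control or [bracketed control]> <module> <args>
_PAM_SESSION = re.compile(r"^session\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$", re.IGNORECASE)


def find_pam_sudo_bypasses(text: str, source: str = "/etc/pam.d/sudo") -> List[Finding]:
    """Flag session lines that use pam_succeed_if.so to match root and then
    either end the stack (success=done) or jump over later modules (success=N),
    so pam_unix never logs 'session opened/closed' for sudo."""
    findings = []
    for n, line in _code_lines(text):
        m = _PAM_SESSION.match(line)
        if not m or "pam_succeed_if.so" not in m.group(2):
            continue
        control, args = m.group(1), m.group(3)
        skips = re.search(r"success\s*=\s*(?:done|\d+)", control, re.IGNORECASE)
        root_only = re.search(r"\b(?:uid\s*=\s*0|user\s*=\s*root)\b", args, re.IGNORECASE)
        if skips and root_only:
            findings.append(Finding(source, n, line,
                                    f"root sessions short-circuit the stack via {control}"))
    return findings


def audit(rsyslog_text: str, pam_text: str) -> List[Finding]:
    """Run both checks and return all findings, in file order."""
    return find_rsyslog_sudo_discards(rsyslog_text) + find_pam_sudo_bypasses(pam_text)


if __name__ == "__main__":
    for f in audit(RSYSLOG_SAMPLE, PAM_SUDO_SAMPLE):
        print(f"{f.source}:{f.line_no}: {f.reason}\n    {f.text}")
```

To run it against a real host, pass the file contents of each /etc/rsyslog.d/*.conf and of /etc/pam.d/sudo to audit() instead of the embedded samples. A finding is only a lead: confirm it by comparing the flagged files against the package-owned copies (rpm -V or debsums) and by checking their modification times against the change history of the host.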

References:
https://unix.stackexchange.com/questions/327301/how-to-stop-sudo-pam-messages-in-auth-log-for-a-specific-user-on-ubuntu-16-04
https://unix.stackexchange.com/questions/281117/cron-pam-unixcronsession-session-opened-for-user-root-by-uid-0-is-it-a-m

[ This post was last edited by linda on 2022-2-18 16:10 ]
