When a user runs su from a byobu session versus from a regular shell session, we see a difference in the logs. With a regular session, the lines in /var/log/auth.log look like this:
root@delta:/var/log# tail -n 0 -f auth.log | grep su
Aug 6 14:15:56 delta sudo: chrish : TTY=pts/3 ; PWD=/home/chrish ; USER=root ; COMMAND=/bin/su
Aug 6 14:15:56 delta sudo: pam_unix(sudo:session): session opened for user root by chrish(uid=1000)
Aug 6 14:15:56 delta su[29322]: Successful su for root by root
Aug 6 14:15:56 delta su[29322]: + /dev/pts/3 root:root
Aug 6 14:15:56 delta su[29322]: pam_unix(su:session): session opened for user root by chrish(uid=0)
However, when that user is inside byobu and runs su, the lines look like this:
root@delta:/var/log# tail -n 0 -f auth.log | grep su
Aug 6 14:14:26 delta sudo: chrish : TTY=pts/2 ; PWD=/home/chrish ; USER=root ; COMMAND=/bin/su
Aug 6 14:14:26 delta sudo: pam_unix(sudo:session): session opened for user root by (uid=1000)
Aug 6 14:14:26 delta su[27243]: Successful su for root by root
Aug 6 14:14:26 delta su[27243]: + /dev/pts/2 root:root
Aug 6 14:14:26 delta su[27243]: pam_unix(su:session): session opened for user root by (uid=0)
Notice that the "session opened for user root" line does not include the username the way it does above? Is this a misconfiguration or a bug that needs to be reported? It is causing some of our log-monitoring alerts not to fire.
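One way a monitoring rule can keep working when pam_unix leaves the "by" field blank, as an added example that is not part of the question: correlate the su session line with its own "+ /dev/pts/N" line (via the su PID) and with the sudo COMMAND=/bin/su line on the same TTY, and recover the invoking user from there. The sample log is the ten lines quoted in the question; the field names and the TTY-based correlation are this example's own choices.

```python
import re
from typing import Dict, List, Optional

# The auth.log lines quoted in the question (regular shell, then byobu).
AUTH_LOG = """\
Aug 6 14:15:56 delta sudo: chrish : TTY=pts/3 ; PWD=/home/chrish ; USER=root ; COMMAND=/bin/su
Aug 6 14:15:56 delta sudo: pam_unix(sudo:session): session opened for user root by chrish(uid=1000)
Aug 6 14:15:56 delta su[29322]: Successful su for root by root
Aug 6 14:15:56 delta su[29322]: + /dev/pts/3 root:root
Aug 6 14:15:56 delta su[29322]: pam_unix(su:session): session opened for user root by chrish(uid=0)
Aug 6 14:14:26 delta sudo: chrish : TTY=pts/2 ; PWD=/home/chrish ; USER=root ; COMMAND=/bin/su
Aug 6 14:14:26 delta sudo: pam_unix(sudo:session): session opened for user root by (uid=1000)
Aug 6 14:14:26 delta su[27243]: Successful su for root by root
Aug 6 14:14:26 delta su[27243]: + /dev/pts/2 root:root
Aug 6 14:14:26 delta su[27243]: pam_unix(su:session): session opened for user root by (uid=0)
"""

# "sudo: <user> : TTY=<tty> ; ... COMMAND=<cmd>" -- who ran sudo, on which tty
SUDO_CMD = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ;.*COMMAND=(?P<cmd>\S+)")
# "su[<pid>]: + /dev/<tty> ..." -- ties the su PID to its tty
SU_TTY = re.compile(r"su\[(?P<pid>\d+)\]: \+ /dev/(?P<tty>\S+) ")
# "su[<pid>]: pam_unix(su:session): session opened for user <target> by <by>(uid=<uid>)"
# <by> is \S* because, as the question shows, it may be empty under byobu.
SU_SESSION = re.compile(
    r"su\[(?P<pid>\d+)\]: pam_unix\(su:session\): session opened for user "
    r"(?P<target>\S+) by (?P<by>\S*)\(uid=(?P<uid>\d+)\)"
)


def su_sessions(log: str) -> List[Dict[str, Optional[str]]]:
    """One record per 'su:session opened' line; 'invoker' is the logged 'by'
    user, or the user from the matching sudo su line on the same tty when
    pam_unix logged the name blank."""
    sudo_by_tty: Dict[str, str] = {}  # tty -> user who ran sudo ... /bin/su
    tty_by_pid: Dict[str, str] = {}   # su pid -> tty
    records: List[Dict[str, Optional[str]]] = []
    for line in log.splitlines():
        if (m := SUDO_CMD.search(line)) and m["cmd"].endswith("/su"):
            sudo_by_tty[m["tty"]] = m["user"]
        elif m := SU_TTY.search(line):
            tty_by_pid[m["pid"]] = m["tty"]
        elif m := SU_SESSION.search(line):
            logged_by = m["by"] or None
            tty = tty_by_pid.get(m["pid"])
            records.append({"pid": m["pid"], "target": m["target"], "tty": tty,
                            "logged_by": logged_by, "blank_username": logged_by is None,
                            "invoker": logged_by or sudo_by_tty.get(tty)})
    return records
```

Alerting on `invoker` instead of the raw "by" field keeps the byobu case visible; the `blank_username` flag also lets you count how often the name is missing.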