How do I stop sudo PAM messages in auth.log for a specific user on Ubuntu 16.04?

I'm using Ubuntu 16.04 and I'm trying to stop /var/auth.log from being flooded by a script that periodically checks whether certain hosts on the network are alive. Internally the script uses sudo with nmap.

I have this in my /etc/pam.d/sudo file:

#%PAM-1.0

session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0 ruser = deployer
session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0

session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive

session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0 ruser = deployer
session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0

However, I still see the following in /var/log/auth.log:

Dec  1 10:27:43 TimeBox sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec  1 10:27:44 TimeBox sudo: deployer : TTY=unknown ; PWD=/data/deployer/timeagent ; USER=root ; COMMAND=/usr/bin/nmap -sn -PR -n -v0 -oX /tmp/nmap.xml20161201-5387-rn90pj 192.168.88.16
Dec  1 10:27:44 TimeBox sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec  1 10:27:44 TimeBox sudo: deployer : TTY=unknown ; PWD=/data/deployer/timeagent ; USER=root ; COMMAND=/usr/bin/nmap -sn -PR -n -v0 -oX /tmp/nmap.xml20161201-5387-dni0n5 192.168.88.20
Dec  1 10:27:44 TimeBox sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec  1 10:27:44 TimeBox sudo: deployer : TTY=unknown ; PWD=/data/deployer/timeagent ; USER=root ; COMMAND=/usr/bin/nmap -sn -PR -n -v0 -oX /tmp/nmap.xml20161201-5387-1vk93k7 192.168.88.19
Dec  1 10:27:44 TimeBox sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec  1 10:27:44 TimeBox sudo: deployer : TTY=unknown ; PWD=/data/deployer/timeagent ; USER=root ; COMMAND=/usr/bin/nmap -sn -PR -n -v0 -oX /tmp/nmap.xml20161201-5387-j4hcxl 192.168.88.21
Dec  1 10:27:44 TimeBox sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec  1 10:27:44 TimeBox sudo: deployer : TTY=unknown ; PWD=/data/deployer/timeagent ; USER=root ; COMMAND=/usr/bin/nmap -sn -PR -n -v0 -oX /tmp/nmap.xml20161201-5387-6krabn 192.168.88.13

Any idea what I'm doing wrong?

Answer 1

The problem seems to be the @include common-session-noninteractive - this works for me in /etc/pam.d/sudo:

  #%PAM-1.0

  session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0 ruser = deployer
  session    required   pam_env.so readenv=1 user_readenv=0
  session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0

  @include common-auth
  @include common-account
  # @include common-session-noninteractive

I also created /etc/rsyslog.d/35-pam_unix.conf to prevent the actual sudo lines from being logged:

if $syslogtag contains 'sudo' and $msg contains '/data/deployer/timeagent' then ~
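
To see what that rsyslog rule actually drops, here is an added Python simulation (not from the original thread) that applies the same `$syslogtag contains ... and $msg contains ...` test to the auth.log lines from the question plus one constructed sshd line. Only the `deployer : ... PWD=/data/deployer/timeagent ...` lines match; the `pam_unix(sudo:session)` lines carry no path and pass through, which is why the PAM stack change in this answer is needed as well.

```python
import re

# Constructed sample: four lines copied from the auth.log excerpt in the question,
# plus one made-up sshd line to show that unrelated messages are untouched.
SAMPLE_LOG = """\
Dec  1 10:27:43 TimeBox sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec  1 10:27:44 TimeBox sudo: deployer : TTY=unknown ; PWD=/data/deployer/timeagent ; USER=root ; COMMAND=/usr/bin/nmap -sn -PR -n -v0 -oX /tmp/nmap.xml20161201-5387-rn90pj 192.168.88.16
Dec  1 10:27:44 TimeBox sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec  1 10:27:44 TimeBox sudo: deployer : TTY=unknown ; PWD=/data/deployer/timeagent ; USER=root ; COMMAND=/usr/bin/nmap -sn -PR -n -v0 -oX /tmp/nmap.xml20161201-5387-dni0n5 192.168.88.20
Dec  1 10:27:45 TimeBox sshd[1234]: Accepted publickey for alice from 192.168.88.2 port 50022 ssh2
"""

# Traditional syslog line: "<timestamp> <host> <tag>: <msg>". rsyslog's $syslogtag
# keeps the trailing colon (e.g. "sudo:" or "sshd[1234]:"), which is mirrored here.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>\S+?:) ?(?P<msg>.*)$"
)


def parse_syslog_line(line):
    """Split a line into the fields the rsyslog filter inspects; None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def apply_discard_rule(lines, tag_needle="sudo", msg_needle="/data/deployer/timeagent"):
    """Emulate `if $syslogtag contains A and $msg contains B then ~`.

    rsyslog's `contains` is a plain substring test on both properties and `~`
    discards the message, so a line is dropped only when BOTH substrings match.
    Lines that do not parse are kept, as rsyslog would still log them.
    """
    kept = []
    for line in lines:
        f = parse_syslog_line(line)
        if f is not None and tag_needle in f["tag"] and msg_needle in f["msg"]:
            continue  # rule matched: message discarded
        kept.append(line)
    return kept


def surviving_lines(log=SAMPLE_LOG):
    """Lines from the sample that still reach auth.log with only the rsyslog rule in place."""
    return apply_discard_rule(log.splitlines())


if __name__ == "__main__":
    print("\n".join(surviving_lines()))  # the two pam_unix lines and the sshd line remain
```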

Answer 2

You have 3 options:

  • Run nmap as root
  • Apply a filter regex at the syslog level
  • Modify the source

The first is the recommended way.
