centos5.5中sudo日志文件的创建与跟踪

# cat /etc/redhat-release 
CentOS release 5.5 (Final)
# rpm -qa | grep sudo
sudo-1.7.2p1-5.el5
[root@jbxue log]# rpm -ql  sudo
/usr/share/doc/sudo-1.7.2p1/sample.sudoers
/usr/share/doc/sudo-1.7.2p1/sample.syslog.conf

[root@jbxue ~]# cat /usr/share/doc/sudo-1.7.2p1/sample.sudoers 
#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# $Sudo: sample.sudoers,v 1.29 2008/10/03 19:55:57 millert Exp $
 
##
# Override built-in defaults
##
Defaults        syslog=auth
Defaults>root       !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert    !authenticate
Defaults@SERVERS    log_year, logfile=/var/log/sudo.log
Defaults!PAGERS     noexec
 
##
# User alias specification
##
User_Alias  FULLTIMERS = millert, mikef, dowdy
User_Alias  PARTTIMERS = bostley, jwfox, crawl
User_Alias  WEBMASTERS = will, wendy, wim
 
##
# Runas alias specification
##
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
 
##
# Host alias specification
##
Host_Alias  SPARC = bigtime, eclipse, moet, anchor:
        SGI = grolsch, dandelion, black:
        ALPHA = widget, thalamus, foobar:
        HPPA = boa, nag, python
Host_Alias  CUNETS = 128.138.0.0/255.255.0.0
Host_Alias  CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias  SERVERS = master, mail, www, ns
Host_Alias  CDROM = orion, perseus, hercules
 
##
# Cmnd alias specification
##
Cmnd_Alias  DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore,
            /usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias  KILL = /usr/bin/kill
Cmnd_Alias  PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias  SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias  HALT = /usr/sbin/halt
Cmnd_Alias  REBOOT = /usr/sbin/reboot
Cmnd_Alias  SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,
             /usr/local/bin/tcsh, /usr/bin/rsh,
             /usr/local/bin/zsh
Cmnd_Alias  SU = /usr/bin/su
Cmnd_Alias  VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh,
               /usr/bin/chfn
Cmnd_Alias  PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
 
##
# User specification
##
 
# root and users in group wheel can run anything on any machine as any user
root        ALL = (ALL) ALL
%wheel      ALL = (ALL) ALL
 
# full time sysadmins can run anything on any machine without a password
FULLTIMERS  ALL = NOPASSWD: ALL
 
# part time sysadmins may run anything but need a password
PARTTIMERS  ALLALL = ALL
 
# jack may run anything on machines in CSNETS
jack        CSNETS = ALL
 
# lisa may run any command on any host in CUNETS (a class B network)
lisa        CUNETS = ALL
 
# operator may run maintenance commands and anything in /usr/oper/bin/
operator    ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,
        sudoedit /etc/printcap, /usr/oper/bin/
 
# joe may su only to operator
joe     ALL = /usr/bin/su operator
 
# pete may change passwords for anyone but root on the hp snakes
pete        HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
 
# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob     SPARC = (OP) ALL : SGI = (OP) ALL 
 
# jim may run anything on machines in the biglab netgroup
jim     +biglab = ALL
 
# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries    ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
 
# fred can run commands as oracle or sybase without a password
fred        ALL = (DB) NOPASSWD: ALL
 
# on the alphas, john may su to anyone but root and flags are not allowed
john        ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
 
# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen     ALL, !SERVERS = ALL
 
# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill        SERVERS = /usr/bin/, !SU, !SHELLS
 
# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve       CSNETS = (operator) /usr/local/op_commands/
 
# matt needs to be able to kill things on his workstation when
# they get hung.
matt        valkyrie = KILL
 
# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS  www = (www) ALL, (root) /usr/bin/su www
 
# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL     CDROM = NOPASSWD: /sbin/umount /CDROM,
        /sbin/mount -o nosuid,nodev /dev/cd0a /CDROM
[root@jbxue ~]# cat /usr/share/doc/sudo-1.7.2p1/sample.syslog.conf 
# This is a sample syslog.conf fragment for use with Sudo.
#
# Sudo logs to local2 by default, but this is changable via the
# --with-logfac configure option.  To see what syslog facility
# a sudo binary uses, run `sudo -V' as *root*.  You may have
# to check /usr/include/syslog.h to map the facility number to
# a name.
#
# NOTES:
#   The whitespace in the following line is made up of <TAB>
#       characters, *not* spaces.  You cannot just cut and paste!
#
#   If you edit syslog.conf you need to send syslogd a HUP signal.
#   Ie: kill -HUP process_id
#
#   Syslogd will not create new log files for you, you must first
#   create the file before syslogd will log to it.  Eg.
#   'touch /var/log/sudo'
#
# $Sudo: sample.syslog.conf,v 1.3 2004/10/01 14:58:15 millert Exp $
 
# This logs successful and failed sudo attempts to the file /var/log/sudo
local2.debug  /var/log/sudo 
 
# To log to a remote machine, use something like the following,
# where "loghost" is the name of the remote machine.
local2.debug  @loghost