Environment: Debian 9
apt install sudo
apt install rsyslog
Check that rsyslog is running
systemctl status rsyslog
Set the log file path in sudoers (appending with echo skips the syntax check; editing with visudo is safer, because a malformed sudoers file makes every sudo invocation fail)
echo "Defaults logfile=/var/log/sudo.log" >>/etc/sudoers
Add a rule for the local2 facility at debug level to the rsyslog configuration (note that sudo writes /var/log/sudo.log directly because of the logfile Defaults above; its syslog messages go to authpriv unless Defaults syslog=local2 is also set, so this rule only adds anything in that case)
echo "local2.debug /var/log/sudo.log" >>/etc/rsyslog.conf
Restart the service
systemctl restart rsyslog
Start watching the log file
tail -f /var/log/sudo.log
Open a new terminal and switch to a non-root user
su - jesse
(the - makes su start a login shell with jesse's own environment instead of root's)
Test a sudo command
sudo apt install apache
Check the monitored log
root@debian:~# tail -l /var/log/sudo.log
Jun 23 22:05:54 : jesse : command not allowed ; TTY=pts/1 ; PWD=/home/jesse ;
USER=root ; COMMAND=list
root@debian:~# tail -f /var/log/sudo.log
Jun 23 22:05:54 : jesse : command not allowed ; TTY=pts/1 ; PWD=/home/jesse ;
USER=root ; COMMAND=list
Jun 23 22:06:47 : jesse : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/jesse ;
USER=root ; COMMAND=/usr/bin/apt install apache
Both attempts are fully recorded: the invoking user, the reason sudo refused the command, the TTY, the working directory, the target user and the command itself. The entries are split over two lines because sudo wraps log file entries longer than 80 characters by default (loglinelen) and indents the continuation line.
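The log format above is easy to process for detection. As an added example (not part of the original post), here is a small POSIX shell script that lists the refused sudo attempts from such a log; SAMPLE_LOG is constructed from the entries shown above, written with sudo's default wrapping of long entries (an indented continuation line), which the parser re-joins before splitting the fields.

```shell
#!/bin/sh
# Added example: pull the refused attempts out of the sudo log file written by
# "Defaults logfile=/var/log/sudo.log". SAMPLE_LOG is constructed from the
# entries shown above; sudo wraps long entries (loglinelen=80) and indents the
# continuation line, so the parser re-joins indented lines before parsing.
SAMPLE_LOG='Jun 23 22:05:54 : jesse : command not allowed ; TTY=pts/1 ; PWD=/home/jesse ;
    USER=root ; COMMAND=list
Jun 23 22:06:47 : jesse : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/jesse ;
    USER=root ; COMMAND=/usr/bin/apt install apache
Jun 23 22:08:02 : alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ;
    COMMAND=/bin/systemctl status rsyslog'

# Reads the log on stdin; prints "user<TAB>reason<TAB>target<TAB>command" for
# every entry that carries a reason (accepted commands go straight to TTY=).
sudo_denied() {
    awk '
    function emit(line,   n, a, rest, i, p, cmd, m, b, reason, tgt) {
        n = split(line, a, " : ")          # date : invoking user : details
        if (n < 3) return
        rest = a[3]
        for (i = 4; i <= n; i++) rest = rest " : " a[i]
        p = index(rest, " ; COMMAND=")     # everything after this is the command
        if (p == 0) return
        cmd = substr(rest, p + 11)
        m = split(substr(rest, 1, p - 1), b, " ; ")
        if (b[1] ~ /^TTY=/) return         # no reason field: sudo ran the command
        reason = b[1]; tgt = ""
        for (i = 2; i <= m; i++) if (b[i] ~ /^USER=/) tgt = substr(b[i], 6)
        printf "%s\t%s\t%s\t%s\n", a[2], reason, tgt, cmd
    }
    /^[ \t]/ { sub(/^[ \t]+/, ""); rec = rec " " $0; next }   # wrapped line
    { if (rec != "") emit(rec); rec = $0 }
    END { if (rec != "") emit(rec) }'
}

printf '%s\n' "$SAMPLE_LOG" | sudo_denied
```

On a live system, feed the real file instead: sudo_denied < /var/log/sudo.log.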