By default, sudo's log entries end up in /var/log/secure:
# grep sudo /var/log/secure
Jul 15 10:32:24 localhost sudo: t850008 : TTY=pts/0 ; PWD=/home/t850008 ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jul 15 10:33:51 localhost sudo: t850008 : TTY=pts/0 ; PWD=/home/t850008 ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jul 15 10:33:54 localhost sudo: t850008 : TTY=pts/0 ; PWD=/home/t850008 ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jul 15 10:34:23 localhost sudo: t850008 : TTY=pts/0 ; PWD=/home/t850008 ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jul 15 10:44:06 localhost sudo: t850008 : command not allowed ; TTY=pts/0 ; PWD=/home/t850008 ; USER=root ; COMMAND=/sbin/shutdown -r now
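The entries above follow sudo's fixed layout: `user : [reason ; ]TTY=… ; PWD=… ; USER=… ; COMMAND=…`, where the reason slot is empty for an allowed command and holds text such as `command not allowed` for a rejected one. The script below is an added example, not part of the original post, that pulls those fields out of a log like /var/log/secure and separates allowed from rejected commands. It generalizes slightly beyond the post: any text in front of the `TTY=` field is treated as a rejection reason, since sudo uses that slot for its other failure messages as well. The sample log lines are constructed for the example (modelled on the post's output) and `sudo_entries`, `count_status` and `per_user_summary` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): extract sudo entries from an
# authpriv log such as /var/log/secure and separate allowed commands from
# rejected ones. Only needs POSIX sh and awk.

# Constructed sample lines modelled on the post's output; not real log data.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul 15 10:32:24 localhost sudo: t850008 : TTY=pts/0 ; PWD=/home/t850008 ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jul 15 10:44:06 localhost sudo: t850008 : command not allowed ; TTY=pts/0 ; PWD=/home/t850008 ; USER=root ; COMMAND=/sbin/shutdown -r now
Jul 15 10:45:10 localhost sshd[2465]: Accepted password for root from 192.168.1.1 port 3029 ssh2
Jul 15 10:46:00 localhost sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart rsyslog
EOF

# Print one tab-separated record per sudo entry:
#   STATUS  user  tty  pwd  target_user  command  reason
# STATUS is ALLOWED, or DENIED when a reason precedes the TTY= field.
# Accepts both "sudo:" and "sudo[pid]:" tags.
sudo_entries() {
    awk '
        / sudo(\[[0-9]+\])?: / {
            line = $0
            sub(/^.* sudo(\[[0-9]+\])?: /, "", line)   # drop "Mon DD HH:MM:SS host sudo: "
            user = line; sub(/ : .*$/, "", user)       # text before the first " : "
            rest = line; sub(/^[^ ]* : /, "", rest)    # everything after it
            n = split(rest, f, / ; /)                  # fields are separated by " ; "
            if (f[1] ~ /^TTY=/) { status = "ALLOWED"; reason = "-" }
            else                { status = "DENIED";  reason = f[1] }
            tty = pwd = target = cmd = "-"
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^TTY=/)     tty    = substr(f[i], 5)
                if (f[i] ~ /^PWD=/)     pwd    = substr(f[i], 5)
                if (f[i] ~ /^USER=/)    target = substr(f[i], 6)
                if (f[i] ~ /^COMMAND=/) cmd    = substr(f[i], 9)
            }
            printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n", status, user, tty, pwd, target, cmd, reason
        }' "$1"
}

# Number of entries with the given status (ALLOWED or DENIED) in a log file.
count_status() {
    sudo_entries "$1" | awk -F'\t' -v s="$2" '$1 == s { c++ } END { print c + 0 }'
}

# Per-user totals of allowed and denied commands, sorted by user name.
per_user_summary() {
    sudo_entries "$1" | awk -F'\t' '
        { allowed[$2] += ($1 == "ALLOWED"); denied[$2] += ($1 == "DENIED") }
        END { for (u in allowed) printf "%s allowed=%d denied=%d\n", u, allowed[u], denied[u] }' | sort
}

echo "== rejected commands =="
sudo_entries "$SAMPLE_LOG" \
    | awk -F'\t' '$1 == "DENIED" { printf "%s refused %s (as %s): %s\n", $2, $6, $5, $7 }'
echo "== per-user summary =="
per_user_summary "$SAMPLE_LOG"
```

Point `sudo_entries` at the real file (`sudo_entries /var/log/secure`, or /var/log/sudo.log once the split below is in place) and the tab-separated output can be fed straight into `cut`, `sort` or a SIEM forwarder; the rejected-command view is the one worth alerting on, since it shows a user testing the limits of their sudoers entry.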
However, /var/log/secure also contains ssh login messages and other entries:
# grep -E 'sshd|useradd' /var/log/secure
Jul 13 12:23:15 localhost sshd[2542]: pam_unix(sshd:session): session closed for user root
Jul 13 12:24:48 localhost sshd[1543]: Server listening on 0.0.0.0 port 22.
Jul 13 12:24:48 localhost sshd[1543]: Server listening on :: port 22.
Jul 13 12:26:14 localhost sshd[2465]: Address 192.168.1.1 maps to linzhaongdeipad.home, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 13 12:26:24 localhost sshd[2465]: Accepted password for root from 192.168.1.1 port 3029 ssh2
Jul 13 12:26:24 localhost sshd[2465]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 13 12:43:50 localhost sshd[2465]: pam_unix(sshd:session): session closed for user root
Jul 13 12:45:24 localhost sshd[1286]: Server listening on 0.0.0.0 port 22.
Jul 13 12:48:10 localhost sshd[2370]: Address 192.168.1.1 maps to linzhaongdeipad.home, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 13 12:48:14 localhost sshd[2370]: Accepted password for root from 192.168.1.1 port 3188 ssh2
Jul 13 12:48:14 localhost sshd[2370]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 13 13:02:45 localhost useradd[3294]: failed adding user 'mysql', exit code: 9
Jul 15 10:17:17 localhost sshd[1224]: Server listening on 0.0.0.0 port 22.
Jul 15 10:18:21 localhost sshd[10248]: Accepted password for root from 192.168.1.115 port 2163 ssh2
Jul 15 10:18:21 localhost sshd[10248]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 15 10:30:47 localhost useradd[10318]: new group: name=t850008, GID=1000
Jul 15 10:30:47 localhost useradd[10318]: new user: name=t850008, UID=1000, GID=1000, home=/home/t850008, shell=/bin/bash
Splitting sudo's log into its own file reduces the amount of data to sift through during analysis.
# visudo
# add at the end of the file
Defaults syslog=local1
Edit the syslog configuration file:
# vim /etc/rsyslog.conf
Change the first of the following two lines into the second (local1.none keeps sudo entries out of /var/log/messages):
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages
Add the following line:
local1.* /var/log/sudo.log
Restart the syslog service:
# systemctl restart rsyslog
Switch to the t850008 user:
# su - t850008
List the contents of /etc/shadow:
$ sudo cat /etc/shadow
List the contents of /var/log/sudo.log:
$ sudo cat /var/log/sudo.log
Jul 15 11:12:41 localhost sudo: t850008 : TTY=pts/0 ; PWD=/home/t850008 ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jul 15 11:12:53 localhost sudo: t850008 : TTY=pts/0 ; PWD=/home/t850008 ; USER=root ; COMMAND=/bin/cat /var/log/sudo.log
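The split above only works when all three edits land together: `Defaults syslog=local1` in sudoers, `local1.none` added to the /var/log/messages selector (otherwise every sudo entry is written twice), and the `local1.*` rule pointing at /var/log/sudo.log. The script below is an added example, not part of the original post, that checks a rsyslog configuration and a sudoers file for those lines, so a missing edit is caught before the restart rather than discovered later in the logs. The two rsyslog fragments and the sudoers snippet are constructed for the example, and `check_sudo_routing` and `check_sudoers_facility` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): verify that rsyslog routes
# facility local1 to /var/log/sudo.log and keeps it out of /var/log/messages,
# and that sudoers actually sends sudo's messages to local1.

# Constructed config fragments: one missing both rsyslog edits, one correct.
BAD_CONF=$(mktemp); GOOD_CONF=$(mktemp); SUDOERS_SNIPPET=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF" "$SUDOERS_SNIPPET"' EXIT
cat > "$BAD_CONF" <<'EOF'
#*.info;mail.none;authpriv.none;cron.none                /var/log/messages
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
EOF
cat > "$GOOD_CONF" <<'EOF'
#*.info;mail.none;authpriv.none;cron.none                /var/log/messages
*.info;mail.none;authpriv.none;cron.none;local1.none    /var/log/messages
authpriv.*                                              /var/log/secure
local1.*                                                /var/log/sudo.log
EOF
cat > "$SUDOERS_SNIPPET" <<'EOF'
Defaults syslog=local1
EOF

# Returns 0 when both rsyslog rules are present, 1 otherwise, printing one
# line per missing rule. Commented-out lines are ignored; a leading "-"
# (rsyslog's async-write marker) before the file name is accepted.
check_sudo_routing() {
    conf="$1"
    rc=0
    # Every active "*.info ... /var/log/messages" rule must exclude local1,
    # otherwise sudo entries land in both files.
    if grep -E '^[^#]*\*\.info[^[:space:]]*[[:space:]]+-?/var/log/messages' "$conf" \
        | grep -qv 'local1\.none'; then
        echo "missing: local1.none in the /var/log/messages selector"
        rc=1
    fi
    # There must be an active rule sending all local1 priorities to sudo.log.
    if ! grep -Eq '^[[:space:]]*local1\.\*[[:space:]]+-?/var/log/sudo\.log' "$conf"; then
        echo "missing: local1.* /var/log/sudo.log"
        rc=1
    fi
    return $rc
}

# Returns 0 when the sudoers file sets the syslog facility to local1.
check_sudoers_facility() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+.*syslog[[:space:]]*=[[:space:]]*local1' "$1"
}

echo "== bad rsyslog config =="
check_sudo_routing "$BAD_CONF" || echo "rejected (as expected)"
echo "== good rsyslog config =="
check_sudo_routing "$GOOD_CONF" && echo "ok"
echo "== sudoers =="
check_sudoers_facility "$SUDOERS_SNIPPET" && echo "sudo logs to local1"
```

Run `check_sudo_routing /etc/rsyslog.conf` and `check_sudoers_facility /etc/sudoers` on the live files after editing; once rsyslog has been restarted, `logger -p local1.info "routing test"` followed by a look at /var/log/sudo.log confirms the rule end to end without needing a real sudo invocation.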