Что я делаю:
ввожу команду проверки NTP:
sudo ntpdate -d NTP_nameКоманда делает запись в syslog вида:
Feb 17 08:41:00 *** sudo: user_name_Vuasiya : TTY=unknown ; PWD=*** ; USER=root ; COMMAND=/usr/sbin/ntpdate -d IP***
Проблема: Эту команду я использую раз в минуту на 4-6 серверов NTP. В итоге в syslog попадает ОГРОМНАЯ куча спама.
Вопрос: я установил sudo 1.8.6p3, т.к. вычитал что в этой версии есть замечательные опции:
NOLOG_OUTPUT
Добавил в sudo:
sudo visudo
ADMIN ALL=(root) NOLOG_OUTPUT:NOPASSWD: /usr/sbin/ntpdate -d*
Но системе пофиг на NOLOG_OUTPUT, как и вообще на спецификации: LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT, NOLOG_OUTPUT.
спам в syslog не прекратился.
Я сделал решение не удовлетворяющее меня с точки зрения безопасности:
Defaults:user_name_Vuasiya !syslog
Но тогда все что делает user_name_Vuasiya в sudo не пишется в syslog. А мне надо чтобы только одна команда не писалась. Кто знает решение?
Отрывок MAN:
User specification
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
(':' Host_List '=' Cmnd_Spec_List)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
***********************************
sudoers also supports logging a command's input and output streams.
I/O logging is not on by default but can be enabled using the
log_input and log_output Defaults flags as well as the LOG_INPUT and
LOG_OUTPUT command tags.
***********************************
LOG_INPUT and NOLOG_INPUT
These tags override the value of the log_input option on a per-command
basis. For more information, see the description of log_input in the
SUDOERS OPTIONS section below.
LOG_OUTPUT and NOLOG_OUTPUT
These tags override the value of the log_output option on a per-
command basis. For more information, see the description of
log_output in the SUDOERS OPTIONS section below.
*************************************
log_input If set, sudo will run the command in a pseudo tty
and log all user input. If the standard input is
not connected to the user's tty, due to I/O
redirection or because the command is part of a
pipeline, that input is also captured and stored in
a separate log file.
Input is logged to the directory specified by the
iolog_dir option (/var/adm/sudo-io by default) using
a unique session ID that is included in the normal
sudo log line, prefixed with ``TSID=''. The
iolog_file option may be used to control the format
of the session ID.
Note that user input may contain sensitive
information such as passwords (even if they are not
echoed to the screen), which will be stored in the
log file unencrypted. In most cases, logging the
command output via log_output is all that is required.
log_output If set, sudo will run the command in a pseudo tty
and log all output that is sent to the screen,
similar to the script(1) command. If the standard
output or standard error is not connected to the
user's tty, due to I/O redirection or because the
command is part of a pipeline, that output is also
captured and stored in separate log files.
Output is logged to the directory specified by the
iolog_dir option (/var/adm/sudo-io by default) using
a unique session ID that is included in the normal
sudo log line, prefixed with ``TSID=''. The
iolog_file option may be used to control the format
of the session ID.
Output logs may be viewed with the sudoreplay(1m)
utility, which can also be used to list or search
the available logs.
