由于管理的服务器不多，而且都是我一个人管，但公司发展越来越快，服务器也越来越多，人手也添加了，但不能一直都用root账号人手一份，为了安全和管理控制，决定部署sudo。sudo默认安装在系统里，配置日志文件跟踪的时候遇到问题，无论怎么操作，就是不能写入sudo日志。参考了网上的N多文章 ，都不能解决问题，其中的奥秘就在于他们都省略了一步。所以部署东西，最好还是先看官方文档为先，遇到小部份难题在google为好。

一、实验环境

1. # cat /etc/redhat-release  

2. CentOS release 5.5 (Final)

3. # rpm -qa | grep sudo

4. sudo-1.7.2p1-5.el5

5. [root@CentOS-A log]# rpm -ql  sudo

6. /usr/share/doc/sudo-1.7.2p1/sample.sudoers

7. /usr/share/doc/sudo-1.7.2p1/sample.syslog.conf

二、参考资料

注：留意我标明红色的地方，这些是成功配置所在。

1. [root@CentOS-A ~]# cat /usr/share/doc/sudo-1.7.2p1/sample.sudoers  

2. #

3. # Sample /etc/sudoers file.

4. #

5. # This file MUST be edited with the 'visudo' command as root.

6. #

7. # See the sudoers man page for the details on how to write a sudoers file.

8. #

9. # $Sudo: sample.sudoers,v 1.29 2008/10/03 19:55:57 millert Exp $

11. ##

12. # Override built-in defaults

13. ##

14. Defaults        syslog=auth

15. Defaults>root       !set_logname

16. Defaults:FULLTIMERS !lecture

17. Defaults:millert    !authenticate

18. Defaults@SERVERS    log_year, logfile=/var/log/sudo.log

19. Defaults!PAGERS     noexec

21. ##

22. # User alias specification

23. ##

24. User_Alias  FULLTIMERS = millert, mikef, dowdy

25. User_Alias  PARTTIMERS = bostley, jwfox, crawl

26. User_Alias  WEBMASTERS = will, wendy, wim

28. ##

29. # Runas alias specification

30. ##

31. Runas_Alias OP = root, operator

32. Runas_Alias DB = oracle, sybase

34. ##

35. # Host alias specification

36. ##

37. Host_Alias  SPARC = bigtime, eclipse, moet, anchor:\

38. SGI = grolsch, dandelion, black:\

39. ALPHA = widget, thalamus, foobar:\

40. HPPA = boa, nag, python

41. Host_Alias  CUNETS = 128.138.0.0/255.255.0.0

42. Host_Alias  CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0

43. Host_Alias  SERVERS = master, mail, www, ns

44. Host_Alias  CDROM = orion, perseus, hercules

46. ##

47. # Cmnd alias specification

48. ##

49. Cmnd_Alias  DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \

50.            /usr/sbin/rrestore, /usr/bin/mt

51. Cmnd_Alias  KILL = /usr/bin/kill

52. Cmnd_Alias  PRINTING = /usr/sbin/lpc, /usr/bin/lprm

53. Cmnd_Alias  SHUTDOWN = /usr/sbin/shutdown

54. Cmnd_Alias  HALT = /usr/sbin/halt

55. Cmnd_Alias  REBOOT = /usr/sbin/reboot

56. Cmnd_Alias  SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \

57.             /usr/local/bin/tcsh, /usr/bin/rsh, \

58.             /usr/local/bin/zsh

59. Cmnd_Alias  SU = /usr/bin/su

60. Cmnd_Alias  VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \

61.               /usr/bin/chfn

62. Cmnd_Alias  PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

64. ##

65. # User specification

66. ##

68. # root and users in group wheel can run anything on any machine as any user

69. root        ALL = (ALL) ALL

70. %wheel      ALL = (ALL) ALL

72. # full time sysadmins can run anything on any machine without a password

73. FULLTIMERS  ALL = NOPASSWD: ALL

75. # part time sysadmins may run anything but need a password

76. PARTTIMERS  ALLALL = ALL

78. # jack may run anything on machines in CSNETS

79. jack        CSNETS = ALL

81. # lisa may run any command on any host in CUNETS (a class B network)

82. lisa        CUNETS = ALL

84. # operator may run maintenance commands and anything in /usr/oper/bin/

85. operator    ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\

86.        sudoedit /etc/printcap, /usr/oper/bin/

88. # joe may su only to operator

89. joe     ALL = /usr/bin/su operator

91. # pete may change passwords for anyone but root on the hp snakes

92. pete        HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

94. # bob may run anything on the sparc and sgi machines as any user

95. # listed in the Runas_Alias "OP" (ie: root and operator)

96. bob     SPARC = (OP) ALL : SGI = (OP) ALL

98. # jim may run anything on machines in the biglab netgroup

99. jim     +biglab = ALL

101. # users in the secretaries netgroup need to help manage the printers

102. # as well as add and remove users

103. +secretaries    ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

105. # fred can run commands as oracle or sybase without a password

106. fred        ALL = (DB) NOPASSWD: ALL

108. # on the alphas, john may su to anyone but root and flags are not allowed

109. john        ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

111. # jen can run anything on all machines except the ones

112. # in the "SERVERS" Host_Alias

113. jen     ALL, !SERVERS = ALL

115. # jill can run any commands in the directory /usr/bin/, except for

116. # those in the SU and SHELLS aliases.

117. jill        SERVERS = /usr/bin/, !SU, !SHELLS

119. # steve can run any command in the directory /usr/local/op_commands/

120. # as user operator.

121. steve       CSNETS = (operator) /usr/local/op_commands/

123. # matt needs to be able to kill things on his workstation when

124. # they get hung.

125. matt        valkyrie = KILL

127. # users in the WEBMASTERS User_Alias (will, wendy, and wim)

128. # may run any command as user www (which owns the web pages)

129. # or simply su to www.

130. WEBMASTERS  www = (www) ALL, (root) /usr/bin/su www

132. # anyone can mount/unmount a cd-rom on the machines in the CDROM alias

133. ALL     CDROM = NOPASSWD: /sbin/umount /CDROM,\

134.        /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

1. [root@CentOS-A ~]# cat /usr/share/doc/sudo-1.7.2p1/sample.syslog.conf

2. # This is a sample syslog.conf fragment for use with Sudo.

3. #

4. # Sudo logs to local2 by default, but this is changable via the

5. # --with-logfac configure option.  To see what syslog facility

6. # a sudo binary uses, run `sudo -V' as *root*.  You may have

7. # to check /usr/include/syslog.h to map the facility number to

8. # a name.

9. #

10. # NOTES:

11. #   The whitespace in the following line is made up of <TAB>

12. #       characters, *not* spaces.  You cannot just cut and paste!

13. #

14. #   If you edit syslog.conf you need to send syslogd a HUP signal.

15. #   Ie: kill -HUP process_id

16. #

17. #   Syslogd will not create new log files for you, you must first

18. #   create the file before syslogd will log to it.  Eg.

19. # 'touch /var/log/sudo'

20. #

21. # $Sudo: sample.syslog.conf,v 1.3 2004/10/01 14:58:15 millert Exp $

23. # This logs successful and failed sudo attempts to the file /var/log/sudo

24. local2.debug                    /var/log/sudo

26. # To log to a remote machine, use something like the following,

27. # where "loghost" is the name of the remote machine.

28. local2.debug                    @loghost

三、完整配置

3.1.配置sudo日志文件

1. ＃touch /var/log/sudo.log

3.2.修改/etc/syslog.conf配置文件

local2.debug                                  /var/log/sudo.log                     #空白处不能用空格键,必需用tab键

3.3、修改/etc/sudoers配置文件

注：不要手动修改配置文件 ，用visudo命令修改，好处是修改出错，保存会弹出错误提示信息，方便排错。

1. ＃visudo

2. efaults              logfile=/var/log/sudo.log    #添加这一行

3.4、重启syslog服务

1. # ps -aux | grep syslog

3. Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ

5. root     10367  0.0  0.1   1728   612 ?        Ss   23:10   0:00 syslogd -m 0

7. root     10437  0.0  0.1   3920   688 pts/1    R+   23:41   0:00 grep syslog

9. # kill -HUP 10367

10. ＃/etc/init.d/syslog restart

四、成功测试

1. # cat /var/log/sudo.log

3. Dec 14 23:07:39 : firerat : TTY=pts/0 ; PWD=/home/firerat ; USER=root ;

5. COMMAND=/bin/cat /etc/passwd

临高人社区：http://www.lingaoren.com

本文出自 “” 博客，请务必保留此出处