Building on Toby's answer, I found a way to do this configuration slightly differently on Debian / Ubuntu. For context, see:

So Debian / Ubuntu has this `pam-auth-update` command, and when you look at `/etc/pam.d/sudo` it looks like this:

```
#%PAM-1.0
@include common-auth
@include common-account
@include common-session-noninteractive
```

and `/etc/pam.d/common-session-noninteractive` looks like this:

```
#
# /etc/pam.d/common-session-noninteractive - session-related modules
# common to all non-interactive services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of all non-interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
# end of pam-auth-update config
```

Sure, I could edit either of the files above, but clearly there is some "higher power" at work here. How do I make my changes play nicely with other packages that may want to add PAM rules? And most importantly, I could not seem to just add a line to `/etc/pam.d/sudo` between the `@include`s like this:

```
##### THIS DIDN'T WORK :( ######
@include common-auth
@include common-account
session [default=ignore] pam_succeed_if.so quiet_success service = sudo uid = 0 ruser = myappuser
@include common-session-noninteractive
```

After reading the link above and some other examples (see `/usr/share/pam-configs/unix` for reference), I came up with `/usr/share/pam-configs/myapp`:

```
# Don't log "session opened" messages for myapp user
# See: https://wiki.ubuntu.com/PAMConfigFrameworkSpec
# https://manpages.debian.org/stretch/libpam-modules/pam_succeed_if.8.en.html
Name: myapp disable session logging
Default: yes
Priority: 300
Session-Type: Additional
Session:
    [default=ignore] pam_succeed_if.so quiet_success service = sudo uid = 0 ruser = myappuser
```

`Session` and `Session-Type` control which file gets edited, and `Priority` defines the order they are executed in. After adding that file and running `pam-auth-update`, `/etc/pam.d/common-session-noninteractive` looks like this (at the bottom):

```
#... omitted
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session [default=ignore] pam_succeed_if.so quiet_success service = sudo uid = 0 ruser = myappuser
session required pam_unix.so
# end of pam-auth-update config
```

...which is what we want, because our `pam_succeed_if` line needs to come before `session required pam_unix.so`. (That line comes from `/usr/share/pam-configs/unix` and has `Priority: 256`, so it ends up second.) Also note that I left the `service = sudo` predicate in, because `common-session-noninteractive` may well be included in configs other than `sudo`.

In my case, I have packaged my code as a `.deb` installer, so I added the `/usr/share/pam-configs/myapp` file, added `pam-auth-update --package` to my `postinst` and `prerm` scripts, and I'm good to go!

Caveats...

If you read the PAMConfigFrameworkSpec article I linked above, it defines a `Session-Interactive-Only` option, but there is no way to specify rules for non-interactive sessions only. So `/etc/pam.d/common-session` gets updated as well. I don't think there is any way around that. If you can live without logging interactive sessions for that user (it's a service account, right?), then you're all set!

Bonus: how to also remove the sudo log output

Besides the `session opened|closed` lines emitted by PAM, `sudo` also logs additional information about the command being run. It looks like this:

```
[user] : TTY=unknown ; PWD=... ; USER=root ; COMMAND=...
```

If you want to get rid of that too, open this link and then continue below...

So... you are probably familiar with the typical `/etc/sudoers.d/___` setup, which might do something like the following for a service account that needs superuser privileges:

```
myuser ALL=(ALL) NOPASSWD: /bin/ping
```

That might go in `/etc/sudoers.d/10_myuser`. Well, you can also specify `Defaults`. Note in particular this syntax: `'Defaults' ':' User_List`

Now look at the SUDOERS OPTIONS section. Interesting bits include `log_input` and `log_output`, but (probably) more importantly `syslog` and `logfile`. It seems to me that in recent versions of Debian, rsyslog or `sudo` logs to `stdout` or `stderr` by default. So for me this shows up in my service's journal logs rather than in, say, `/var/log/auth.log`, where it would not get mixed into my application logs. To remove the sudo logging, I added the following to `/etc/sudoers.d/10_myuser`:

```
Defaults:myuser !logfile, !syslog
myuser ALL=(ALL) NOPASSWD: /bin/ping
```

YMMV; if you think disabling logging would cause problems for security audits, you could also try to solve this with an rsyslog filter.

`session closed for user root`: if I filtered on that, I would effectively be filtering all messages. I want the specific user, which is not mentioned in the message, so I cannot filter by name...
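To make the `Priority` ordering in the answer above concrete, here is an added simulation (example code written for this page, not part of pam-auth-update or of the answer) that parses two constructed `/usr/share/pam-configs`-style profiles and emits the "Additional" session block the way the answer describes: higher `Priority` first, so the `pam_succeed_if` line (300) lands ahead of `pam_unix.so` (256). It models only the Additional block, not the jump counting of the Primary block.

```python
"""Model how pam-auth-update orders "Additional" session lines by Priority."""
import re

# Constructed sample profiles in the pam-configs format (not the real system files).
PROFILES = {
    "unix": """Name: Unix authentication
Default: yes
Priority: 256
Session-Type: Additional
Session:
\trequired\t\t\tpam_unix.so
""",
    "myapp": """Name: myapp disable session logging
Default: yes
Priority: 300
Session-Type: Additional
Session:
\t[default=ignore] pam_succeed_if.so quiet_success service = sudo uid = 0 ruser = myappuser
""",
}


def parse_profile(text):
    """Return (header fields, module lines) for one profile.

    Header lines look like 'Key: value'; the module lines that belong to
    'Session:' are the indented lines that follow it."""
    fields, modules, in_session = {}, [], False
    for line in text.splitlines():
        if in_session and line[:1] in (" ", "\t"):
            modules.append(" ".join(line.split()))  # collapse tab alignment
            continue
        in_session = False
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
        if m:
            key, value = m.group(1), m.group(2)
            fields[key] = value
            in_session = key == "Session"
    return fields, modules


def additional_session_block(profiles):
    """Return the 'session ...' lines of the Additional block, highest Priority first."""
    entries = []
    for name, text in profiles.items():
        fields, modules = parse_profile(text)
        if fields.get("Default") != "yes" or fields.get("Session-Type") != "Additional":
            continue
        entries.append((int(fields["Priority"]), name, modules))
    entries.sort(key=lambda e: (-e[0], e[1]))  # higher Priority runs first
    return ["session " + mod for _, _, mods in entries for mod in mods]


if __name__ == "__main__":
    print("\n".join(additional_session_block(PROFILES)))
```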