sudo / cron / silence logging / authlog

Written by Walter Doekes

Do you use sudo for automated tasks? For instance to let the Zabbix agent access privileged information? Then your auth.log may look a bit flooded, like this:

Aug 30 10:51:44 sudo:   zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/iptables -S INPUT
Aug 30 10:51:44 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 30 10:51:44 sudo: pam_unix(sudo:session): session closed for user root

Or, if you run periodic jobs as root from cron, you get this:

Aug 30 11:52:01 CRON[28260]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 30 11:52:02 CRON[28260]: pam_unix(cron:session): session closed for user root

These messages obscure other relevant messages, so we want them gone.

A possible fix goes like this. Create a quietsudo system group and add to it the users for which we don’t want logging.

# addgroup --system quietsudo
# usermod -aG quietsudo planb
# usermod -aG quietsudo zabbix

Next, drop the “zabbix” sudo line by putting this in /etc/sudoers.d/quietsudo:

# silence sudo messages in auth.log (everyone in the quietsudo group)
# > sudo:   zabbix : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/iptables -S INPUT
Defaults:%quietsudo !syslog

Then, drop the “session opened” and “session closed” lines by making these pam.d changes. We add both “cron” and “sudo” to the services we want to silence. For the latter, we only silence the sudo calls made by the quietsudo users.

--- /etc/pam.d/common-session-noninteractive
+++ /etc/pam.d/common-session-noninteractive
@@ -25,6 +25,14 @@ session  required      pam_permit.so
 # umask settings with different shells, display managers, remote sessions etc.
 # See "man pam_umask".
 session optional     pam_umask.so
+# silence CRON messages in auth.log
+# > CRON[12345]: pam_unix(cron:session): session opened for user root by (uid=0)
+# > CRON[12345]: pam_unix(cron:session): session closed for user root
+session [success=2 default=ignore] pam_succeed_if.so service in cron quiet use_uid
+# silence sudo messages in auth.log
+# > sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
+# > sudo: pam_unix(sudo:session): session closed for user root
+session [success=1 default=ignore] pam_succeed_if.so service in sudo quiet uid = 0 ruser ingroup quietsudo
 # and here are more per-package modules (the "Additional" block)
 session  required  pam_unix.so
 # end of pam-auth-update config
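
Review bot: the two added pam_succeed_if lines depend on relative jump counts (success=2 on the cron rule, success=1 on the sudo rule) that are only right while "session required pam_unix.so" is the very next module after them. The context line "and here are more per-package modules (the "Additional" block)" marks a place where other modules can appear, and the hunk sits above "# end of pam-auth-update config", so a regenerated or extended file can shift the jump target or drop the rules. Add a comment on each rule naming the module it is meant to skip (pam_unix.so) and how many modules the count covers, and re-check the file after anything runs pam-auth-update.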

My pam.d FU is quite lacking, so I cannot tell you exactly why it has to be in this order. But like this it works as intended.
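
Why the order matters, as an added example that is not part of the original post: a simplified Python model of how libpam applies the success=N jumps in the three session lines from the diff. The context dictionaries, the user alice and all function names are constructed for illustration.

```python
import re

# Added example: simplified model of libpam's success=N jumps, not libpam itself.
# The three session lines are copied from the diff, in file order.
CRON = "session [success=2 default=ignore] pam_succeed_if.so service in cron quiet use_uid"
SUDO = ("session [success=1 default=ignore] pam_succeed_if.so "
        "service in sudo quiet uid = 0 ruser ingroup quietsudo")
UNIX = "session required pam_unix.so"
FLAGS = {"quiet", "use_uid"}  # module options, not conditions; ignored here

def parse(line):
    """Split one line into (module, jump_on_success, [(field, op, value), ...])."""
    control, module, rest = re.match(r"session\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line).groups()
    jump = re.search(r"success=(\d+)", control)
    args = [a for a in rest.split() if a not in FLAGS]
    return module, int(jump.group(1)) if jump else 0, list(zip(*[iter(args)] * 3))

def holds(cond, ctx):
    """Evaluate one pam_succeed_if condition against a constructed context."""
    field, op, value = cond
    if op == "in":                      # value is a colon-separated list
        return ctx[field] in value.split(":")
    if op == "=":
        return str(ctx[field]) == value
    if op == "ingroup":
        return value in ctx["groups"].get(ctx[field], set())
    raise ValueError(f"operator not modelled: {op}")

def modules_run(ctx, stack=(CRON, SUDO, UNIX)):
    """Modules called in order; a successful test skips the next N modules."""
    rules, ran, i = [parse(ln) for ln in stack], [], 0
    while i < len(rules):
        module, jump, conds = rules[i]
        ran.append(module)
        i += 1 + (jump if all(holds(c, ctx) for c in conds) else 0)
    return ran

def session_logged(ctx, stack=(CRON, SUDO, UNIX)):
    return "pam_unix.so" in modules_run(ctx, stack)

GROUPS = {"zabbix": {"quietsudo"}, "alice": set()}  # constructed sample users (assumption)
cron_job = {"service": "cron", "uid": 0, "ruser": "", "groups": GROUPS}
quiet = {"service": "sudo", "uid": 0, "ruser": "zabbix", "groups": GROUPS}
human = {"service": "sudo", "uid": 0, "ruser": "alice", "groups": GROUPS}

if __name__ == "__main__":
    for name, ctx in [("cron", cron_job), ("sudo by zabbix", quiet), ("sudo by alice", human)]:
        print(f"{name:15} logged={session_logged(ctx)}")
    print("swapped order, sudo by zabbix logged =", session_logged(quiet, (SUDO, CRON, UNIX)))
```

With the two pam_succeed_if lines swapped but the jump counts unchanged, the zabbix sudo session reaches pam_unix.so and is logged again, which is why the counts and the order go together.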

You may need to restart the zabbix-agent (and planb-queue) to make the new groups take effect.

