I am using Zabbix for monitoring my environment and zabbix_agentd executes as user zabbix one custom script every 60 seconds; it uses sudo to run this script as root.
In /var/log/auth.log I see every 60 seconds:
Aug 11 17:40:32 my-server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 11 17:40:32 my-server sudo: pam_unix(sudo:session): session closed for user root
I want to stop this message from flooding my log. I added the following line to /etc/pam.d/sudo file, immediately before session required pam_unix.so:
session [success=1 default=ignore] pam_succeed_if.so service in sudo quiet uid = 0
and the message disappeared.
But the problem is that this way I have suppressed every PAM message when someone is executing a script with sudo as root.
I want to stop the message only for user zabbix (not all other users). sudo knows that zabbix user wants to execute the script with root privileges and is there any way to tell PAM that? How can I tell PAM not to log for a specific user when using sudo?
Note: I tried filtering the messages in syslog; although this works, it has the same problem as the above, namely that it is too indiscriminate, as the log message does not indicate which user is becoming root.
Best Answer
You seem pretty close with your PAM conf line:
Looking at the manual page for pam_succeed_if, I think you want to test that the requesting user (ruser) is zabbix.
So I suggest:
That will suppress the next test when user zabbix becomes root (but no other transitions). I've tested this with a pair of my own users.
Remove the uid = 0 test in the above if you want to keep quiet about zabbix becoming any user, rather than just root.
I removed the service in sudo test: it's redundant given that this line is in /etc/pam.d/sudo.
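
As an added example (not part of the answer above, and not Linux-PAM code), this Python model evaluates the question's line and a line assembled from the answer's description against three constructed sudo transitions, and reports which ones still reach pam_unix.so. The assembled answer line, the user alice and the postgres uid are assumptions made for the illustration.

```python
import re

# Constructed sample transitions: (requesting user, target user, target uid).
TRANSITIONS = [("zabbix", "root", 0), ("alice", "root", 0), ("zabbix", "postgres", 26)]

QUESTION_STACK = [
    "session [success=1 default=ignore] pam_succeed_if.so service in sudo quiet uid = 0",
    "session required pam_unix.so",
]
# Assumption: line assembled from the answer's description (test ruser,
# keep uid = 0, drop the redundant service test).
ANSWER_STACK = [
    "session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0 ruser = zabbix",
    "session required pam_unix.so",
]
LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def conditions_hold(args, env):
    """AND together pam_succeed_if-style 'field op value' triples."""
    terms = [a for a in args if a != "quiet"]
    for field, op, value in zip(terms[0::3], terms[1::3], terms[2::3]):
        allowed = {"=": [value], "in": value.split(":")}[op]  # KeyError: op not modelled
        if str(env[field]) not in allowed:
            return False
    return True

def modules_run(stack, env):
    """Return the modules that execute, honouring [success=N] jumps."""
    ran, skip = [], 0
    for line in stack:
        _type, control, module, args = LINE.match(line).groups()
        if skip:
            skip -= 1
            continue
        ran.append(module)
        jump = re.search(r"success=(\d+)", control)
        if jump and conditions_hold(args.split(), env):
            skip = int(jump.group(1))
    return ran

def logged(stack):
    """Transitions for which pam_unix.so still runs and writes its session lines."""
    envs = [{"service": "sudo", "ruser": r, "user": u, "uid": i} for r, u, i in TRANSITIONS]
    return [(e["ruser"], e["user"]) for e in envs if "pam_unix.so" in modules_run(stack, e)]
```

`logged(QUESTION_STACK)` returns only the zabbix-to-postgres transition, so every sudo session to root goes unlogged. `logged(ANSWER_STACK)` keeps alice-to-root and zabbix-to-postgres and drops only zabbix-to-root.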