[sudo-users] excluding commands from log_output

Todd C. Miller Todd.Miller at courtesan.com
Sat Nov 12 18:17:05 MST 2016


On Sun, 13 Nov 2016 01:16:16 +0200, Divan Santana wrote:

> I've enabled log_output but would like to prevent certain commands from
> being logged, like top for example.

You can create a Cmnd_Alias containing the commands for which you
want to disable I/O logging.  For example:

Cmnd_Alias NOIOLOG = /usr/bin/top, /usr/bin/ps
Defaults!NOIOLOG !log_output

> Lastly, would the above work in this scenario:
> bob@host:$ sudo su - root
> root@host:# top
> 
> I.e., when one invokes the top command sometime after sudo, during the
> sudo "session".

No, that won't work since sudo would log the entire "su" session.

Note that top is not entirely benign, however, since you can use
it to kill or renice arbitrary processes.

 - todd
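
An added example, not part of the original message and not sudo's own code: a simplified Python model of the two sudoers lines in the reply, showing that the I/O logging decision is made once, for the command sudo itself executes. The global `Defaults log_output` line, the `/usr/bin/su` path and the function names are assumptions, and only exact path matches are modelled.

```python
import re
import shlex

# Constructed sudoers fragment: the reply's two lines plus an assumed global log_output.
SUDOERS = """\
Defaults log_output
Cmnd_Alias NOIOLOG = /usr/bin/top, /usr/bin/ps
Defaults!NOIOLOG !log_output
"""

def parse(text):
    """Return (global_flags, aliases, per_command_defaults) for the modelled subset."""
    flags, aliases, cmnd_defaults = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = {c.strip() for c in m.group(2).split(",")}
            continue
        m = re.match(r"Defaults(?:!(\S+))?\s+(!?)(\w+)$", line)
        if m:
            target, neg, flag = m.groups()
            if target:
                cmnd_defaults.append((target, flag, not neg))
            else:
                flags[flag] = not neg
    return flags, aliases, cmnd_defaults

def io_logged(text, sudo_argv):
    """Is I/O logged for the command sudo executes? argv[0] must be a full path."""
    flags, aliases, cmnd_defaults = parse(text)
    command = shlex.split(sudo_argv)[0]
    enabled = flags.get("log_output", False)
    # Command-specific Defaults are applied after the global ones.
    for target, flag, value in cmnd_defaults:
        # A target that is not an alias is treated as a literal command path.
        if flag == "log_output" and command in aliases.get(target, {target}):
            enabled = value
    return enabled

if __name__ == "__main__":
    for argv in ("/usr/bin/top", "/usr/bin/ps aux", "/usr/bin/su - root"):
        print(f"sudo {argv:<20} I/O logged: {io_logged(SUDOERS, argv)}")
```

In this model `sudo su - root` matches only `/usr/bin/su`, so a `top` started later inside that shell is never evaluated against NOIOLOG. A misspelled path in the alias simply fails to match and leaves logging enabled for that command.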

