所谓日志审计,就是记录所有系统及相关用户行为的信息,并且可以自动分析、处理、展示(包括文本或者录像)
推荐方法:sudo配合syslog服务,进行日志审计(信息较少,效果不错)
1.安装sudo命令、syslog服务(centos6.4或以上为rsyslog服务)
[root@nginx_back ~]#rpm -qa "sudo|syslog" 查询系统是否已安装sudo、syslog程序
rsyslog-5.8.10-8.el6.x86_64
sudo-1.8.6p3-15.el6.x86_64
[root@nginx_back ~]#rpm -qa|egrep "sudo|syslog"
rsyslog-5.8.10-8.el6.x86_64
sudo-1.8.6p3-15.el6.x86_64
如果没有安装,则用yum安装
2.配置/etc/sudoers
增加配置“Defaults logfile=/var/log/sudo.log”到/etc/sudoers中,注意:不包含引号
[root@nginx_back ~]#echo "Defaults logfile=/var/log/sudo.log">>/etc/sudoers
[root@nginx_back ~]#tail /etc/sudoers
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
Defaults logfile=/var/log/sudo.log
[root@nginx_back ~]#tail -1 /etc/sudoers
Defaults logfile=/var/log/sudo.log
[root@nginx_back ~]#visudo -c 检查sudoers文件语法
/etc/sudoers: parsed OK
3.配置系统日志/etc/syslog.conf
增加配置local2.debug到/etc/syslog.conf中(Centos5.8中)
[root@nginx_back ~]#echo "local2.debug /var/log/sudo.log">>/etc/syslog.conf
[root@nginx_back ~]#tail -1 /etc/syslog.conf
local2.debug /var/log/sudo.log
提示:如果是Centos6.4 路径为/etc/rsyslog.conf
[root@nginx_back ~]#echo "local2.debug /var/log/sudo.log">>/etc/rsyslog.conf
[root@nginx_back ~]#tail -1 /etc/rsyslog.conf
local2.debug /var/log/sudo.log
4.重启syslog或rsyslog内核日志记录器
/etc/init.d/syslog restart(Centos5.8)
/etc/init.d/rsyslog restart(Centos6.4)
[root@nginx_back ~]#/etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@nginx_back ~]#ll /var/log/sudo.log
-rw------- 1 root root 0 Jun 23 23:17 /var/log/sudo.log
5.测试sudo日志审计配置结果
[root@nginx_back ~]#whoami
root
[root@nginx_back ~]#su - ci001
-bash: warning: setlocale: LC_CTYPE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_COLLATE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_MESSAGES: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_NUMERIC: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory
welcome to oldboy linux training from /etc/profile.d
[ci001@nginx_back ~]$ sudo -l
[sudo] password for ci001:
Sorry, user ci001 may not run sudo on nginx_back.
[ci001@nginx_back ~]$ sudo useradd dddd
[sudo] password for ci001:
ci001 is not in the sudoers file. This incident will be reported.
[ci001@nginx_back ~]$ logout
[root@nginx_back ~]#ll /var/log/sudo.log
-rw------- 1 root root 232 Jun 23 23:21 /var/log/sudo.log
[root@nginx_back ~]#cat /var/log/sudo.log
Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
USER=root ; COMMAND=list
Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
USER=root ; COMMAND=/usr/sbin/useradd dddd
[root@nginx_back ~]#su - php001
-bash: warning: setlocale: LC_CTYPE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_COLLATE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_MESSAGES: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_NUMERIC: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory
welcome to oldboy linux training from /etc/profile.d
[php001@nginx_back ~]$ whoami
php001
[php001@nginx_back ~]$ sudo su -
[sudo] password for php001:
Sorry, try again.
[sudo] password for php001:
php001 is not in the sudoers file. This incident will be reported.
[php001@nginx_back ~]$ sudo echo "php001 ALL=(ALL) NOPASSWD:ALL">>/etc/sudoers
-bash: /etc/sudoers: Permission denied
[php001@nginx_back ~]$ sudo vi /etc/sudoers
[sudo] password for php001:
php001 is not in the sudoers file. This incident will be reported.
[php001@nginx_back ~]$ sudo visudo
[sudo] password for php001:
php001 is not in the sudoers file. This incident will be reported.
[php001@nginx_back ~]$ logout
[root@nginx_back ~]#cat /var/log/sudo.log
Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
USER=root ; COMMAND=list
Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
USER=root ; COMMAND=/usr/sbin/useradd dddd
Jun 23 23:26:56 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
USER=root ; COMMAND=/bin/su -
Jun 23 23:28:55 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
USER=root ; COMMAND=/bin/vi /etc/sudoers
Jun 23 23:29:18 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
USER=root ; COMMAND=/usr/sbin/visudo
6.日志集中管理
1)rsync+inotify或定时任务+rsync,推到日志管理服务器上,10.0.0.7_20120309.sudo.log
2)syslog服务来处理
[root@MySQL-A~]#echo "10.0.2.164 logserver">>/etc/hosts
#日志服务器地址
[root@MySQL-A~]#echo "*.info @logserver">>/etc/syslog.conf<<====适合所有日志推走
3)日志收集解决方案scribe、Flume、logstash、stom
