The company's Linux servers have sudo rights management enabled, but this carries some risk. To make management and follow-up maintenance easier, we turn on sudo log auditing: the sudo commands a user executes are recorded, while other commands are not logged.
I. Auditing every operation with rsyslog produces a large volume of information that is inconvenient to consult later, so we choose to audit only sudo commands.
II. Use rpm -qa to check whether the packages are installed; if they are not, install them with yum install xxxx -y.
    # rpm -qa | grep sudo
    sudo-1.8.6p3-25.el6_8.x86_64
    # rpm -qa | grep rsyslog
    rsyslog-5.8.10-10.el6_6.x86_64
III. Check the current server environment
    # cat /etc/redhat-release
    CentOS release 6.8 (Final)
    # uname -r
    2.6.32-642.6.2.el6.x86_64
IV. Configure rsyslog.conf
    # echo "local2.debug /var/log/sudo.log" >> /etc/rsyslog.conf
    # tail -1 /etc/rsyslog.conf
    local2.debug /var/log/sudo.log
V. Configure /etc/sudoers
    # echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
    # tail -1 /etc/sudoers
    Defaults logfile=/var/log/sudo.log
VI. Restart the rsyslog service
    # /etc/init.d/rsyslog restart
    Shutting down system logger:    [  OK  ]
    Starting system logger:         [  OK  ]
VII. Switch to a normal user and run some commands
    # su - yangya
    $ pwd
    /home/yangya
    $ touch aaaa.py
    $ sudo ls
    123.txt  aaaa.py
    $ cat aaaa.py
    $ cat /var/log/sudo.log
    cat: /var/log/sudo.log: Permission denied
VIII. Use sudo to check whether sudo.log contains the actions above
    $ sudo cat /var/log/sudo.log
    May 18 09:53:51 : yangya : TTY=pts/1 ; PWD=/home/yangya ; USER=root ; COMMAND=/bin/ls
    May 18 09:54:04 : yangya : TTY=pts/1 ; PWD=/home/yangya ; USER=root ; COMMAND=/bin/cat /var/log/sudo.log
    May 18 09:55:02 : yangya : TTY=pts/1 ; PWD=/home/yangya ; USER=root ; COMMAND=/bin/su -
    May 18 10:06:18 : yangya : TTY=pts/1 ; PWD=/home/yangya ; USER=root ; COMMAND=/bin/ls
    May 18 10:07:31 : yangya : TTY=pts/1 ; PWD=/home/yangya ; USER=root ; COMMAND=/bin/cat /var/log/sudo.log
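The log lines above, run through a small review script: an added example, not code from the original post. It parses the format sudo writes with Defaults logfile= and flags the entries a defender would want to see, such as the sudo su - line, after which commands run in the root shell are no longer recorded in sudo.log; SAMPLE_LOG is a constructed sample used when /var/log/sudo.log is not readable.

```shell
#!/bin/sh
# Added example, not from the original post: parse the format sudo writes
# with "Defaults logfile=..." and flag entries a reviewer should look at:
#   SHELL - sudo launched a shell (e.g. /bin/su -); commands run inside that
#           shell are NOT recorded in sudo.log, so the trail ends here
#   LOGRW - the command names the audit log itself (read or possible tamper)
# The log path matches the post; SAMPLE_LOG is a constructed sample.

SUDO_LOG="${SUDO_LOG:-/var/log/sudo.log}"

SAMPLE_LOG='May 18 09:53:51 : yangya : TTY=pts/1 ; PWD=/home/yangya ; USER=root ; COMMAND=/bin/ls
May 18 09:54:04 : yangya : TTY=pts/1 ; PWD=/home/yangya ; USER=root ; COMMAND=/bin/cat /var/log/sudo.log
May 18 09:55:02 : yangya : TTY=pts/1 ; PWD=/home/yangya ; USER=root ; COMMAND=/bin/su -
May 18 10:06:18 : yangya : TTY=pts/1 ; PWD=/home/yangya ; USER=root ; COMMAND=/bin/ls'

# sudo_review FILE  ("-" reads stdin)
# Prints "user -> target : command [FLAG]" for every entry.
sudo_review() {
    awk -F' ; ' -v auditlog="$SUDO_LOG" '
    {
        # $1 is "May 18 09:53:51 : yangya : TTY=pts/1": split on " : "
        n = split($1, head, " : ")
        if (n < 3) { printf "unparsed: %s\n", $0; next }
        user = head[2]; target = ""; cmd = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^USER=/)    target = substr($i, 6)
            if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
        }
        flag = "ok"
        if (cmd ~ /^(\/usr)?\/bin\/(su|sh|bash|dash)( |$)/) flag = "SHELL"
        else if (index(cmd, auditlog) > 0)                  flag = "LOGRW"
        printf "%s -> %s : %s [%s]\n", user, target, cmd, flag
    }' "$1"
}

# count_flag FLAG FILE : number of entries carrying FLAG
count_flag() {
    sudo_review "$2" | grep -c "\[$1\]"
}

if [ -r "$SUDO_LOG" ]; then
    sudo_review "$SUDO_LOG"
else
    # not root / no audit log on this host: run on the constructed sample
    printf '%s\n' "$SAMPLE_LOG" | sudo_review -
fi
```

Note that with Defaults logfile= sudo writes /var/log/sudo.log itself; the local2.debug rule in rsyslog.conf only receives entries if sudoers also sets Defaults syslog=local2. A user with full sudo rights can also edit or truncate this local file, which is why the copy to a separate log server mentioned in the summary matters.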
Summary:
Simply configure the rsyslog service and /etc/sudoers to log the sudo commands users run.
Logs can be backed up regularly to a designated log backup server for later review and analysis.
This article is from the "richylu____ Rurei" blog, be sure to keep this source http://richylu.blog.51cto.com/1481674/1926905
Linux 6.8 sudo log audit