Linux log audit project case (production environment log audit solution)
Log auditing records every system and related user action, and the records can be analysed, processed and displayed automatically (as text or as session recordings).
Recommended method: use sudo together with the syslog service for log auditing (little noise, good results).
1. Install sudo and the syslog service (on CentOS 6.4 and later it is the rsyslog service)
Check whether sudo and syslog are installed. rpm -qa takes glob patterns, not "a|b" alternation, so filter its output with egrep:
[root@nginx_back ~]# rpm -qa | egrep "sudo|syslog"
rsyslog-5.8.10-8.el6.x86_64
sudo-1.8.6p3-15.el6.x86_64
If either package is missing, install it with yum (yum install -y sudo rsyslog).
2. Configure /etc/sudoers
Append the line Defaults logfile=/var/log/sudo.log to /etc/sudoers (the quotation marks below are only for echo). Use >>, not >: a single > truncates /etc/sudoers and leaves nobody able to sudo.
[root@nginx_back ~]# echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
[root@nginx_back ~]# tail /etc/sudoers
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
Defaults logfile=/var/log/sudo.log
[root@nginx_back ~]# tail -1 /etc/sudoers
Defaults logfile=/var/log/sudo.log
[root@nginx_back ~]# visudo -c    # check the sudoers file syntax
/etc/sudoers: parsed OK
3. Configure the system log: /etc/syslog.conf
Append a local2.debug rule to /etc/syslog.conf (CentOS 5.8). Again use >>; a single > would overwrite the whole file.
[root@nginx_back ~]# echo "local2.debug /var/log/sudo.log" >> /etc/syslog.conf
[root@nginx_back ~]# tail -1 /etc/syslog.conf
local2.debug /var/log/sudo.log
Tip: on CentOS 6.4 the file is /etc/rsyslog.conf
[root@nginx_back ~]# echo "local2.debug /var/log/sudo.log" >> /etc/rsyslog.conf
[root@nginx_back ~]# tail -1 /etc/rsyslog.conf
local2.debug /var/log/sudo.log
Note: sudo writes /var/log/sudo.log itself because of the Defaults logfile line; syslog is not involved in that file. The local2 rule only receives anything if sudoers also sets "Defaults syslog=local2", since sudo's default syslog facility is authpriv (on CentOS those messages already land in /var/log/secure).
4. Restart the syslog or rsyslog service
/etc/init.d/syslog restart    (CentOS 5.8)
/etc/init.d/rsyslog restart   (CentOS 6.4)
[root@nginx_back ~]# /etc/init.d/rsyslog restart
Shutting down system logger:    [  OK  ]
Starting system logger:         [  OK  ]
[root@nginx_back ~]# ll /var/log/sudo.log
-rw------- 1 root 0 Jun 23 /var/log/sudo.log
5. Test the sudo log audit configuration
[root@nginx_back ~]# whoami
root
[root@nginx_back ~]# su - ci001
-bash: warning: setlocale: LC_CTYPE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_COLLATE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_MESSAGES: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_NUMERIC: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory
Welcome to oldboy linux training from /etc/profile.d
[ci001@nginx_back ~]$ sudo -l
[sudo] password for ci001:
Sorry, user ci001 may not run sudo on nginx_back.
[ci001@nginx_back ~]$ sudo useradd dddd
[sudo] password for ci001:
ci001 is not in the sudoers file.  This incident will be reported.
[ci001@nginx_back ~]$ logout
[root@nginx_back ~]# ll /var/log/sudo.log
-rw------- 1 root 232 Jun 23 23:21 /var/log/sudo.log
[root@nginx_back ~]# cat /var/log/sudo.log
Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=list
Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=/usr/sbin/useradd dddd
[root@nginx_back ~]# su - php001
-bash: warning: setlocale: LC_CTYPE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_COLLATE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_MESSAGES: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_NUMERIC: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory
Welcome to oldboy linux training from /etc/profile.d
[php001@nginx_back ~]$ whoami
php001
[php001@nginx_back ~]$ sudo su -
[sudo] password for php001:
Sorry, try again.
[sudo] password for php001:
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ sudo echo "php001 ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers
-bash: /etc/sudoers: Permission denied
(The redirection is performed by php001's own shell before sudo is started, so it fails on the file permissions and sudo never sees the attempt; that is why no entry for it appears in the log below.)
[php001@nginx_back ~]$ sudo vi /etc/sudoers
[sudo] password for php001:
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ sudo mongodo
[sudo] password for php001:
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ logout
[root@nginx_back ~]# cat /var/log/sudo.log
Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=list
Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=/usr/sbin/useradd dddd
Jun 23 23:26:56 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/su -
Jun 23 23:28:55 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/vi /etc/sudoers
Jun 23 23:29:18 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/usr/sbin/mongodo
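The log above is what an auditor has to read, and its wrapped lines are the part that trips up naive grep-based detection: sudo breaks entries longer than loglinelen (80 columns by default) and indents the continuation, so the COMMAND= field is usually on a different line from the user name. The script below is an added example, not part of the article; it rejoins wrapped entries and then reports only the denied attempts. The sample log is constructed to match the format shown in step 5 (the oldboy entry, an allowed command, is made up to show the negative case).

```bash
#!/bin/sh
# Added example (not from the article): pick the denied attempts out of a sudo
# logfile written by "Defaults logfile=...".  The sample below is constructed to
# match the format shown in step 5; it is not a real capture.  sudo wraps entries
# longer than "loglinelen" (80 columns by default), so a line that starts with
# whitespace is the continuation of the entry above it and must be rejoined first.

SAMPLE_LOG="$(cat <<'EOF'
Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=list
Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=/usr/sbin/useradd dddd
Jun 23 23:25:01 : oldboy : TTY=pts/1 ; PWD=/home/oldboy ; USER=root ;
    COMMAND=/bin/ls /root
Jun 23 23:26:56 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/su -
EOF
)"

# join_wrapped: glue continuation lines (leading whitespace) back onto their entry
join_wrapped() {
    awk '
        /^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# denied_attempts: one tab-separated "user reason command" line per entry that
# carries a denial reason; for an allowed command "TTY=" follows the user directly
denied_attempts() {
    join_wrapped | awk '
        {
            split($0, part, " ; ")               # fields are separated by " ; "
            split(part[1], head, " : ")          # "timestamp : user : reason-or-TTY"
            user = head[2]
            reason = (head[3] ~ /^TTY=/) ? "" : head[3]
            i = index($0, "COMMAND=")            # keep the whole command, even if it contains " ; "
            cmd = (i > 0) ? substr($0, i + 8) : ""
            if (reason != "") printf "%s\t%s\t%s\n", user, reason, cmd
        }
    '
}

# denied_users: distinct users with at least one denied attempt, space separated
denied_users() {
    denied_attempts | cut -f1 | sort -u | paste -sd ' ' -
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_LOG" | denied_attempts
```

Feed it the real file with cat /var/log/sudo.log | denied_attempts. If the log is shipped to a collector that indexes line by line, it is simpler to stop the wrapping at the source with Defaults loglinelen=0 in sudoers, which makes every entry a single line.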
6. Centralized log management
1) rsync + inotify, or a scheduled task + rsync, pushing the file to the log management server under a name such as 10.0.0.7_20120309.sudo.log
2) Let the syslog service forward it
[root@MySQL-A ~]# echo "10.0.20.4 logserver" >> /etc/hosts    # log server address
[root@MySQL-A ~]# echo "*.info @logserver" >> /etc/syslog.conf    # <=== suitable for pushing all logs (append with >>, never >)
A single @ forwards over UDP port 514, unacknowledged and in clear text; rsyslog also accepts @@host for TCP, which at least does not silently drop messages when the collector is down.
3) Log collection solutions: Scribe, Flume, Logstash and Storm
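Steps 2 to 4 edit /etc/sudoers and the syslog configuration in place with echo, and step 6 adds the forwarding rule the same way; one mistyped > truncates the file. The script below is an added example, not part of the article, that builds the same settings as drop-in files, validates the sudoers part before activating it, and forwards the syslog copy to the central host. Assumptions the article does not make: a drop-in under /etc/sudoers.d (the #includedir line in step 2 enables it), "Defaults syslog=local2" so the local2 rule really receives sudo's messages, and the host name logserver from step 6 (hypothetical). Everything is written below a caller-supplied root directory so it can be tried in a scratch directory first.

```bash
#!/bin/sh
# Added example, not part of the article: build the sudo audit settings from steps 2-4
# and the forwarding rule from step 6 as drop-in files, validate the sudoers part, and
# only then put it in place.  Everything is written under ROOT ($1) so the script can be
# exercised in a scratch directory; on a real host run it as root with ROOT=/.
#
# Assumptions the article does not make: a drop-in under /etc/sudoers.d instead of
# appending to /etc/sudoers (an accidental ">" instead of ">>" there truncates the
# file), and "Defaults syslog=local2" so that a local2 rsyslog rule really receives
# sudo's messages (sudo's compiled-in default facility is authpriv, not local2).

LOGSERVER="${LOGSERVER:-logserver}"   # assumed central log host, as in step 6

# sudoers_dropin_text: the Defaults lines; sudo writes the logfile itself and also
# sends a copy of every decision to syslog on facility local2
sudoers_dropin_text() {
    printf '%s\n' \
        'Defaults logfile=/var/log/sudo.log' \
        'Defaults syslog=local2'
}

# rsyslog_dropin_text: forward the syslog copy to the central host over TCP ("@@");
# a single "@" would be UDP, which silently drops messages when the host is unreachable
rsyslog_dropin_text() {
    printf '%s\n' "local2.*    @@${LOGSERVER}:514"
}

# check_sudoers_syntax FILE: ask visudo when it is installed; otherwise accept only
# comment, blank and Defaults lines, which is all this drop-in may contain
check_sudoers_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cqf "$1"
    else
        ! grep -vE '^(#|$|Defaults[ 	])' "$1" >/dev/null
    fi
}

# install_audit_config ROOT: write both drop-ins with the modes sudo and rsyslog expect,
# activating the sudoers file only after it has passed the syntax check
install_audit_config() {
    root="${1:?usage: install_audit_config ROOT}"
    sudoers_file="$root/etc/sudoers.d/10-audit"      # no "." in the name: sudo skips such drop-ins
    rsyslog_file="$root/etc/rsyslog.d/10-sudo.conf"  # rsyslog only reads *.conf from rsyslog.d
    mkdir -p "$root/etc/sudoers.d" "$root/etc/rsyslog.d"

    tmp="$sudoers_file.tmp"                          # the "." keeps sudo from reading it early
    sudoers_dropin_text > "$tmp"
    chmod 0440 "$tmp"                                # sudo rejects drop-ins writable by group or others
    if ! check_sudoers_syntax "$tmp"; then
        rm -f "$tmp"
        echo "sudoers drop-in rejected, nothing installed" >&2
        return 1
    fi
    mv "$tmp" "$sudoers_file"

    rsyslog_dropin_text > "$rsyslog_file"
    chmod 0644 "$rsyslog_file"
    echo "$sudoers_file"                             # restart rsyslog afterwards, as in step 4
}

# Stand-alone run into a scratch root
demo_root="$(mktemp -d)"
install_audit_config "$demo_root" >/dev/null && cat "$demo_root/etc/sudoers.d/10-audit" "$demo_root/etc/rsyslog.d/10-sudo.conf"
rm -rf "$demo_root"
```

The rsyslog rule forwards only local2, because with Defaults logfile sudo already keeps the local copy itself; sending local2 to /var/log/sudo.log as well, as the article's step 3 does, would write every entry twice.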