Linux Log Audit Project case scenario (production Environment Log Audit Project solution)

Source: Internet
Author: User
Tags: locale, system log, rsync, rsyslog

Log auditing means recording the activity of every system and the related user behaviour, and being able to analyse, process and display that information automatically (as text or as video).


Recommended method: sudo combined with the syslog service for log auditing (it records little, but gives good results).


1. Install the sudo command and the syslog service (on CentOS 6.4 and above the service is rsyslog)

[root@nginx_back ~]# rpm -qa | egrep "sudo|syslog"      # check whether sudo and syslog are installed
rsyslog-5.8.10-8.el6.x86_64
sudo-1.8.6p3-15.el6.x86_64

If they are not installed, install them with yum.


2. Configure /etc/sudoers

Add the line Defaults logfile=/var/log/sudo.log to /etc/sudoers (note: without the quotation marks).


[root@nginx_back ~]# echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
[root@nginx_back ~]# tail /etc/sudoers
## Allows members of the users group to mount and unmount the
## CDROM as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
Defaults logfile=/var/log/sudo.log
[root@nginx_back ~]# tail -1 /etc/sudoers
Defaults logfile=/var/log/sudo.log
[root@nginx_back ~]# visudo -c        # check the sudoers file syntax
/etc/sudoers: parsed OK


3. Configure the system log, /etc/syslog.conf

Add the line local2.debug /var/log/sudo.log to /etc/syslog.conf (CentOS 5.8). This rule only captures sudo's syslog messages if sudo is logging to the local2 facility (the Defaults syslog= setting in sudoers); the logfile line from step 2 writes to the same file directly in any case.

[root@nginx_back ~]# echo "local2.debug /var/log/sudo.log" >> /etc/syslog.conf
[root@nginx_back ~]# tail -1 /etc/syslog.conf
local2.debug /var/log/sudo.log

Tip: on CentOS 6.4 the path is /etc/rsyslog.conf

[root@nginx_back ~]# echo "local2.debug /var/log/sudo.log" >> /etc/rsyslog.conf
[root@nginx_back ~]# tail -1 /etc/rsyslog.conf
local2.debug /var/log/sudo.log


4. Restart the syslog or rsyslog system logger

/etc/init.d/syslog restart   (CentOS 5.8)
/etc/init.d/rsyslog restart  (CentOS 6.4)

[root@nginx_back ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [OK]
Starting system logger: [OK]
[root@nginx_back ~]# ll /var/log/sudo.log
-rw------- 1 root root 0 June 23:17 /var/log/sudo.log


5. Test the sudo log audit configuration

[root@nginx_back ~]# whoami
root
[root@nginx_back ~]# su - ci001
-bash: warning: setlocale: LC_CTYPE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_COLLATE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_MESSAGES: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_NUMERIC: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory
Welcome to Oldboy Linux Training from /etc/profile.d
[ci001@nginx_back ~]$ sudo -l
[sudo] password for ci001:
Sorry, user ci001 may not run sudo on nginx_back.
[ci001@nginx_back ~]$ sudo useradd dddd
[sudo] password for ci001:
ci001 is not in the sudoers file.  This incident will be reported.
[ci001@nginx_back ~]$ logout
[root@nginx_back ~]# ll /var/log/sudo.log
-rw------- 1 root root 232 June 23:21 /var/log/sudo.log
[root@nginx_back ~]# cat /var/log/sudo.log
June 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=list
June 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=/usr/sbin/useradd dddd


[root@nginx_back ~]# su - php001
-bash: warning: setlocale: LC_CTYPE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_COLLATE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_MESSAGES: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_NUMERIC: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory
Welcome to Oldboy Linux Training from /etc/profile.d
[php001@nginx_back ~]$ whoami
php001
[php001@nginx_back ~]$ sudo su -
[sudo] password for php001:
Sorry, try again.
[sudo] password for php001:
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ sudo echo "php001 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
-bash: /etc/sudoers: Permission denied
[php001@nginx_back ~]$ sudo vi /etc/sudoers
[sudo] password for php001:
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ sudo visudo
[sudo] password for php001:
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ logout
[root@nginx_back ~]# cat /var/log/sudo.log
June 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=list
June 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=/usr/sbin/useradd dddd
June 23:26:56 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/su -
June 23:28:55 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/vi /etc/sudoers
June 23:29:18 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/usr/sbin/visudo
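The /var/log/sudo.log entries above are what an auditor actually reads. The following is an added example, not code from the original post: it parses sudo's logfile format, re-joins the indented continuation lines sudo produces when it wraps an entry, and counts denied attempts per calling user so that repeated probing such as the php001 sequence stands out. The sample entries (and the day of month in them) are constructed.

```python
import re
from collections import Counter

# Constructed sample of /var/log/sudo.log in the format sudo writes when
# "Defaults logfile=" is set; sudo wraps long entries and indents the
# continuation with four spaces. The day of month (23) is invented.
SAMPLE_LOG = """\
Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=list
Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=/usr/sbin/useradd dddd
Jun 23 23:26:56 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/su -
Jun 23 23:30:02 : oldboy : TTY=pts/1 ; PWD=/home/oldboy ; USER=root ;
    COMMAND=/etc/init.d/rsyslog restart
"""

ENTRY_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) : (?P<caller>\S+) : (?P<rest>.*)$")

def join_entries(text):
    """Re-join wrapped entries: a line starting with whitespace continues the previous one."""
    entries = []
    for line in text.splitlines():
        if line[:1].isspace() and entries:
            entries[-1] += " " + line.strip()
        elif line.strip():
            entries.append(line.rstrip())
    return entries

def parse_entry(entry):
    """Return a dict for one entry, or None if the line is not in sudo's logfile format."""
    m = ENTRY_RE.match(entry)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "caller": m.group("caller"), "reason": None}
    for field in m.group("rest").split(" ; "):
        key, sep, value = field.partition("=")
        if sep:                      # TTY=, PWD=, USER= (target user), COMMAND=
            rec[key.strip().lower()] = value
        else:                        # free text is only present on denied attempts
            rec["reason"] = field.strip()
    return rec

def denied_summary(text, threshold=2):
    """Parse the log; return all records, denials per caller, and callers at or above threshold."""
    records = [r for r in map(parse_entry, join_entries(text)) if r]
    denied = Counter(r["caller"] for r in records if r["reason"])
    flagged = sorted(u for u, n in denied.items() if n >= threshold)
    return records, denied, flagged
```

Running denied_summary(SAMPLE_LOG) flags ci001 (two denials) while the oldboy entry, which carries no reason text, is counted as an allowed command.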


6. Centralized log management

1) rsync + inotify, or a scheduled task + rsync, to push the log to a log management server, named for example 10.0.0.7_20120309.sudo.log

2) Let the syslog service handle it

echo "10.0.2.164 logserver" >> /etc/hosts        # log server address
echo "*.info @logserver" >> /etc/syslog.conf     # <==== forwards all logs of priority info and above to the log server

A single @ forwards over UDP, which is unreliable and unencrypted; rsyslog also accepts @@ for TCP.

3) Log collection solutions: Scribe, Flume, Logstash, Storm


This article is from the "Lanzhou Linux operation and Maintenance" blog, please be sure to keep this source http://linuxzkq.blog.51cto.com/9379412/1664795
