Log audit means recording all system activity and the related user behaviour so that it can be automatically analysed, processed and displayed (as text or as a session recording).
Recommended method: sudo together with the syslog service for log audit (low volume of log data, good results).
1. Install the sudo command and the syslog service (CentOS 6.4 and later use the rsyslog service)
[root@nginx_back ~]# rpm -qa "sudo|syslog"      # check whether the sudo and syslog packages are installed
rsyslog-5.8.10-8.el6.x86_64
sudo-1.8.6p3-15.el6.x86_64
[root@nginx_back ~]# rpm -qa | egrep "sudo|syslog"
rsyslog-5.8.10-8.el6.x86_64
sudo-1.8.6p3-15.el6.x86_64
If they are not installed, install them with yum.
2. Configure /etc/sudoers
Add the line Defaults logfile=/var/log/sudo.log to /etc/sudoers (note: the quotation marks are not part of the line).
[root@nginx_back ~]# echo "Defaults logfile=/var/log/sudo.log" >>/etc/sudoers
[root@nginx_back ~]# tail /etc/sudoers
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
Defaults logfile=/var/log/sudo.log
[root@nginx_back ~]# tail -1 /etc/sudoers
Defaults logfile=/var/log/sudo.log
[root@nginx_back ~]# visudo -c      # check the syntax of the sudoers file
/etc/sudoers: parsed OK
3. Configure the system log, /etc/syslog.conf
Add the line local2.debug /var/log/sudo.log to /etc/syslog.conf (CentOS 5.8). Note that sudo only sends its messages to the local2 facility if sudoers also contains Defaults syslog=local2; by default sudo logs to syslog under the authpriv facility, and the entries written to /var/log/sudo.log come from the Defaults logfile line on its own.
[root@nginx_back ~]# echo "local2.debug /var/log/sudo.log" >>/etc/syslog.conf
[root@nginx_back ~]# tail -1 /etc/syslog.conf
local2.debug /var/log/sudo.log
Tip: on CentOS 6.4 the path is /etc/rsyslog.conf
[root@nginx_back ~]# echo "local2.debug /var/log/sudo.log" >>/etc/rsyslog.conf
[root@nginx_back ~]# tail -1 /etc/rsyslog.conf
local2.debug /var/log/sudo.log
4. Restart the syslog or rsyslog system logger
/etc/init.d/syslog restart (CentOS 5.8)
/etc/init.d/rsyslog restart (CentOS 6.4)
[root@nginx_back ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [OK]
Starting system logger: [OK]
[root@nginx_back ~]# ll /var/log/sudo.log
-rw------- 1 root root 0 June 23:17 /var/log/sudo.log
5. Test the result of the sudo log audit configuration
[root@nginx_back ~]# whoami
root
[root@nginx_back ~]# su - ci001
-bash: warning: setlocale: LC_CTYPE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_COLLATE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_MESSAGES: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_NUMERIC: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory
Welcome to Oldboy Linux Training from /etc/profile.d
[ci001@nginx_back ~]$ sudo -l
[sudo] password for ci001:
Sorry, user ci001 may not run sudo on nginx_back.
[ci001@nginx_back ~]$ sudo useradd dddd
[sudo] password for ci001:
ci001 is not in the sudoers file.  This incident will be reported.
[ci001@nginx_back ~]$ logout
[root@nginx_back ~]# ll /var/log/sudo.log
-rw------- 1 root root 232 June 23:21 /var/log/sudo.log
[root@nginx_back ~]# cat /var/log/sudo.log
June 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=list
June 23:21:17 : ci001 : user not in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=/usr/sbin/useradd dddd
[root@nginx_back ~]# su - php001
-bash: warning: setlocale: LC_CTYPE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_COLLATE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_MESSAGES: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_NUMERIC: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory
Welcome to Oldboy Linux Training from /etc/profile.d
[php001@nginx_back ~]$ whoami
php001
[php001@nginx_back ~]$ sudo su -
[sudo] password for php001:
Sorry, try again.
[sudo] password for php001:
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ sudo echo "php001 ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
-bash: /etc/sudoers: Permission denied
[php001@nginx_back ~]$ sudo vi /etc/sudoers
[sudo] password for php001:
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ sudo visudo
[sudo] password for php001:
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ logout
[root@nginx_back ~]# cat /var/log/sudo.log
June 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=list
June 23:21:17 : ci001 : user not in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=/usr/sbin/useradd dddd
June 23:26:56 : php001 : user not in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/su -
June 23:28:55 : php001 : user not in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/vi /etc/sudoers
June 23:29:18 : php001 : user not in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/usr/sbin/visudo
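A sudo.log that nobody reads audits nothing. As an added example (not code from the original post), the Python below parses the logfile format shown in step 5, where sudo wraps each entry onto an indented second line, and flags denied attempts to reach su, visudo or /etc/sudoers as well as any user who exceeds a denial threshold; the sample log is constructed by hand from the entries above plus one permitted command, and the watched programs and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout sudo writes for "Defaults logfile": the
# denials shown above (re-typed) plus one permitted command. sudo wraps each
# entry at 80 columns onto an indented continuation line.
SAMPLE_SUDO_LOG = """\
Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=list
Jun 23 23:26:56 : php001 : user not in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/su -
Jun 23 23:28:55 : php001 : user not in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/vi /etc/sudoers
Jun 23 23:29:18 : php001 : user not in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/usr/sbin/visudo
Jun 23 23:31:02 : ops001 : TTY=pts/1 ; PWD=/home/ops001 ; USER=root ;
    COMMAND=/bin/ls /root
"""
# Assumed watch list: a denied attempt at these, or at /etc/sudoers, is self-escalation.
SENSITIVE_PROGS = {"/usr/sbin/visudo", "/bin/su"}

def parse_log(text):
    """Re-join sudo's indented continuation lines, then split each entry into fields."""
    records = []
    for entry in filter(str.strip, re.sub(r"\n[ \t]+", " ", text).splitlines()):
        ts, user, rest = entry.split(" : ", 2)
        rec = {"time": ts, "user": user.strip(), "status": "allowed"}
        for field in (f.strip() for f in rest.split(" ; ")):
            if "=" in field:
                key, value = field.split("=", 1)
                rec[key] = value
            elif field:                        # bare field = sudo's denial reason
                rec["status"] = field
        records.append(rec)
    return records

def audit(text, threshold=3):
    """Return (all records, denied records, alert strings) for a sudo.log body."""
    records = parse_log(text)
    denied = [r for r in records if r["status"] != "allowed"]
    alerts = []
    for r in denied:
        cmd = r.get("COMMAND", "")
        if (cmd.split() or [""])[0] in SENSITIVE_PROGS or "/etc/sudoers" in cmd:
            alerts.append(f"{r['time']} {r['user']} tampering attempt: {cmd}")
    for user, n in Counter(r["user"] for r in denied).items():
        if n >= threshold:
            alerts.append(f"{user}: {n} denied sudo attempts (threshold {threshold})")
    return records, denied, alerts
```

Run it against the real file with audit(open("/var/log/sudo.log").read()) from a root cron job, or feed the alerts into whatever the log server in step 6 already monitors.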
6. Centralised log management
1) rsync + inotify, or a scheduled task + rsync, pushing the file to a log management server, named for example 10.0.0.7_20120309.sudo.log
2) Let the syslog service handle it
# echo "10.0.2.164 logserver" >>/etc/hosts       # address of the log server
# echo "*.info @logserver" >>/etc/syslog.conf    <<== forward all messages of priority info and above to the log server (a single @ means UDP port 514)
3) Log collection solutions: Scribe, Flume, Logstash, Storm
This article is from the "Lanzhou Linux Operation and Maintenance" blog; please keep this source: http://linuxzkq.blog.51cto.com/9379412/1664795
Linux log audit project case scenario (production environment log audit project solution)