Linux Ops: auditing the use of a shared root account
http://mp.weixin.qq.com/s?__biz=MzA3OTgyMDcwNg==&mid=2650626177&idx=1&sn=8269a9debb9da7bde1765bce284e8b6e&chksm=87a45a4cb0d3d35ab1d3a8ee522ea01a527db6f287e2c63bf577f16e8b0131b28d7e0aa1c324&mpshare=1&scene=23&srcid=110447eedck6iflsskqfmryo#rd
2016-11-04 Marco Linux operations

I. Application scenario

In small and medium-sized companies the various operations staff all manage the servers by logging in with the root account, and there is no system for auditing what each person did. As long as nothing goes wrong this is fine; once something breaks, it is hard to trace the source. This post shows how to compile a patched bash so that different clients, all logging in as root, get their operations recorded under their own identity, and how those records can then be collected with an ELK log analysis system.

II. Environment

Server: CentOS 6.5, development tools installed, key-based authentication, SELinux disabled.
Clients: two machines, each generating its own key pair for logging in to the server.

III. Build and deploy on the server (192.168.30.72)

1. Download and unpack bash
[root@server ~]# wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
[root@server ~]# tar xvf bash-4.1.tar.gz
[root@server ~]# cd bash-4.1
2. First edit config-top.h, around lines 94 and 104. Both options are wrapped in C /* */ comments by default, so remove only the comment markers and not the lines themselves. After the change the two lines read:
[root@server bash-4.1]# vim config-top.h
#define SSH_SOURCE_BASHRC
#define SYSLOG_HISTORY
3. Edit bashhist.c so that every command typed at the terminal is logged to the system messages log in the specified format, including the key name handed over through the environment. The modified function is:
[root@server bash-4.1]# vim bashhist.c
/* ... unchanged parts of the file omitted ... */
void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];
  const char *p;

  /* NAME_OF_KEY is exported by /etc/checkuser.sh at login and carries the
     comment of the SSH public key the session authenticated with. */
  p = getenv ("NAME_OF_KEY");
  if (p == 0)
    p = "unknown";   /* not a key login, or the fingerprint was not mapped */

  if (strlen (line) < SYSLOG_MAXLEN)
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL,
            "history: pid=%d ppid=%d sid=%d user=%s user=%s cmd=%s",
            getpid (), getppid (), getsid (getpid ()), current_user.user_name, p, line);
  else
    {
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL,
              "history (truncated): pid=%d ppid=%d sid=%d user=%s user=%s cmd=%s",
              getpid (), getppid (), getsid (getpid ()), current_user.user_name, p, trunc);
    }
}
4. Configure the installation path, then compile and install into /usr/local/bash_new
[root@server bash-4.1]# ./configure --prefix=/usr/local/bash_new
[root@server bash-4.1]# make && make install
...
if test "bash" = "gettext-tools"; then \
  /bin/sh /root/bash-4.1/./support/mkinstalldirs /usr/local/bash_new/share/gettext/po; \
  for file in Makefile.in.in remove-potcdate.sin quot.sed boldquot.sed en@quot.header en@boldquot.header insert-header.sin Rules-quot Makevars.template; do \
    /usr/bin/install -c -m 644 ./$file \
      /usr/local/bash_new/share/gettext/po/$file; \
  done; \
  for file in Makevars; do \
    rm -f /usr/local/bash_new/share/gettext/po/$file; \
  done; \
else \
  : ; \
fi
make[1]: Leaving directory `/root/bash-4.1/po'
5. After the build completes, append the new bash to /etc/shells and change the root user's login shell to the newly compiled shell
[root@server bash-4.1]# echo "/usr/local/bash_new/bin/bash" >>/etc/shells
[root@server bash-4.1]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/usr/local/bash_new/bin/bash
[root@server bash-4.1]# vim /etc/passwd
root:x:0:0:root:/root:/usr/local/bash_new/bin/bash
6. Log out of the current root session, log in again and check /var/log/messages: the commands run in the session are now recorded there.
IV. Generate the SSH keys on the clients

1. On client 1 (192.168.30.99), user zhangsan
[root@client1 ~]# ssh-keygen -t rsa -C "zhangsan@example.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
c8:bd:5d:3b:a5:d9:6d:09:b6:5f:db:55:1d:43:96:3d zhangsan@example.com
The key's randomart image is:
(randomart box omitted)
The -C comment is the key point: it is what finally identifies who accessed the server.
2. Upload the public key into .ssh/authorized_keys on the server. ssh-copy-id creates .ssh/authorized_keys on the server automatically, even if the directory does not yet exist, and gives the file mode 600.
[root@client1 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.30.72
root@192.168.30.72's password:
Now try logging into the machine, with "ssh 'root@192.168.30.72'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
3. The same steps on client 2 (192.168.30.71), user lisi
[root@client2 ~]# ssh-keygen -t rsa -C "lisi@example.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
8f:56:66:91:0c:6e:86:3b:90:19:42:9c:ab:9e:00:f6 lisi@example.com
The key's randomart image is:
(randomart box omitted)
4. Upload the public key to the server
[root@client2 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.30.72
The authenticity of host '192.168.30.72 (192.168.30.72)' can't be established.
RSA key fingerprint is 8f:a7:1b:8d:e4:92:ad:ae:ea:1b:fb:67:0b:0b:7c:ac.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.30.72' (RSA) to the list of known hosts.
root@192.168.30.72's password:
Now try logging into the machine, with "ssh 'root@192.168.30.72'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
5. Now go to the server and verify that both public keys are present in the file
[root@server ~]# cat ~/.ssh/authorized_keys
6. Both clients can now log in with their keys without a password. Next, configure the server and create the check script.

V. Configure the server

1. Create a keys file in the log directory; at login the public keys are recorded there and then looked up
[root@server ~]# touch /var/log/keys
2. Create the check script with the following content:
[root@server ~]# cat /etc/checkuser.sh
#!/bin/bash
#coding: utf-8
PID=$PPID
# Collect every key from the user's own authorized_keys; add it to /var/log/keys if it is not there yet
while read line
do
    grep "$line" /var/log/keys >/dev/null || echo "$line" >>/var/log/keys
done < $HOME/.ssh/authorized_keys
# Get the fingerprint of each key and record "fingerprint name" in /var/log/ssh_key_fing
cat /var/log/keys | while read LINE
do
    NAME=$(echo $LINE | awk '{print $3}')
    echo $LINE >/tmp/keys.log.$PID
    KEY=$(ssh-keygen -l -f /tmp/keys.log.$PID | awk '{print $2}')
    grep "$KEY $NAME" /var/log/ssh_key_fing >/dev/null || echo "$KEY $NAME" >>/var/log/ssh_key_fing
done
# For root, the secure log records the fingerprint under the shell's parent pid (the sshd process)
if [ "$UID" -eq 0 ]
then
    ppid=$PPID
else
    # For a non-root user the fingerprint is recorded under a different process: the parent of the "sshd:" child
    ppid=`/bin/ps -ef | grep $PPID | grep 'sshd:' | awk '{print $3}'`
fi
# Get RSA_KEY and NAME_OF_KEY; the patched bash 4.1 reads NAME_OF_KEY when it records history
RSA_KEY=`/bin/egrep 'Found matching RSA key' /var/log/secure | /bin/egrep "$ppid" | /bin/awk '{print $NF}' | tail -1`
if [ -n "$RSA_KEY" ]; then
    NAME_OF_KEY=`/bin/egrep "$RSA_KEY" /var/log/ssh_key_fing | /bin/awk '{print $NF}'`
fi
# Make NAME_OF_KEY read-only and export it to the shell
readonly NAME_OF_KEY
export NAME_OF_KEY
/bin/rm /tmp/keys.log.$PID
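As an added example (not from the original post), here is the fingerprint-to-name lookup that checkuser.sh performs, written so that it runs offline against constructed stand-ins for /var/log/secure and /var/log/ssh_key_fing. It matches the process as "sshd[<pid>]:" instead of grepping the bare number, so a short pid cannot match a longer one; the fingerprints are the two shown above, while the key comments, pids and log lines are constructed.

```bash
#!/bin/bash
# Added example, not part of the original post: resolve the SSH key name for one
# sshd session the way /etc/checkuser.sh does, but with an exact pid match.
# Constructed stand-ins for /var/log/ssh_key_fing and /var/log/secure so the
# example runs offline; the fingerprints are the two shown on this page.
KEY_FING_MAP='c8:bd:5d:3b:a5:d9:6d:09:b6:5f:db:55:1d:43:96:3d zhangsan@example.com
8f:56:66:91:0c:6e:86:3b:90:19:42:9c:ab:9e:00:f6 lisi@example.com'

SECURE_LOG='Nov  4 09:58:10 server sshd[2345]: Found matching RSA key: c8:bd:5d:3b:a5:d9:6d:09:b6:5f:db:55:1d:43:96:3d
Nov  4 09:58:10 server sshd[2345]: Accepted publickey for root from 192.168.30.99 port 50122 ssh2
Nov  4 10:02:31 server sshd[23450]: Found matching RSA key: 8f:56:66:91:0c:6e:86:3b:90:19:42:9c:ab:9e:00:f6
Nov  4 10:02:31 server sshd[23450]: Accepted publickey for root from 192.168.30.71 port 50130 ssh2
Nov  4 10:05:02 server sshd[2346]: Accepted password for root from 192.168.30.99 port 50140 ssh2'

# fingerprint_for_pid <sshd pid>: last "Found matching RSA key" fingerprint logged
# by exactly that sshd process (empty if none, e.g. a password login).
fingerprint_for_pid() {
    printf '%s\n' "$SECURE_LOG" | awk -v p="$1" '
        # "sshd[<pid>]:" is anchored so pid 2345 does not also match sshd[23450]
        $0 ~ ("sshd\\[" p "\\]: Found matching RSA key:") { fp = $NF }
        END { print fp }'
}

# name_for_pid <sshd pid>: key comment recorded for that session, or "unknown"
# when no key was matched or the fingerprint is not in the map.
name_for_pid() {
    local fp name
    fp=$(fingerprint_for_pid "$1")
    [ -n "$fp" ] || { echo unknown; return; }
    name=$(printf '%s\n' "$KEY_FING_MAP" | awk -v f="$fp" '$1 == f { print $2; exit }')
    echo "${name:-unknown}"
}

# Stand-alone run: show what each session resolves to.
for pid in 2345 23450 2346; do
    echo "sshd[$pid] -> $(name_for_pid "$pid")"
done
```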
3. Configure /etc/profile by adding one line at the end of the file:
[root@server ~]# echo "test -f /etc/checkuser.sh && . /etc/checkuser.sh" >>/etc/profile
4. Add the following line at the end of /etc/bashrc. It covers commands run non-interactively (ssh host 'command'), where bash sets BASH_EXECUTION_STRING and writes no history:
[root@server ~]# tail -1 /etc/bashrc
test -z "$BASH_EXECUTION_STRING" || { test -f /etc/checkuser.sh && . /etc/checkuser.sh; logger -t bash -s "history $SSH_CLIENT user=$NAME_OF_KEY cmd=$BASH_EXECUTION_STRING" >/dev/null 2>&1; }
5. Set the log level to DEBUG in the sshd configuration file and restart the sshd service; the "Found matching RSA key" line that the script looks up in /var/log/secure is only written at VERBOSE level or above.
[root@server ~]# sed -i 's/#LogLevel INFO/LogLevel DEBUG/g' /etc/ssh/sshd_config
[root@server ~]# service sshd restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]
VI. Verification

1. Log in from client 1 and delete a file (zhangsan).
2. Log in from client 2, delete a file, and run a command that restarts a service (lisi).
3. On the server, look at the messages log for the records of these sessions.
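As an added example (not from the original post), the following reads records in the format the patched bash writes to /var/log/messages and answers the two audit questions of this section: which commands a given key ran, and which sessions carry no key name at all (user=unknown, meaning a login that did not authenticate with a mapped key). The log lines are constructed; the cmd= field is split on its first occurrence so that a command which itself contains "cmd=" is kept whole.

```bash
#!/bin/bash
# Added example, not part of the original post: read the records the patched
# bash writes to syslog ("history: pid=... ppid=... sid=... user=<unix user>
# user=<NAME_OF_KEY> cmd=<command>") and report per key.
# Constructed sample of /var/log/messages lines.
MESSAGES='Nov  4 10:10:01 server -bash: history: pid=2400 ppid=2345 sid=2400 user=root user=zhangsan@example.com cmd=rm -f /tmp/test.txt
Nov  4 10:12:45 server -bash: history: pid=2500 ppid=23450 sid=2500 user=root user=lisi@example.com cmd=rm -f /tmp/test2.txt
Nov  4 10:12:52 server -bash: history: pid=2500 ppid=23450 sid=2500 user=root user=lisi@example.com cmd=service sshd restart
Nov  4 10:15:20 server -bash: history: pid=2600 ppid=2346 sid=2600 user=root user=unknown cmd=echo cmd=1 >/tmp/x'

# commands_for_key <key name>: every command recorded under that key, one per line.
commands_for_key() {
    printf '%s\n' "$MESSAGES" | awk -v k="$1" '
        index($0, " user=" k " cmd=") {
            # split on the FIRST " cmd=" so a command containing "cmd=" stays intact
            i = index($0, " cmd=")
            print substr($0, i + 5)
        }'
}

# count_for_key <key name>: number of records under that key.
count_for_key() {
    commands_for_key "$1" | awk 'END { print NR }'
}

# unmapped_sessions: distinct sshd parent pids whose records carry no key name
# (user=unknown): password logins or fingerprints missing from ssh_key_fing.
unmapped_sessions() {
    printf '%s\n' "$MESSAGES" | awk '
        index($0, " user=unknown cmd=") {
            for (i = 1; i <= NF; i++) if ($i ~ /^ppid=/) { sub(/^ppid=/, "", $i); seen[$i] = 1 }
        }
        END { for (p in seen) print p }' | sort
}

# Stand-alone run
for k in zhangsan@example.com lisi@example.com; do
    echo "$k ran $(count_for_key "$k") command(s):"
    commands_for_key "$k"
done
echo "sessions with no key name (ppid): $(unmapped_sessions | tr '\n' ' ')"
```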
From the log you can see, for each client that logged in with its own public key, who performed which operation and when.

VII. Conclusion

This approach largely solves the problem that operations by several people sharing the root login could not be audited. Combined with log forwarding, the system log can be sent to another server, so that even if the host is compromised, the login times and the actions that were performed can still be reviewed.