Linux Ops shared root account permissions Audit

Source: Internet
Author: User
Tags gettext sin syslog egrep

I. Application scenario
In small and medium-sized companies the different operations staff typically all log in to the servers with the shared root account, and there is no audit of who did what under that account. While nothing goes wrong this is fine; once something does, it is hard to trace the source.
This article shows how to compile a modified bash so that different clients logging in to the server as root have their commands logged together with the identity of the SSH key they used, and how this can be combined with the ELK log analysis system to collect the operation logs.
II. Environment
Server: CentOS 6.5 with the development tools group installed, SSH key authentication, SELinux off.
Clients: two machines, each generating its own key pair for logging in to the server.
III. Build and deploy
Operations on the server (192.168.30.72)
1. Download and unpack bash
[root@server ~]# wget http://ftp.www.11.qixoo.com/gnu/bash/bash-4.1.tar.gz
[root@server ~]# tar xvf bash-4.1.tar.gz
[root@server ~]# cd bash-4.1

2. First edit config-top.h (the two defines are around lines 94 and 104). C comments are written /* */, so remove only the comment markers around the defines, not the defines themselves. SSH_SOURCE_BASHRC makes bash read ~/.bashrc (and through it /etc/bashrc) when sshd starts it to run a single command, which the /etc/bashrc addition in section V relies on; SYSLOG_HISTORY enables the history-to-syslog code in bashhist.c. After the change the two lines read:
[root@server bash-4.1]# vim config-top.h
#define SSH_SOURCE_BASHRC
#define SYSLOG_HISTORY

3. Modify bashhist.c so that every command entered at the terminal is written to the system messages log in the format below, with the key name taken from the NAME_OF_KEY variable that the login script exports. Only the bash_syslog_history function (inside the #if defined (SYSLOG_HISTORY) block) changes; the modified function looks like this:
[root@server bash-4.1]# vim bashhist.c
# ... unchanged parts of the file omitted
void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];
  const char *p;

  /* NAME_OF_KEY is exported by /etc/checkuser.sh at login (section V); it names the SSH key used */
  p = getenv ("NAME_OF_KEY");
  if (p == 0)
    p = "unknown";		/* never hand a NULL pointer to %s */

  if (strlen (line) < SYSLOG_MAXLEN)
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d PPID=%d SID=%d USER=%s USER=%s CMD=%s",
	    getpid (), getppid (), getsid (getpid ()), current_user.user_name, p, line);
  else
    {
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d PPID=%d SID=%d USER=%s USER=%s CMD=%s",
	      getpid (), getppid (), getsid (getpid ()), current_user.user_name, p, trunc);
    }
}

4. Configure the installation prefix and build; the new bash is installed under /usr/local/bash_new
[root@server bash-4.1]# ./configure --prefix=/usr/local/bash_new
[root@server bash-4.1]# make && make install
...
if test "bash" = "gettext-tools"; then \
  /bin/sh /root/bash-4.1/./support/mkinstalldirs /usr/local/bash_new/share/gettext/po; \
  for file in Makefile.in.in remove-potcdate.sin quot.sed boldquot.sed en@quot.header en@boldquot.header insert-header.sin Rules-quot Makevars.template; do \
    /usr/bin/install -c -m 644 ./$file \
      /usr/local/bash_new/share/gettext/po/$file; \
  done; \
  for file in Makevars; do \
    rm -f /usr/local/bash_new/share/gettext/po/$file; \
  done; \
else \
  : ; \
fi
make[1]: Leaving directory `/root/bash-4.1/po'

5. After the build, append the new bash to /etc/shells and change the root user's login shell to the newly compiled shell.
[root@server bash-4.1]# echo "/usr/local/bash_new/bin/bash" >> /etc/shells
[root@server bash-4.1]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/usr/local/bash_new/bin/bash

[root@server bash-4.1]# vim /etc/passwd
root:x:0:0:root:/root:/usr/local/bash_new/bin/bash

6. Log the current root session out, log in again and check /var/log/messages; the commands you run are now recorded, as in the screenshot below.
[screenshot: /var/log/messages entries showing the recorded commands]

IV. Generating the SSH client keys
1. On client 1 (192.168.30.99), user Zhangsan:
[root@client1 ~]# ssh-keygen -t rsa -C "zhangsan@client1"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
c8:bd:5d:3b:a5:d9:6d:09:b6:5f:db:55:1d:43:96:3d zhangsan@client1
The key's randomart image is:
+--[RSA 2048]----+
| oo|
| oe.|
| o.|
|. O +|
| o S. O. o|
| o.. *o.o|
|.. =...=|
| ... =|
| o.|
+-----------------+

-C sets the key comment; this comment is also the key point for identifying who accessed the server at the end, because it is what the login script maps the key fingerprint to.
2. Upload the public key to the .ssh/authorized_keys file on the server. ssh-copy-id creates .ssh/authorized_keys on the server automatically, even if the directory does not exist yet, and sets its permissions to 600.
[root@client1 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.30.72
root@192.168.30.72's password:
Now try logging into the machine, with "ssh 'root@192.168.30.72'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

3. Do the same on client 2 (192.168.30.71), user Lisi:
[root@client2 ~]# ssh-keygen -t rsa -C "lisi@client2"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
8f:56:66:91:0c:6e:86:3b:90:19:42:9c:ab:9e:00:f6 lisi@client2
The key's randomart image is:
+--[RSA 2048]----+
| oo ... | |
| o + O. |
|. +. + + |
| ... . + . |
|o. O S + |
|o E. * |
|o. O. |
| o. |
| |
+-----------------+

4. Upload the public key to the server
[root@client2 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.30.72
The authenticity of host '192.168.30.72 (192.168.30.72)' can't be established.
RSA key fingerprint is 8f:a7:1b:8d:e4:92:ad:ae:ea:1b:fb:67:0b:0b:7c:ac.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.30.72' (RSA) to the list of known hosts.
root@192.168.30.72's password:
Now try logging into the machine, with "ssh 'root@192.168.30.72'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

5. Now verify the file on the server (the key material below is as extracted from the original page and is not usable as-is)
[root@server ~]# cat ~/.ssh/authorized_keys
ssh-rsa Aaaab3nzac1yc2eaaaabiwaaaqea6fm+bpwep3luauvojmtb55uguzvvmesmhcw4rnz/c2e+kgxayuxuamebbmcxqqj7otaqvcq0pwja58wreyz7etiugatvosbmsbptpxtebml40kdn4gdmxq9ut/jnq9gszuqyjlmljgwjks9s4xui2cz7oiytclrsunkuoa1u6+luijwju9z7ya5oxh5fmmjqfnytaeihrlt4s8ru5s00c0jiqcrk3rflhync0ir02mxmh7d9bq7l04heact/y1ebs3ewinx8r0y6oridjjpcwxnm1ssfmkvlabq/b+ufdjeop7y2satl3qxaip7nxdnhoj4+xar0zcoyi2a9orgguq== zhangsan@client1
ssh-rsa Aaaab3nzac1yc2eaaaabiwaaaqeaupgsgxowpqfzovkhxyqn2bjmiayafrdks6wam3xgpmyrjzbifx14knr4cbrqtbuk8yonzpydxg589blfmqf17supcneqzejcner+yzdu+hyg/jan4dcvttbqutbstyuhshir0srruj9kehngu9adrok8nulmui/9ej0njzsbq2npvncf0yhgad/on5vsbyvlpvat/cg3mucjg5mgtu59qgahylkxkfpvc0/trz4eamx/1v0dscxx9oydbpn4yklbaoaas4kf6qedrwrh0ssywtwoo/cdyflxkgwdbptpfwz63sm7wy7batcdxxu/qdkyvp+4odfatmxxzly2bt5qmq== lisi@client2

6. Both clients can now log in to the server without a password. Next, configure the server and create the detection script.
V. Configure the server
1. Create a keys file under the log directory. At login the public keys from authorized_keys are copied there, and the script later reads them back to map fingerprints to key names.
[root@server ~]# touch /var/log/keys

2. Create the detection script with the following content:
[root@server ~]# cat /etc/checkuser.sh
#!/bin/bash
#coding: utf-8
PID=$PPID
# Collect every key in this account's authorized_keys; append any key not yet present to /var/log/keys
while read line
do
    grep "$line" /var/log/keys >/dev/null || echo "$line" >>/var/log/keys
done < $HOME/.ssh/authorized_keys
# Compute the fingerprint of each key and store "<fingerprint> <comment>" in /var/log/ssh_key_fing
cat /var/log/keys | while read LINE
do
    NAME=$(echo $LINE | awk '{print $3}')        # field 3 of an authorized_keys line is the -C comment
    echo $LINE >/tmp/keys.log.$PID
    KEY=$(ssh-keygen -l -f /tmp/keys.log.$PID | awk '{print $2}')   # field 2 of "ssh-keygen -l" output is the fingerprint
    grep "$KEY $NAME" /var/log/ssh_key_fing >/dev/null || echo "$KEY $NAME" >>/var/log/ssh_key_fing
done
# For root, the "Found matching RSA key" line in /var/log/secure carries our parent sshd PID directly
if [ $UID == 0 ]
then
    ppid=$PPID
else
    # For a non-root user the fingerprint was logged by a different sshd process; look its PID up with ps
    ppid=`/bin/ps -ef | grep $PPID | grep 'sshd:' | awk '{print $2}'`
fi
# Derive RSA_KEY and NAME_OF_KEY; the patched bash 4.1 reads NAME_OF_KEY when it logs history
RSA_KEY=`/bin/egrep "Found matching RSA key" /var/log/secure | /bin/egrep "$ppid" | /bin/awk '{print $NF}' | tail -1`
if [ -n "$RSA_KEY" ];then
    NAME_OF_KEY=`/bin/egrep "$RSA_KEY" /var/log/ssh_key_fing | /bin/awk '{print $NF}'`
fi
# Make NAME_OF_KEY read-only so the session cannot change its own attribution, then export it for bash
readonly NAME_OF_KEY
export NAME_OF_KEY
/bin/rm /tmp/keys.log.$PID
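The heart of the script is the lookup from sshd's "Found matching RSA key" line to a key name. The example below is added here and is not code from the original article: it reimplements that lookup over constructed sample data (an excerpt in the layout of /var/log/secure, PIDs, and a fingerprint-to-name map in the same two-column layout as /var/log/ssh_key_fing; the key names zhangsan@client1 and lisi@client2 and the 00:11:... fingerprint are made up) and matches the exact sshd[PID] tag instead of the PID as a bare substring, which a plain grep "$ppid" would also find inside longer PIDs such as 21017 when looking for 2101. It also reports separately the two failure modes an auditor has to notice: no key line for the session at all, and a fingerprint that is not in the map (a key that reached authorized_keys without passing through the script).

```shell
#!/bin/bash
# Added example, not code from the original article: attribute an SSH login to a
# key name from sshd's "Found matching RSA key" lines, the way /etc/checkuser.sh
# does, but matching the exact "sshd[PID]:" tag. All log lines, PIDs and the
# fingerprint-to-name map below are constructed sample data.

# Write a constructed /var/log/secure excerpt and a constructed
# fingerprint-to-name map (same two-column layout as /var/log/ssh_key_fing).
make_sample_data() {
    d=$(mktemp -d)
    cat >"$d/secure" <<'EOF'
Mar  3 10:01:02 server sshd[2101]: debug1: trying public key file /root/.ssh/authorized_keys
Mar  3 10:01:02 server sshd[2101]: Found matching RSA key: c8:bd:5d:3b:a5:d9:6d:09:b6:5f:db:55:1d:43:96:3d
Mar  3 10:01:02 server sshd[2101]: Accepted publickey for root from 192.168.30.99 port 50122 ssh2
Mar  3 10:05:40 server sshd[21017]: Found matching RSA key: 8f:56:66:91:0c:6e:86:3b:90:19:42:9c:ab:9e:00:f6
Mar  3 10:05:40 server sshd[21017]: Accepted publickey for root from 192.168.30.71 port 41870 ssh2
Mar  3 10:09:13 server sshd[21300]: Found matching RSA key: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
EOF
    cat >"$d/ssh_key_fing" <<'EOF'
c8:bd:5d:3b:a5:d9:6d:09:b6:5f:db:55:1d:43:96:3d zhangsan@client1
8f:56:66:91:0c:6e:86:3b:90:19:42:9c:ab:9e:00:f6 lisi@client2
EOF
    echo "$d"
}

# naive_matches <secure_log> <pid>
# Count the key lines whose text merely contains the PID digits somewhere;
# this is what an unanchored grep "$ppid" sees (2101 also hits sshd[21017]).
naive_matches() {
    grep "Found matching RSA key" "$1" | grep -c "$2"
}

# resolve_key_name <secure_log> <fingerprint_map> <sshd_pid>
# Prints the key name. Exit 1 if there is no key line for that exact sshd PID,
# exit 2 if the fingerprint is not in the map (a key that was added to
# authorized_keys without going through the login script).
resolve_key_name() {
    fp=$(grep "sshd\[$3\]: Found matching RSA key" "$1" | awk '{print $NF}' | tail -n 1)
    if [ -z "$fp" ]; then echo "unknown"; return 1; fi
    name=$(awk -v f="$fp" '$1 == f {print $2}' "$2")
    if [ -z "$name" ]; then echo "unmapped:$fp"; return 2; fi
    echo "$name"
}

# Demonstration on the constructed data.
dir=$(make_sample_data)
echo "unanchored grep for 2101 matches $(naive_matches "$dir/secure" 2101) key lines"
for p in 2101 21017 21300 4242; do
    echo "sshd[$p] -> $(resolve_key_name "$dir/secure" "$dir/ssh_key_fing" "$p")"
done
```

The map uses the MD5 colon-separated fingerprints that ssh-keygen -l prints on CentOS 6. On OpenSSH 6.8 and later ssh-keygen prints SHA256 fingerprints by default (ssh-keygen -l -E md5 restores the old form), and the "Accepted publickey" line at the default log level already carries the key fingerprint, so the map and the grep pattern have to be built to match whichever form the running sshd writes.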

3. Add the following line at the end of /etc/profile so the script runs at every login:
[root@server ~]# echo "test -f /etc/checkuser.sh && . /etc/checkuser.sh" >> /etc/profile
4. Add the following at the end of /etc/bashrc. It covers commands run non-interactively (ssh host 'command'), where bash sets BASH_EXECUTION_STRING but records no interactive history; SSH_SOURCE_BASHRC from step III.2 is what makes bash read /etc/bashrc in that case:
[root@server ~]# tail -1 /etc/bashrc
test -z "$BASH_EXECUTION_STRING" || { test -f /etc/checkuser.sh && . /etc/checkuser.sh; logger -t -bash -s "HISTORY $SSH_CLIENT USER=$NAME_OF_KEY CMD=$BASH_EXECUTION_STRING" >/dev/null 2>&1; }

5. Modify the sshd configuration to raise the log level to DEBUG, then restart sshd. The "Found matching RSA key" line the script relies on is not written at the default INFO level (LogLevel VERBOSE also produces it and is less noisy than DEBUG).
[root@server ~]# sed -i 's/#LogLevel INFO/LogLevel DEBUG/g' /etc/ssh/sshd_config
[root@server ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

VI. Verification
1. Log in from client 1 (Zhangsan) and delete some files; the commands appear in /var/log/messages attributed to that key, as in the screenshot below.

[screenshot: /var/log/messages entries attributing the delete commands to Zhangsan's key]
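To check what this setup actually writes to /var/log/messages, the following added example (not part of the original article) parses the HISTORY records from both sources, the patched bash_syslog_history() lines with their two USER= fields (Unix user, then NAME_OF_KEY) and the logger line from /etc/bashrc for non-interactive commands, counts commands per key name, and lists commands that ran with no key attribution, which is the case an auditor most needs to see. The log lines, PIDs, commands and the key names zhangsan@client1 / lisi@client2 are constructed sample data, and the "-bash" syslog tag is an assumption.

```shell
#!/bin/bash
# Added example, not from the original article: summarise the bash HISTORY
# records written to syslog per SSH key name, and list commands whose key
# attribution is missing. The log lines below are constructed sample data in
# the layout of the modified bash_syslog_history() format string and of the
# logger call in /etc/bashrc; the "-bash" tag is an assumption.

make_sample_messages() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Mar  3 10:01:10 server -bash: HISTORY: PID=2105 PPID=2101 SID=2105 USER=root USER=zhangsan@client1 CMD=cd /data
Mar  3 10:01:15 server -bash: HISTORY: PID=2105 PPID=2101 SID=2105 USER=root USER=zhangsan@client1 CMD=rm -rf /data/old_backup
Mar  3 10:05:50 server -bash: HISTORY: PID=21020 PPID=21017 SID=21020 USER=root USER=lisi@client2 CMD=cat /etc/passwd
Mar  3 10:06:10 server -bash: HISTORY (TRUNCATED): PID=21020 PPID=21017 SID=21020 USER=root USER=lisi@client2 CMD=for h in $(cat hosts); do ssh $h uptime
Mar  3 10:07:02 server -bash: HISTORY: PID=21300 PPID=21290 SID=21300 USER=root USER= CMD=ls
Mar  3 10:07:30 server kernel: eth0: link up
Mar  3 10:08:00 server -bash: HISTORY 192.168.30.71 41990 22 USER=lisi@client2 CMD=df -h
EOF
    echo "$f"
}

# parse_history <messages_file>
# Emits one "<key-name><TAB><command>" line per HISTORY record and ignores
# unrelated syslog lines. Matching runs on a lowercased copy so the field
# labels may be written in either case; the last USER= before CMD= is the key
# name, which covers both the two-field bash format and the logger format.
parse_history() {
    awk '{
        l = tolower($0)
        if (l !~ /history/) next
        if (!match(l, /user=[^ ]* cmd=/)) next
        split(substr($0, RSTART, RLENGTH), a, " ")   # a[1] is the USER= key field
        print substr(a[1], 6) "\t" substr($0, RSTART + RLENGTH)
    }' "$1"
}

# history_by_key <messages_file>: command count per key name; records with
# no NAME_OF_KEY (empty, "(null)" or "unknown") are grouped as UNATTRIBUTED.
history_by_key() {
    parse_history "$1" | awk -F'\t' '
        { n = $1; if (n == "" || n == "(null)" || n == "unknown") n = "UNATTRIBUTED"; c[n]++ }
        END { for (k in c) print k, c[k] }' | LC_ALL=C sort
}

# unattributed_commands <messages_file>: commands that ran without a resolved key.
unattributed_commands() {
    parse_history "$1" | awk -F'\t' '$1 == "" || $1 == "(null)" || $1 == "unknown" { print $2 }'
}

# Demonstration on the constructed data.
f=$(make_sample_messages)
history_by_key "$f"
echo "--- commands with no key attribution:"
unattributed_commands "$f"
rm -f "$f"
```

An UNATTRIBUTED entry means a root session ran with NAME_OF_KEY unset: a login that bypassed /etc/profile, a key whose fingerprint was not in /var/log/ssh_key_fing, or a session started before sshd logged at the required level. Those are the records to investigate first, because the whole point of the setup is that every root command carries a key name.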
