Practical Linux project: sudo log audit
Even though sudo is used for permission management inside the enterprise, some risk remains. The technical level and operating habits of operations and development staff differ, and a momentary mistake can cause a misoperation that affects the running system.
Therefore the sudo log audit function is enabled to support management and later maintenance. Note that it records only commands run through sudo; other commands are not recorded.
I. Log audit solutions in the production environment
1. Audit all operation logs through syslog. This produces a very large volume of information and is impractical to review.
2. Use the sudo log together with the syslog service for log auditing.
3. Audit logs on a bastion host.
4. Install a bash monitor to record user operations.
II. Configure sudo log audit
1. Install the sudo and syslog services
[root@Centos ~]# rpm -qa | grep sudo
sudo-1.8.6p3-24.el6.x86_64
[root@Centos ~]# rpm -qa | grep rsyslog
rsyslog-5.8.10-10.el6_6.x86_64
Check whether both packages are installed. If not, install them with:
yum install sudo -y
yum install rsyslog -y
Note: CentOS 5.x uses syslog, CentOS 6.x uses rsyslog.
2. Configure the service
Create the log storage directory
[root@Centos ~]# mkdir -p /var/log/
View the server environment
[root@Centos ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Centos ~]# uname -r
2.6.32-431.el6.x86_64
The server runs CentOS 6.5, so the syslog configuration file is /etc/rsyslog.conf. Append the rule with ">>"; a single ">" would overwrite the whole configuration file.
[root@Centos ~]# echo "local2.debug /var/log/sudo.log" >> /etc/rsyslog.conf
View the configuration
[root@Centos ~]# tail -1 /etc/rsyslog.conf
local2.debug /var/log/sudo.log
If the server runs CentOS 5.x, the syslog configuration file is /etc/syslog.conf instead.
[root@Centos ~]# echo "local2.debug /var/log/sudo.log" >> /etc/syslog.conf
View the configuration
[root@Centos ~]# tail -1 /etc/syslog.conf
local2.debug /var/log/sudo.log
3. Configure /etc/sudoers
[root@Centos ~]# echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
[root@Centos ~]# tail -1 /etc/sudoers
Defaults logfile=/var/log/sudo.log
Append with ">>", never ">": overwriting /etc/sudoers breaks sudo for every user. Editing the file through visudo is safer, because it checks the syntax before saving.
4. Restart the service
[root@Centos ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [OK]
Starting system logger: [OK]
III. Test the log audit results
[root@Centos ~]# su - cjkaifa001
[cjkaifa001@Centos ~]$ pwd
/home/cjkaifa001
[cjkaifa001@Centos ~]$ touch 123.txt
[cjkaifa001@Centos ~]$ sudo ls
123.txt
[cjkaifa001@Centos ~]$ cat /var/log/sudo.log
cat: /var/log/sudo.log: Permission denied
Reading the file directly with cat fails with a permission error; it can be viewed after elevating with sudo:
[cjkaifa001@Centos ~]$ sudo cat /var/log/sudo.log
Sep 11 02:41:50 : cjkaifa001 : TTY=pts/1 ; PWD=/home/cjkaifa001 ; USER=root ;
    COMMAND=/bin/ls
Sep 11 02:44:57 : cjkaifa001 : TTY=pts/1 ; PWD=/home/cjkaifa001 ; USER=root ;
    COMMAND=/bin/cat /var/log/sudo.log
The test shows that the user's sudo operations are recorded normally, while the other commands (pwd, touch) are not.
Next, delete the log file and stop rsyslog to check what the sudoers setting alone records:
[root@Centos ~]# rm -rf /var/log/sudo.log
[root@Centos ~]# /etc/init.d/rsyslog stop
Shutting down system logger: [OK]
[root@Centos ~]# su - cjkaifa001
[cjkaifa001@Centos ~]$ cd /
[cjkaifa001@Centos /]$ pwd
/
[cjkaifa001@Centos /]$ ls /root
ls: cannot open directory /root: Permission denied
[cjkaifa001@Centos /]$ sudo ls /root
[sudo] password for cjkaifa001:
anaconda-ks.cfg dead.letter Downloads install.log.syslog Public Videos
Backup Desktop etc.tar.gz.2016 Music tar.gz.20160820
Data Documents install.log Pictures Templates
[cjkaifa001@Centos /]$ cat /var/log/sudo.log
cat: /var/log/sudo.log: Permission denied
[cjkaifa001@Centos /]$ sudo cat /var/log/sudo.log
[sudo] password for cjkaifa001:
Sep 11 03:24:39 : cjkaifa001 : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/ls
    /root
Sep 11 03:30:57 : cjkaifa001 : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/cat
    /var/log/sudo.log
This test shows that even with the rsyslog service stopped, the Defaults logfile setting in /etc/sudoers alone is enough to record the user's sudo privilege-elevation operations.
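To make the recorded entries usable for review, here is an added example (not from the original post) that parses the sudo.log format shown above, rejoins the wrapped entries, counts commands per user, separates denied attempts, and flags any sudo command that touches the audit log itself, which the tests above show a sudo user can read and root can delete. The sample lines are constructed from the entries on this page; the four-space indentation of wrapped lines follows sudo's default loglinelen wrapping, and the "command not allowed" entry is a constructed denial.

```python
import re
from collections import Counter

# Constructed sample in the format "Defaults logfile" writes (modelled on the
# entries shown on this page); wrapped entries continue on lines indented with
# four spaces, which is how sudo's default loglinelen wrapping looks. The
# "command not allowed" entry is a constructed denial, not from the page.
SAMPLE_LOG = """\
Sep 11 02:41:50 : cjkaifa001 : TTY=pts/1 ; PWD=/home/cjkaifa001 ; USER=root ;
    COMMAND=/bin/ls
Sep 11 02:44:57 : cjkaifa001 : TTY=pts/1 ; PWD=/home/cjkaifa001 ; USER=root ;
    COMMAND=/bin/cat /var/log/sudo.log
Sep 11 03:24:39 : cjkaifa001 : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/ls /root
Sep 11 03:31:02 : cjkaifa001 : command not allowed ; TTY=pts/1 ; PWD=/ ;
    USER=root ; COMMAND=/bin/rm /var/log/sudo.log
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) : (?P<user>\S+) : (?P<rest>.*)$")

def join_wrapped(text):
    """Merge sudo's indented continuation lines back into one entry per line."""
    entries = []
    for line in text.splitlines():
        if line.startswith(" ") and entries:
            entries[-1] += " " + line.strip()
        elif line.strip():
            entries.append(line.rstrip())
    return entries

def parse_entry(entry):
    """Return a dict with ts, user, status and the KEY=VALUE fields, or None."""
    m = ENTRY_RE.match(entry)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "user": m.group("user"), "status": "ok"}
    for part in m.group("rest").split(" ; "):
        key, sep, val = part.partition("=")
        if sep:
            rec[key.strip()] = val.strip()
        else:
            rec["status"] = part.strip()  # free-text reason, e.g. a denial
    return rec

def audit(text, logfile="/var/log/sudo.log"):
    """Summarise: all records, per-user counts, denials, commands touching the log."""
    records = [r for r in map(parse_entry, join_wrapped(text)) if r]
    per_user = Counter(r["user"] for r in records)
    denied = [r for r in records if r["status"] != "ok"]
    touches_log = [r for r in records if logfile in r.get("COMMAND", "")]
    return records, per_user, denied, touches_log
```

Run it against a real /var/log/sudo.log by passing the file contents to audit(); entries that touch the audit log or carry a non-"ok" status are the ones worth a closer look.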
Note: in a real production environment, the audit log records can be pushed periodically to a designated log backup server. As the tests above show, a sudo user can read the local log and root can delete it, so the copy on a separate server is what makes the audit trail trustworthy. The detailed procedure for pushing the log records will be covered later.