Auditing operations on Linux when different ops staff share the root account

Source: Internet
Author: User
Tags: gettext, syslog, system log

I. Why?

In small and medium-sized companies, the different operations staff usually all log in to the servers and manage them with the root account, and there is no system for auditing what each person did with that authority. As long as nothing goes wrong this is fine; once something does go wrong, it is hard to trace who caused it.

This article shows how to compile a bash that, when different clients log in to the server as root, records the operations each of them performs, and how those records can then be collected by the ELK log analysis system.

II. Environment

Server: CentOS 6.5 with the development tools installed, key-based authentication, SELinux off.

Clients: two machines, each of which generates its own key pair for logging in to the server.

III. Build and deploy (operations on the server, 192.168.30.72)

3.1 Download the bash source

[[email protected] ~]# wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
[[email protected] ~]# tar xvf bash-4.1.tar.gz
[[email protected] ~]# cd bash-4.1

3.2 First modify config-top.h, at roughly line 94 and line 104. The two defines below are wrapped in C comments (/* */) there; remove only those comment markers so that the defines take effect, and be careful not to delete the wrong thing. After the change the two lines read:

[[email protected] bash-4.1]# vim config-top.h
#define SSH_SOURCE_BASHRC
#define SYSLOG_HISTORY

3.3 Next modify bashhist.c so that every command entered at the terminal is written to the system log (messages) in the format specified here, with the NAME_OF_KEY variable obtained at login included in each record. The modified function is:

[[email protected] bash-4.1]# vim bashhist.c
/* ... earlier part of the file omitted ... */
void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];
  const char *p;

  /* NAME_OF_KEY is exported at login by /etc/checkuser.sh: the comment of
     the SSH key that authenticated this session. */
  p = getenv ("NAME_OF_KEY");
  if (p == 0)
    p = "unknown";   /* guard added so that %s never receives a NULL pointer */

  if (strlen (line) < SYSLOG_MAXLEN)
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL,
            "history: pid=%d ppid=%d sid=%d user=%s user=%s cmd=%s",
            getpid (), getppid (), getsid (getpid ()),
            current_user.user_name, p, line);
  else
    {
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL,
              "history (truncated): pid=%d ppid=%d sid=%d user=%s user=%s cmd=%s",
              getpid (), getppid (), getsid (getpid ()),
              current_user.user_name, p, trunc);
    }
}

3.4 Configure the installation prefix, then compile and install; here bash is installed under /usr/local/.

[[email protected] bash-4.1]# ./configure --prefix=/usr/local/bash_new
[[email protected] bash-4.1]# make && make install
...
if test "bash" = "gettext-tools"; then \
  /bin/sh /root/bash-4.1/./support/mkinstalldirs /usr/local/bash_new/share/gettext/po; \
  for file in Makefile.in.in remove-potcdate.sin quot.sed boldquot.sed en@quot.header en@boldquot.header insert-header.sin Rules-quot makevars.template; do \
    /usr/bin/install -c -m 644 ./$file /usr/local/bash_new/share/gettext/po/$file; \
  done; \
  for file in Makevars; do \
    rm -f /usr/local/bash_new/share/gettext/po/$file; \
  done; \
else \
  : ; \
fi
make[1]: Leaving directory `/root/bash-4.1/po'

Once compilation is complete, append the new bash to /etc/shells and change the root user's login shell to the newly compiled shell, as follows:

[[email protected] bash-4.1]# echo "/usr/local/bash_new/bin/bash" >> /etc/shells
[[email protected] bash-4.1]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/usr/local/bash_new/bin/bash
[[email protected] bash-4.1]# vim /etc/passwd
root:x:0:0:root:/root:/usr/local/bash_new/bin/bash

Log out of the current root session and log in again, then view /var/log/messages: the commands executed in the session can now be seen recorded there.

IV. Generating the SSH keys on the clients

4.1 On client 1 (192.168.30.99), generate a key pair with ssh-keygen for the user zhangsan. The options that matter:

-t  the key algorithm
-C  the comment (this comment is also what finally identifies the person logging in to the server)

4.2 Upload the public key to the .ssh/authorized_keys file on the server. The ssh-copy-id command creates .ssh/authorized_keys on the server automatically, creating the directory if it does not exist, and gives the file mode 600.

[[email protected] ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]
[email protected]'s password:
Now try logging into the machine, with "ssh '[email protected]'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

4.3 On client 2 (192.168.30.71), perform the same operation for the user lisi.

Upload the public key to the server:

[[email protected] ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]
The authenticity of host '192.168.30.72 (192.168.30.72)' can't be established.
RSA key fingerprint is 8f:a7:1b:8d:e4:92:ad:ae:ea:1b:fb:67:0b:0b:7c:ac.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.30.72' (RSA) to the list of known hosts.
[email protected]'s password:
Now try logging into the machine, with "ssh '[email protected]'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

4.4 Now verify the authorized_keys file on the server.

Both clients can now log in without a password. Next, configure the server and create the detection script.

V. Configure the server

5.1 Create a keys file under the log directory. It stores the public keys that may be used to log in, and the login is checked against it.

[[email protected] ~]# touch /var/log/keys

Create the detection script /etc/checkuser.sh. It is sourced by the login shell, works out which public key was used to log in, and exports the key's comment as NAME_OF_KEY so that the compiled bash and the logger call below can record it.

5.2 Configure /etc/profile by adding one line at the end of the file:

[[email protected] ~]# echo "test -f /etc/checkuser.sh && . /etc/checkuser.sh" >> /etc/profile

Add the following at the end of /etc/bashrc. This covers commands run non-interactively over ssh (ssh host command), which do not pass through /etc/profile: the SSH_SOURCE_BASHRC define from step 3.2 makes bash read /etc/bashrc in that case, and $BASH_EXECUTION_STRING holds the command that was run.

[[email protected] ~]# tail -1f /etc/bashrc
test -z "$BASH_EXECUTION_STRING" || { test -f /etc/checkuser.sh && . /etc/checkuser.sh; logger -t -bash -s "History $SSH_CLIENT user=$NAME_OF_KEY cmd=$BASH_EXECUTION_STRING" >/dev/null 2>&1; }

5.3 Modify the sshd configuration file to turn on debug logging, then restart the sshd service:

[[email protected] ~]# sed -i 's/#LogLevel INFO/LogLevel DEBUG/g' /etc/ssh/sshd_config
[[email protected] ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
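The contents of /etc/checkuser.sh are not reproduced on this page, so the following is an added example, not the article's script, of the correlation that step 5.1 to 5.3 set up: take the client address and port from SSH_CLIENT, find the sshd log line that accepted that connection, pair it by sshd PID with the "Found matching RSA key" line that debug logging produces, and look the fingerprint up in the keys file to get the key comment. It assumes the OpenSSH 5.x log line formats of CentOS 6 and a keys file in authorized_keys format; the hostname "server", the PIDs, ports and keys are all constructed for the example (the client IPs are the article's).

```python
"""Added example (not the article's own checkuser.sh, whose contents are not
reproduced on this page): resolve which SSH key authenticated the current
session and return the key's comment, the value the article exports as
NAME_OF_KEY.

Assumptions, all labelled here: a keys file in authorized_keys format
(type, base64 blob, comment) such as the article's /var/log/keys; sshd log
lines in the OpenSSH 5.x style of CentOS 6, where at LogLevel DEBUG the
"Found matching RSA key: <md5 fingerprint>" line and the
"Accepted publickey for <user> from <ip> port <port>" line carry the same
sshd PID; and SSH_CLIENT as bash sees it, "<client ip> <client port> <server port>".
Every key and log line below is constructed for the example.
"""
import base64
import hashlib
import re


def md5_fingerprint(pubkey_line):
    """Colon-separated MD5 fingerprint of one authorized_keys line, the
    format OpenSSH 5.x prints in its logs and in ssh-keygen -l."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def load_keys(keys_text):
    """Return {fingerprint: comment} for every key line in the keys file."""
    table = {}
    for line in keys_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2 or line.startswith("#"):
            continue
        comment = parts[2].strip() if len(parts) == 3 else "(no comment)"
        table[md5_fingerprint(line)] = comment
    return table


FOUND_RE = re.compile(r"sshd\[(\d+)\]: Found matching \w+ key: ([0-9a-f:]{47})")
ACCEPT_RE = re.compile(r"sshd\[(\d+)\]: Accepted publickey for \S+ from (\S+) port (\d+)")


def fingerprint_for_session(log_text, client_ip, client_port):
    """Fingerprint sshd accepted for the session from client_ip:client_port.
    The two lines are correlated by sshd PID, since every connection is
    handled by its own sshd child process."""
    found_by_pid = {}
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            found_by_pid[m.group(1)] = m.group(2)
            continue
        m = ACCEPT_RE.search(line)
        if m and m.group(2) == client_ip and m.group(3) == str(client_port):
            return found_by_pid.get(m.group(1))
    return None


def name_of_key(log_text, keys_text, ssh_client):
    """Comment of the key that authenticated the session described by
    ssh_client, or None when it cannot be attributed (password login,
    unknown key, SSH_CLIENT unset)."""
    fields = ssh_client.split()
    if len(fields) < 2:
        return None
    fp = fingerprint_for_session(log_text, fields[0], fields[1])
    return load_keys(keys_text).get(fp) if fp else None


# Constructed sample keys: the blobs are arbitrary bytes rather than real RSA
# keys, which suffices because the fingerprint is MD5 over the decoded blob.
def _fake_key(comment, seed):
    blob = hashlib.sha256(seed.encode()).digest() * 2
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


SAMPLE_KEYS = "\n".join([_fake_key("zhangsan", "client1"), _fake_key("lisi", "client2")])
FP_ZHANGSAN = md5_fingerprint(_fake_key("zhangsan", "client1"))
FP_LISI = md5_fingerprint(_fake_key("lisi", "client2"))

# Constructed /var/log/secure lines in the assumed OpenSSH 5.x format; the
# last session authenticated with a password, so it has no key to attribute.
SAMPLE_LOG = "\n".join([
    "Jun 10 10:00:01 server sshd[2001]: Found matching RSA key: " + FP_ZHANGSAN,
    "Jun 10 10:00:01 server sshd[2001]: Accepted publickey for root from 192.168.30.99 port 50100 ssh2",
    "Jun 10 10:05:02 server sshd[2044]: Found matching RSA key: " + FP_LISI,
    "Jun 10 10:05:02 server sshd[2044]: Accepted publickey for root from 192.168.30.71 port 50200 ssh2",
    "Jun 10 10:06:00 server sshd[2050]: Accepted password for root from 10.0.0.5 port 50300 ssh2",
])

if __name__ == "__main__":
    for client in ("192.168.30.99 50100 22", "192.168.30.71 50200 22", "10.0.0.5 50300 22"):
        print(client, "->", name_of_key(SAMPLE_LOG, SAMPLE_KEYS, client))
```

A sourced /etc/checkuser.sh would run this logic against /var/log/secure and the keys file and then export NAME_OF_KEY. Two points matter for the attribution to be trustworthy: the keys file has to be root-owned and kept in step with authorized_keys, because the mapping from fingerprint to name is only as good as that file, and a session that cannot be attributed (password login, or a key missing from the file) should be logged as such rather than silently treated as a known person. The "Found matching" line is emitted at sshd's VERBOSE level, so the DEBUG setting from step 5.3 is more than enough but also much noisier; newer OpenSSH releases print the key fingerprint directly on the "Accepted publickey" line, which removes the PID correlation step.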

VI. Verification

6.1 Log in from client 1 (zhangsan) and delete a file.

6.2 Log in from client 2 (lisi), delete a file, and run a command that restarts a service.

6.3 On the server, view the messages log.

From it you can see, even though every login was made as root, which person (identified by the public key the client logged in with) performed which operation and when.

(Note: in the 4th paragraph, swift1 is the hostname of this server. I had just run the hostname command to change the hostname and had not modified the network configuration, so the kernel still reports the previous name, swift1.)
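The messages log itself is not reproduced on this page. As an added example, not part of the original article, here is a parser for the two kinds of audit line the setup produces, which is the piece needed to feed the records into the ELK collection mentioned in section I and to answer the "who did what, when" question of 6.3 from the log rather than by eye. It assumes the record formats from steps 3.3 and 5.2 with the syslog tag -bash, and all sample lines, the hostname "server", PIDs and ports are constructed; it also flags records whose operator could not be resolved, the case a reviewer should look at first.

```python
"""Added example, not part of the original article: parse the audit lines
the described setup writes to /var/log/messages into records that can be
indexed (for example shipped to ELK) and grouped per operator.

Assumptions: the recompiled bash logs
  "history: pid=.. ppid=.. sid=.. user=<account> user=<key name> cmd=.."
(or "history (truncated): ..."), and /etc/bashrc logs one-shot commands as
  "History <SSH_CLIENT> user=<key name> cmd=<command>"
under the syslog tag -bash. Every sample line below is constructed.
"""
import re
from collections import defaultdict

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>\S+?): (?P<body>.*)$")
# Interactive commands recorded by bash_syslog_history(); the first user= is
# the login account, the second the key comment exported as NAME_OF_KEY.
HIST_RE = re.compile(
    r"^history(?P<trunc> \(truncated\))?: pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) sid=(?P<sid>\d+) "
    r"user=(?P<account>\S+) user=(?P<operator>\S*) cmd=(?P<cmd>.*)$", re.IGNORECASE)
# Non-interactive "ssh host command" invocations recorded by logger from /etc/bashrc.
EXEC_RE = re.compile(
    r"^history (?P<client_ip>\S+) (?P<client_port>\d+) (?P<server_port>\d+) "
    r"user=(?P<operator>\S*) cmd=(?P<cmd>.*)$", re.IGNORECASE)


def parse_line(line):
    """Return a record dict for an audit line, or None for any other line."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    head = {"ts": m.group("ts"), "host": m.group("host"), "tag": m.group("tag")}
    body = m.group("body")
    h = HIST_RE.match(body)
    if h:
        return dict(head, kind="interactive", pid=int(h.group("pid")),
                    ppid=int(h.group("ppid")), sid=int(h.group("sid")),
                    account=h.group("account"), operator=h.group("operator"),
                    cmd=h.group("cmd"), truncated=h.group("trunc") is not None)
    e = EXEC_RE.match(body)
    if e:
        return dict(head, kind="exec", client_ip=e.group("client_ip"),
                    client_port=int(e.group("client_port")),
                    operator=e.group("operator"), cmd=e.group("cmd"), truncated=False)
    return None


def parse_messages(text):
    """All audit records in a messages file, in file order."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def commands_by_operator(records):
    """Group commands per key comment: who ran what, in order."""
    out = defaultdict(list)
    for r in records:
        out[r["operator"]].append(r["cmd"])
    return dict(out)


def unattributed(records):
    """Records whose operator could not be resolved (NAME_OF_KEY empty or
    set to a fallback value): sessions that bypassed the key check."""
    return [r for r in records if r["operator"] in ("", "(null)", "unknown")]


# Constructed sample /var/log/messages lines in the assumed formats.
SAMPLE_MESSAGES = "\n".join([
    "Jun 10 10:01:15 server -bash: history: pid=2100 ppid=2001 sid=2100 user=root user=zhangsan cmd=rm -f /tmp/test.txt",
    "Jun 10 10:06:40 server -bash: history: pid=2150 ppid=2044 sid=2150 user=root user=lisi cmd=service httpd restart",
    "Jun 10 10:07:02 server -bash: History 192.168.30.71 50201 22 user=lisi cmd=rm -f /tmp/foo",
    "Jun 10 10:08:00 server -bash: history (truncated): pid=2160 ppid=2044 sid=2160 user=root user=lisi cmd=echo aaaa",
    "Jun 10 10:09:30 server -bash: history: pid=2170 ppid=2060 sid=2170 user=root user=unknown cmd=id",
    "Jun 10 10:09:45 server kernel: unrelated line",
])

if __name__ == "__main__":
    recs = parse_messages(SAMPLE_MESSAGES)
    for operator, cmds in sorted(commands_by_operator(recs).items()):
        print("%-10s %s" % (operator, cmds))
    print("unattributed:", [(r["ts"], r["cmd"]) for r in unattributed(recs)])
```

Each record keeps the PID, PPID and session id from the original line, so commands from one login session can be tied together even after the log has been forwarded; a collector that receives these lines over syslog from several servers only needs the host field added to the document key to keep them apart.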

VII. Conclusion

This largely solves the problem that operations performed by several people all logging in as root could not be audited. Combined with log forwarding, the system log can be sent on to another server, so that even if this host is compromised, the login times and the actions that were performed can still be reviewed in detail.
