I. Why?
In small and medium-sized enterprises, the different operations and maintenance staff typically all log in to and manage servers with the root account, and there is no audit of account permissions. That is fine as long as nothing goes wrong, but once something does, it is hard to trace the source.
This article shows how to compile a modified bash so that different clients logging in to the server as root have their operations logged, and how that can be combined with the ELK log analysis system to collect the operation logs.
II. Environment
Server: CentOS 6.5 with the development tools installed, key-based authentication, SELinux disabled.
Clients: two machines, each generating a key pair for logging in to the server.
III. Build and deploy (performed on the server, 192.168.30.72)
3.1 Download and compile bash
[root@server ~]# wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
[root@server ~]# tar xvf bash-4.1.tar.gz
[root@server ~]# cd bash-4.1
3.2 First modify config-top.h, around lines 94 and 104. C comments are written as /* */, so take care not to delete the wrong thing: only remove the comment markers around these two lines so they read as follows:
[root@server bash-4.1]# vim config-top.h
#define SSH_SOURCE_BASHRC
#define SYSLOG_HISTORY
3.3 Next modify bashhist.c so that the commands entered at the terminal are logged to the system messages log in the specified format, passing in the variable obtained at login (NAME_OF_KEY, which the check script in section V sets from the key comment). The modified function is as follows:
[root@server bash-4.1]# vim bashhist.c
/* ... unchanged code omitted ... */
void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];
  const char *p;

  /* Key comment exported by /etc/checkuser.sh: identifies which client's key logged in.
     The first USER= below is the Unix account, the second is this key comment. */
  p = getenv ("NAME_OF_KEY");
  if (p == 0)
    p = "unknown";   /* never pass NULL to %s if the variable is not set */

  if (strlen (line) < SYSLOG_MAXLEN)
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL,
            "HISTORY: PID=%d PPID=%d SID=%d USER=%s USER=%s CMD=%s",
            getpid (), getppid (), getsid (getpid ()), current_user.user_name, p, line);
  else
    {
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL,
              "HISTORY (TRUNCATED): PID=%d PPID=%d SID=%d USER=%s USER=%s CMD=%s",
              getpid (), getppid (), getsid (getpid ()), current_user.user_name, p, trunc);
    }
}
3.4 Configure the installation path, then compile and install into the /usr/local/ directory.
[root@server bash-4.1]# ./configure --prefix=/usr/local/bash_new
[root@server bash-4.1]# make && make install
...
if test "bash" = "gettext-tools"; then \
  /bin/sh /root/bash-4.1/./support/mkinstalldirs /usr/local/bash_new/share/gettext/po; \
  for file in Makefile.in.in remove-potcdate.sin quot.sed boldquot.sed en@quot.header en@boldquot.header insert-header.sin Rules-quot Makevars.template; do \
    /usr/bin/install -c -m 644 ./$file /usr/local/bash_new/share/gettext/po/$file; \
  done; \
  for file in Makevars; do \
    rm -f /usr/local/bash_new/share/gettext/po/$file; \
  done; \
else : ; \
fi
make[1]: Leaving directory `/root/bash-4.1/po'
Once the compilation is complete, append the new bash to /etc/shells and change the root user's login shell to the newly compiled shell, as follows:
[root@server bash-4.1]# echo "/usr/local/bash_new/bin/bash" >> /etc/shells
[root@server bash-4.1]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/usr/local/bash_new/bin/bash
[root@server bash-4.1]# vim /etc/passwd
root:x:0:0:root:/root:/usr/local/bash_new/bin/bash
Log out of the current root session, log in again, and view /var/log/messages; the operation commands are now recorded there.
IV. Generating the SSH client keys
4.1 On CLIENT1 (192.168.30.99), generate a key pair with ssh-keygen for user zhangsan.
[View Code block for the ssh-keygen command; not expanded in the source]
-t: key type (encryption algorithm)
-C: comment (this is also the key point for identifying the server visitor at the end)
Upload the public key to the .ssh/authorized_keys file on the server. The ssh-copy-id command automatically creates .ssh/authorized_keys on the server, even if the directory does not exist yet, and gives it 600 permissions.
[root@client1 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.30.72
root@192.168.30.72's password:
Now try logging into the machine, with "ssh 'root@192.168.30.72'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
4.3 Perform the same operation on CLIENT2 (192.168.30.71) for user lisi.
[View Code block for the ssh-keygen command; not expanded in the source]
Upload the public key to the server:
[root@client2 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.30.72
The authenticity of host '192.168.30.72 (192.168.30.72)' can't be established.
RSA key fingerprint is 8f:a7:1b:8d:e4:92:ad:ae:ea:1b:fb:67:0b:0b:7c:ac.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.30.72' (RSA) to the list of known hosts.
root@192.168.30.72's password:
Now try logging into the machine, with "ssh 'root@192.168.30.72'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
4.4 Now verify the authorized_keys file on the server.
[View Code block; not expanded in the source]
The two clients above can now log in with their keys without a password. Next, configure the server and create the scripts.
V. Configure the server
5.1 Create a keys file in the log directory; it stores the public key used at login so that it can be checked afterwards.
[root@server ~]# touch /var/log/keys
Create the check script, whose contents are as follows:
[View Code block for /etc/checkuser.sh; not expanded in the source]
5.2 Configure /etc/profile by adding a line at the end of the file, as follows:
[root@server ~]# echo "test -f /etc/checkuser.sh && . /etc/checkuser.sh" >> /etc/profile
Add the following at the end of /etc/bashrc, so that commands run non-interactively (ssh server 'command', where bash sets BASH_EXECUTION_STRING and records no history) are logged as well:
[root@server ~]# tail -1 /etc/bashrc
test -z "$BASH_EXECUTION_STRING" || { test -f /etc/checkuser.sh && . /etc/checkuser.sh; logger -t bash -s "HISTORY $SSH_CLIENT user=$NAME_OF_KEY cmd=$BASH_EXECUTION_STRING" >/dev/null 2>&1; }
5.3 Modify the sshd configuration file to turn on debug logging (so that sshd logs the fingerprint of the key used at each login), and restart the sshd service:
[root@server ~]# sed -i 's/#LogLevel INFO/LogLevel DEBUG/g' /etc/ssh/sshd_config
[root@server ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
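The check script itself is collapsed in the original post, so the following is an added example (not the author's /etc/checkuser.sh) of the lookup it has to perform: take the key fingerprint that sshd writes to its log at the debug level set above and map it to the comment of the matching authorized_keys entry, which is the value the patched bash logs as NAME_OF_KEY. It assumes OpenSSH 5.x MD5 colon fingerprints, plain "type blob comment" entries without options, and a log at /var/log/secure; the key blobs and log lines used here are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not the article's checkuser.sh. Resolves the key used for an
# SSH login by matching the fingerprint sshd logs ("Found matching RSA key: ...")
# against authorized_keys, and prints that entry's comment for NAME_OF_KEY.

# MD5 fingerprint of one authorized_keys line (field 2 is the base64 key blob),
# in the colon-separated form OpenSSH 5.x prints.
key_fingerprint() {
    printf '%s' "$1" | awk '{print $2}' | base64 -d | md5sum |
        awk '{print $1}' | sed 's/../&:/g; s/:$//'
}

# Print the comment of the entry in key file $2 whose fingerprint equals $1.
comment_for_fingerprint() {
    fp="$1"; keyfile="$2"
    while IFS= read -r entry; do
        case "$entry" in ''|'#'*) continue ;; esac
        if [ "$(key_fingerprint "$entry")" = "$fp" ]; then
            printf '%s\n' "$entry" | cut -d' ' -f3-
            return 0
        fi
    done < "$keyfile"
    return 1
}

# Fingerprint from the last "Found matching ... key:" line of the sshd log $1
# (CentOS 6: /var/log/secure), mapped to a comment via key file $2.
resolve_key_name() {
    fp=$(grep 'Found matching [A-Z0-9]* key:' "$1" | tail -1 | awk '{print $NF}')
    [ -n "$fp" ] || { echo unknown; return 1; }
    comment_for_fingerprint "$fp" "$2" || echo unknown
}

# Constructed demo data: valid base64 blobs that are not real keys, plus a
# log excerpt in the style of /var/log/secure with LogLevel DEBUG.
DEMO_KEYS=$(mktemp); DEMO_LOG=$(mktemp)
cat > "$DEMO_KEYS" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzhangsanDEMOKEY0 zhangsan
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAlisiDEMOKEY00000 lisi
EOF
demo_lookup() {
    fp=$(key_fingerprint "$(sed -n 1p "$DEMO_KEYS")")
    {
        echo "May 26 20:19:02 swift1 sshd[2411]: debug1: matching key found: file /root/.ssh/authorized_keys, line 1"
        echo "May 26 20:19:02 swift1 sshd[2411]: Found matching RSA key: $fp"
    } > "$DEMO_LOG"
    resolve_key_name "$DEMO_LOG" "$DEMO_KEYS"
}
# Real use: NAME_OF_KEY=$(resolve_key_name /var/log/secure /root/.ssh/authorized_keys); export NAME_OF_KEY
```

Taking the last matching line is only safe for one login at a time; with concurrent logins, correlate on the sshd PID of the session instead, and keep $SSH_CLIENT in the log line as the article's bashrc entry does.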
VI. Verification
6.1 Log in from CLIENT1 (zhangsan) and delete a file.
6.2 Log in from CLIENT2 (lisi), delete a file, and run a command that restarts a service.
6.3 On the server, view the messages log; it shows the operations performed.
From this you can see that, for users logging in by public key from different clients, you can identify who performed which operation and when.
(Note: in the 4th line, swift1 is the hostname of this server. I had just changed the hostname with the hostname command without changing the network configuration file, so the kernel still reports the previous name, swift1.)
VII. Conclusion
This largely solves the problem that operations performed by multiple people logging in as root cannot be audited. Combined with log forwarding, the system log can be sent to another server, so that even if the host is compromised, the login times and the actions taken can still be reviewed.
Auditing the root account shared by different operations staff on Linux