Linux log auditing project case study (a log auditing solution for production environments)

(Reproduced from linuxzkq's 51CTO blog; original article: http://blog.51cto.com/linuxzkq/1664795)

Log auditing means recording everything the system and its users do, and being able to analyze, process and present those records automatically (as text or as session recordings).

Recommended approach: sudo combined with the syslog service. The information captured is limited (who ran which command, as whom, from where and when), but it works well in practice.

1. Install the sudo command and the syslog service (on CentOS 6.4 and later this is the rsyslog service)

Check whether sudo and syslog are already installed. Note the pipe into egrep: rpm -qa on its own takes a package-name glob, not a regular expression, so rpm -qa "sudo|syslog" would print nothing.

[root@nginx_back ~]#rpm -qa|egrep "sudo|syslog"
rsyslog-5.8.10-8.el6.x86_64
sudo-1.8.6p3-15.el6.x86_64

If they are not installed, install them with yum.

2. Configure /etc/sudoers

Add the line "Defaults    logfile=/var/log/sudo.log" to /etc/sudoers (without the quotes):

[root@nginx_back ~]#echo "Defaults    logfile=/var/log/sudo.log">>/etc/sudoers
[root@nginx_back ~]#tail -1 /etc/sudoers
Defaults    logfile=/var/log/sudo.log
[root@nginx_back ~]#visudo -c   (checks the syntax of the sudoers file)
/etc/sudoers: parsed OK

Always run visudo -c after appending with echo: a syntax error in /etc/sudoers makes sudo refuse to run for every user, including the administrator. Editing the file with visudo instead of echo >> performs this check automatically and takes a lock against concurrent edits.

3. Configure the system log, /etc/syslog.conf

Add a local2.debug rule to /etc/syslog.conf (CentOS 5.8). Note: on CentOS 6.4 the path is /etc/rsyslog.conf.

[root@nginx_back ~]#echo "local2.debug   /var/log/sudo.log">>/etc/syslog.conf
[root@nginx_back ~]#tail -1 /etc/syslog.conf
local2.debug   /var/log/sudo.log

The same on CentOS 6.4:

[root@nginx_back ~]#echo "local2.debug   /var/log/sudo.log">>/etc/rsyslog.conf
[root@nginx_back ~]#tail -1 /etc/rsyslog.conf
local2.debug   /var/log/sudo.log

Caveat: this rule only receives sudo's messages if sudo actually logs to the local2 facility, which requires a matching "Defaults    syslog=local2" line in /etc/sudoers. Without it, sudo's syslog copy goes to its compiled-in facility (authpriv on CentOS, i.e. /var/log/secure). The "Defaults logfile=" line from step 2 makes sudo write /var/log/sudo.log directly and does not depend on the syslog rule, which is why the test in step 5 works either way.

4. Restart the syslog or rsyslog system logger

/etc/init.d/syslog restart (CentOS 5.8)
/etc/init.d/rsyslog restart (CentOS 6.4)

[root@nginx_back ~]#/etc/init.d/rsyslog restart
Shutting down system logger:                          [  OK  ]
Starting system logger:                               [  OK  ]

5. Test the sudo log auditing configuration

The log file is created empty, root-owned and mode 0600, so only root can read it:

[root@nginx_back ~]#ll /var/log/sudo.log
-rw------- 1 root root 0 Jun 23 23:17 /var/log/sudo.log

Switch to an ordinary user who is not in sudoers and try a few things:

[root@nginx_back ~]#su - ci001
-bash: warning: setlocale: LC_CTYPE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_COLLATE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_MESSAGES: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_NUMERIC: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory
welcome to oldboy linux training from /etc/profile.d
[ci001@nginx_back ~]$ sudo -l
[sudo] password for ci001: 
Sorry, user ci001 may not run sudo on nginx_back.
[ci001@nginx_back ~]$ sudo useradd dddd
[sudo] password for ci001: 
ci001 is not in the sudoers file.  This incident will be reported.
[ci001@nginx_back ~]$ logout

Back as root, both attempts have been recorded. Each record is a header line (timestamp, user, reason, TTY, working directory) followed by an indented continuation line (target user and the exact command):

[root@nginx_back ~]#ll /var/log/sudo.log
-rw------- 1 root root 232 Jun 23 23:21 /var/log/sudo.log
[root@nginx_back ~]#cat  /var/log/sudo.log  
Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=list
Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=/usr/sbin/useradd dddd

Now a second user attempts to grant itself sudo rights and to obtain a root shell:

[root@nginx_back ~]#su - php001
-bash: warning: setlocale: LC_CTYPE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_COLLATE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_MESSAGES: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_NUMERIC: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory
welcome to oldboy linux training from /etc/profile.d
[php001@nginx_back ~]$ whoami
php001
[php001@nginx_back ~]$ sudo visudo
[sudo] password for php001: 
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ sudo vi /etc/sudoers
[sudo] password for php001: 
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ sudo echo "php001 ALL=(ALL) NOPASSWD:ALL">>/etc/sudoers
-bash: /etc/sudoers: Permission denied
[php001@nginx_back ~]$ sudo su -
[sudo] password for php001: 
Sorry, try again.
[sudo] password for php001: 
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ logout

Note the "sudo echo ... >> /etc/sudoers" attempt: the >> redirection is performed by php001's own shell before sudo is ever executed, so it fails with Permission denied and, because sudo never ran, it leaves no trace in the sudo log. The other four attempts all appear:

[root@nginx_back ~]#whoami 
root
[root@nginx_back ~]#cat  /var/log/sudo.log
Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=list
Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=/usr/sbin/useradd dddd
Jun 23 23:26:56 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/usr/sbin/visudo
Jun 23 23:28:55 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/vi /etc/sudoers
Jun 23 23:29:18 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/su -

For reference, the end of the sudoers file now looks like this (the only uncommented policy line is the Defaults we added, which is why both users are refused):

[root@nginx_back ~]#tail /etc/sudoers
## Allows members of the users group to mount and unmount the 
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
Defaults    logfile=/var/log/sudo.log

Keep in mind that /var/log/sudo.log lives on the audited host and is writable by root. Anyone who does obtain root can edit or delete it, so the local file is only trustworthy once its contents have been shipped elsewhere, which is the point of the next step.

6. Centralized log management

1) rsync+inotify, or a cron job plus rsync, pushing the file to a log management server, named after the source host and date, e.g. 10.0.0.7_20120809.sudo.log.

2) Let the syslog service forward it:

# address of the log server
[root@MySQL-A~]#echo "10.0.2.164 logserver">>/etc/hosts
[root@MySQL-A~]#echo "*.info  @logserver">>/etc/syslog.conf   <<==== use this when all logs should be pushed to the server

A single @ forwards over UDP port 514, which is lossy and unauthenticated; rsyslog also accepts @@ for TCP. To forward only the sudo records rather than everything at info level, use the facility sudo logs to as the selector (for example local2.* together with "Defaults syslog=local2" in sudoers, as noted in step 3). The receiving server must enable the matching UDP or TCP input (imudp/imtcp in rsyslog) before anything arrives.

3) Log collection frameworks: scribe, Flume, logstash, storm.
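Once the records are centralized, something has to read them. As an added example (not code from the original post), here is a small Python analyzer for the two-line records that "Defaults logfile=" produces, run over the five refused requests shown in step 5 plus one constructed, allowed invocation by a hypothetical user ops001. It rejoins sudo's indented continuation lines, parses each record into fields, and raises alerts for refused requests, for commands that touch sudo policy or yield a root shell (flagged even when allowed), and for repeated refusals by one user inside a short window. The sensitive-command list, the thresholds and the year (sudo's logfile timestamps carry none) are assumptions of this example.

```python
"""Analyze sudo's `Defaults logfile=` records for audit alerts.

Added example for this article; not code from the original post.
Assumes sudo 1.8-style logfile records: a header line, optionally
followed by indented continuation lines (sudo wraps long lines).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the five refused requests from the article's
# /var/log/sudo.log, plus one constructed *allowed* invocation by a
# hypothetical user "ops001" so the sensitive-command rule has a hit
# that is not also a denial.
SAMPLE_LOG = """\
Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=list
Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=/usr/sbin/useradd dddd
Jun 23 23:26:56 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/usr/sbin/visudo
Jun 23 23:28:55 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/vi /etc/sudoers
Jun 23 23:29:18 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/su -
Jun 23 23:35:02 : ops001 : TTY=pts/1 ; PWD=/home/ops001 ; USER=root ;
    COMMAND=/bin/bash
"""

# One record after continuation lines are rejoined.  The "error" group is
# present only when sudo refused the request (e.g. "user NOT in sudoers").
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) : "
    r"(?P<user>\S+) : "
    r"(?:(?P<error>.*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<command>.*)$"
)

# Assumed list of commands that change sudo policy or give an interactive
# root shell; an allowed run of these is still worth a reviewer's eye.
SENSITIVE_RE = re.compile(r"(^|/)(visudo|su|bash|sh)(\s|$)|/etc/sudoers")


def join_wrapped(lines):
    """Glue sudo's indented continuation lines back onto their header line."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records


def parse_records(text):
    """Return (parsed field dicts, raw records the regex did not understand)."""
    parsed, unparsed = [], []
    for rec in join_wrapped(text.splitlines()):
        m = RECORD_RE.match(rec)
        if m:
            parsed.append(m.groupdict())
        else:
            unparsed.append(rec)
    return parsed, unparsed


def analyze(text, year=2015, denial_threshold=3, window_seconds=600):
    """Produce (alerts, unparsed).  Each alert is (kind, user, detail, command).

    `year` is an assumption: sudo's logfile timestamps carry no year, so the
    caller must supply it (e.g. from the file's mtime) to order events.
    """
    parsed, unparsed = parse_records(text)
    alerts, denials = [], defaultdict(list)
    for r in parsed:
        when = datetime.strptime(f"{year} {r['ts']}", "%Y %b %d %H:%M:%S")
        if r["error"]:
            alerts.append(("denied", r["user"], r["error"], r["command"]))
            denials[r["user"]].append(when)
        if SENSITIVE_RE.search(r["command"]):
            alerts.append(("sensitive", r["user"], r["error"] or "allowed", r["command"]))
    # Repeated refusals from one user inside the window look like probing.
    for user, times in denials.items():
        times.sort()
        for i in range(len(times) - denial_threshold + 1):
            span = (times[i + denial_threshold - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                alerts.append(("repeated_denials", user,
                               f"{denial_threshold} denials within {window_seconds}s", ""))
                break
    return alerts, unparsed


if __name__ == "__main__":
    found, leftovers = analyze(SAMPLE_LOG)
    for kind, user, detail, command in found:
        print(f"{kind:17} {user:8} {detail:22} {command}")
    if leftovers:
        print("unparsed records:", leftovers)
```

Records the regex does not recognise are returned separately rather than dropped, so a format change (a newer sudo adding fields, or a truncated line from a partial rsync) shows up as "unparsed" instead of silently shrinking the alert list. On the sample above the analyzer reports five refusals, four sensitive commands (three refused, the constructed /bin/bash allowed) and one repeated-denials alert for php001, whose three refusals fall within 142 seconds.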