Log auditing solutions for production environments
Log auditing means recording what the system and its users do, and being able to analyze, process and present the result automatically (as text or as session recordings).
Method 1) Audit every command through a shell environment-variable hook plus the syslog service (far too much data; not recommended)
Method 2) sudo combined with the syslog service (less data; works well)
Method 3) Embed a monitor in the bash interpreter and make every audited system user use this patched bash as their login shell
Method 4) Qizhi (齐治) bastion host: a commercial product
Today's topic is method 2, sudo log auditing: recording, for every system user who runs a command through sudo, who ran what, from where and as which target user.
1) Install the sudo command and the syslog service (on CentOS 6.4 the service is rsyslog)
(CentOS 5.8 installs sudo and the syslog service by default, and installing the system the way described earlier also installs them. If they are missing, run the command below; the machine needs Internet access for yum.)
[root@c58 ~]# rpm -qa | egrep "sudo|syslog"
rsyslog-3.22.1-7.el5
sudo-1.7.2p1-13.el5
[root@c65 ~]# rpm -qa | egrep "sudo|syslog"
sudo-1.8.6p3-12.el6.x86_64
rsyslog-5.8.10-8.el6.x86_64
If they are not installed, run the following (the package is named rsyslog, as the rpm output shows):
yum install -y sudo rsyslog
2) Configure /etc/sudoers
Add the line Defaults logfile=/var/log/sudo.log to /etc/sudoers (without the quotes). Appending with echo as shown below works, but the safe way is to edit with visudo: a syntax error in /etc/sudoers breaks sudo for every user on the host, so always finish with visudo -c.
[root@oldboy ~]# echo "Defaults logfile=/var/log/sudo.log" >>/etc/sudoers
[root@oldboy ~]# tail -1 /etc/sudoers
Defaults logfile=/var/log/sudo.log
[root@oldboy ~]# visudo -c //check the syntax of the sudoers file
/etc/sudoers: parsed OK
Tip: steps 3) and 4) below can be skipped. With Defaults logfile= set, sudo writes /var/log/sudo.log itself, without going through the syslog service; you can switch to an ordinary user, run a sudo command, and check whether /var/log/sudo.log has entries.
3) Configure the system logger /etc/rsyslog.conf
Add the selector local2.debug /var/log/sudo.log to /etc/rsyslog.conf. This selector only receives sudo messages if sudo is told to log to that facility (Defaults syslog=local2 in /etc/sudoers); the CentOS build of sudo logs to authpriv by default, which is why its lines normally appear in /var/log/secure.
[root@oldboy ~]# echo "local2.debug /var/log/sudo.log" >> /etc/rsyslog.conf
[root@oldboy ~]# tail -1 /etc/rsyslog.conf //check the result
local2.debug /var/log/sudo.log
Tip: on CentOS 5.8 the file is /etc/syslog.conf:
echo "local2.debug /var/log/sudo.log" >>/etc/syslog.conf
Do not append this line to /etc/audisp/plugins.d/syslog.conf on CentOS 6: that file configures the audispd syslog plugin, not the logger, and a syslog selector is not valid there. The rsyslog.conf line above is all CentOS 6 needs.
4) Restart the rsyslog system logger
[root@oldboy ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Tip: on CentOS 5.8 the command is
[root@oldboy ~]# /etc/init.d/syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
At this point /var/log/sudo.log (the name given in the configuration) is created automatically with mode 600 (-rw-------), owner and group root. If the file is not there yet, log out, log back in and run a sudo command. Check that only root can read it:
[root@oldboy ~]# ls -l /var/log/sudo.log //make sure only root can read it
-rw------- 1 root root 0 Jan 28 12:25 /var/log/sudo.log
5) Test the sudo log auditing configuration
Use the user chuji001 created earlier in this course, which has a limited list of sudo commands, and in a second session log in as root to read /var/log/sudo.log.
Operations as chuji001:
[oldboy@oldboy ~]$ whoami
oldboy
[oldboy@oldboy ~]$ sudo su -
[root@oldboy ~]# su - chuji001
[chuji001@oldboy ~]$ sudo -l
[sudo] password for chuji001:
Matching Defaults entries for chuji001 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin,
    logfile=/var/log/sudo.log
User chuji001 may run the following commands on this host:
    (root) /usr/bin/free, /usr/bin/iostat, /usr/bin/top, /bin/hostname, /sbin/ifconfig, /bin/netstat, /sbin/route
[chuji001@oldboy ~]$ whoami
chuji001
[chuji001@oldboy ~]$ sudo useradd aaaa
Sorry, user chuji001 is not allowed to execute '/usr/sbin/useradd aaaa' as root on oldboy.
View as root (the log is mode 600, so only root can read it):
[root@oldboy ~]# ls -l /var/log/sudo.log
-rw------- 1 root root 314 Jan 28 12:34 /var/log/sudo.log
[root@oldboy ~]# cat /var/log/sudo.log
Jan 28 12:33:10 : oldboy : TTY=pts/1 ; PWD=/home/oldboy ; USER=root ;
    COMMAND=/bin/su -
Jan 28 12:33:21 : chuji001 : TTY=pts/1 ; PWD=/home/chuji001 ; USER=root ;
    COMMAND=list
Jan 28 12:34:09 : chuji001 : command not allowed ; TTY=pts/1 ;
    PWD=/home/chuji001 ; USER=root ; COMMAND=/usr/sbin/useradd aaaa
Each record gives the invoking user, the terminal, the working directory, the target user (USER=) and the command; sudo -l is logged as COMMAND=list, and a refused command is marked "command not allowed". Note that sudo su - records only the su command itself: everything typed in the root shell afterwards leaves no trace in this file.
Operations as kaifamanager001:
[kaifamanager001@oldboy ~]$ sudo -l
Matching Defaults entries for kaifamanager001 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin,
    logfile=/var/log/sudo.log
User kaifamanager001 may run the following commands on this host:
    (ALL) ALL, (ALL) /usr/bin/passwd [A-Za-z]*, (ALL) !/usr/bin/passwd root, (ALL)
    !/usr/sbin/visudo, (ALL) !/usr/bin/vi *sudoer*, (ALL) !/usr/bin/vim, (ALL) !/bin/su -
[kaifamanager001@oldboy ~]$ whoami
kaifamanager001
[kaifamanager001@oldboy ~]$ sudo su -
Sorry, user kaifamanager001 is not allowed to execute '/bin/su -' as root on oldboy.
The refusal works here only because su - is exactly the argument string that the !/bin/su - rule excludes.
View as root (the log is mode 600, so only root can read it):
[root@oldboy ~]# ls -l /var/log/sudo.log
-rw------- 1 root root 748 Jan 28 12:41 /var/log/sudo.log
[root@oldboy ~]# cat /var/log/sudo.log
Jan 28 12:33:10 : oldboy : TTY=pts/1 ; PWD=/home/oldboy ; USER=root ;
    COMMAND=/bin/su -
Jan 28 12:33:21 : chuji001 : TTY=pts/1 ; PWD=/home/chuji001 ; USER=root ;
    COMMAND=list
Jan 28 12:34:09 : chuji001 : command not allowed ; TTY=pts/1 ;
    PWD=/home/chuji001 ; USER=root ; COMMAND=/usr/sbin/useradd aaaa
Jan 28 12:39:36 : kaifamanager001 : TTY=pts/1 ; PWD=/home/kaifamanager001 ;
    USER=root ; COMMAND=list
Jan 28 12:40:29 : oldboy : TTY=pts/2 ; PWD=/home/oldboy ; USER=root ;
    COMMAND=/bin/su -
Jan 28 12:40:53 : kaifamanager001 : TTY=pts/1 ; PWD=/home/kaifamanager001 ;
    USER=root ; COMMAND=list
Jan 28 12:41:07 : kaifamanager001 : command not allowed ; TTY=pts/1 ;
    PWD=/home/kaifamanager001 ; USER=root ; COMMAND=/bin/su -
Operations as kaifamanager001, second round (in the editor the user changes his own entry from ALL to NOPASSWD:ALL):
[kaifamanager001@oldboy ~]$ sudo vi /etc/sudoers
##pri config
senior001 ALL=(OP) GY_CMD_1
manager001 ALL=(ALL) NOPASSWD:ALL
kaifamanager001 ALL=(ALL) NOPASSWD:ALL,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,!/usr/sbin/visudo,!/usr/bin/vi *sudoer*,!/usr/bin/vim,!/bin/su -
[kaifamanager001@oldboy ~]$ sudo grep "NOPASSWD:ALL" /etc/sudoers
manager001 ALL=(ALL) NOPASSWD:ALL
kaifamanager001 ALL=(ALL) NOPASSWD:ALL,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,!/usr/sbin/visudo,!/usr/bin/vi *sudoer*,!/usr/bin/vim,!/bin/su -
[kaifamanager001@oldboy ~]$ sudo su - root //a root shell, now without even a password prompt: extremely dangerous
[root@oldboy ~]#
Why the '!' rules did not help: sudo vi /etc/sudoers was allowed although the policy excludes /usr/bin/vi *sudoer*, because the vi that sudo finds on secure_path is /bin/vi (the log below records COMMAND=/bin/vi /etc/sudoers), so an exclusion written with a path that does not match never applies. Likewise su - root is not the literal argument string su - that !/bin/su - excludes, so it was permitted even before the edit; the edit only removed the password prompt. The sudoers manual itself warns that '!' exclusions behind ALL are not a reliable restriction: a user holding ALL can copy the binary, use another editor or start any shell. Give such users an explicit command list instead, and watch the log for edits of /etc/sudoers and for shells started through sudo.
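An added example, not part of the original page, that checks sudoers user specifications for the weaknesses this transcript exposes. It parses the ##pri config lines above (embedded here as a constructed string) and reports: ALL combined with '!' exclusions, NOPASSWD:ALL, an exclusion whose path differs from where the binary really lives, and an exclusion that matches only one exact argument string. The INSTALLED map is an assumption taken from the paths recorded in the log below (/bin/vi, /bin/su); the rule names are mine, not sudo's.

```python
import os
import re
from typing import List, Set, Tuple

# Constructed copy of the user specifications shown above, so the check runs
# offline. On a live host: lint(open("/etc/sudoers").read()) as root.
SUDOERS_SAMPLE = """\
##pri config
senior001 ALL=(OP) GY_CMD_1
manager001 ALL=(ALL) NOPASSWD:ALL
kaifamanager001 ALL=(ALL) NOPASSWD:ALL,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,!/usr/sbin/visudo,!/usr/bin/vi *sudoer*,!/usr/bin/vim,!/bin/su -
"""

# Real locations of binaries named in deny rules. Assumed from what the log on
# this page recorded (COMMAND=/bin/vi ..., COMMAND=/bin/su ...); on a live host
# build this map with `which -a` for each basename.
INSTALLED = {"vi": "/bin/vi", "su": "/bin/su"}

USERSPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z]+):\s*(.*)$")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def split_commands(cmds: str) -> List[Tuple[Set[str], bool, str, str]]:
    """Return (tags, negated, path, args) per command; tags stay in force along the list, as in sudoers."""
    tags: Set[str] = set()
    out = []
    for raw in cmds.split(","):
        raw = raw.strip()
        m = TAG_RE.match(raw)
        while m:                              # NOPASSWD:, PASSWD:, NOEXEC: ...
            tags = tags | {m.group(1)}        # new set, so earlier entries keep their own tags
            raw = m.group(2)
            m = TAG_RE.match(raw)
        negated = raw.startswith("!")
        path, _, args = raw.lstrip("!").partition(" ")
        out.append((tags, negated, path, args.strip()))
    return out

def lint(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, code, detail) for each weakness found in the user specifications."""
    problems = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = USERSPEC_RE.match(line)
        if not m:
            continue
        who = m.group("who")
        cmds = split_commands(m.group("cmds"))
        grants_all = any(not neg and path == "ALL" for _, neg, path, _ in cmds)
        denies = [(path, args) for _, neg, path, args in cmds if neg]
        if grants_all and denies:
            problems.append((who, "exclusions-with-ALL",
                             "'!' rules behind ALL only block a literal path and arguments; "
                             "a copied binary, another editor or any shell bypasses them"))
        if any("NOPASSWD" in tags and not neg and path == "ALL" for tags, neg, path, _ in cmds):
            problems.append((who, "nopasswd-all", "unrestricted root with no password prompt"))
        for path, args in denies:
            real = INSTALLED.get(os.path.basename(path))
            if real and real != path:
                problems.append((who, "deny-path-mismatch",
                                 "%s is denied but the binary sudo will actually run is %s" % (path, real)))
            if args and not any(c in args for c in "*?["):
                problems.append((who, "deny-exact-args",
                                 "'!%s %s' matches only that exact argument string; "
                                 "any other arguments are still allowed" % (path, args)))
    return problems

if __name__ == "__main__":
    for who, code, detail in lint(SUDOERS_SAMPLE):
        print("%-16s %-20s %s" % (who, code, detail))
```

Run against the sample it flags kaifamanager001 on all four counts and manager001 for NOPASSWD:ALL; senior001, who only gets a command alias, is clean. The path check is only as good as the INSTALLED map, so on a real host populate it from the filesystem rather than from guesses.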
View as root (the log is mode 600, so only root can read it):
[root@oldboy ~]# ls -l /var/log/sudo.log
-rw------- 1 root root 1259 Jan 28 12:47 /var/log/sudo.log
[root@oldboy ~]# cat /var/log/sudo.log
Jan 28 12:33:10 : oldboy : TTY=pts/1 ; PWD=/home/oldboy ; USER=root ;
    COMMAND=/bin/su -
Jan 28 12:33:21 : chuji001 : TTY=pts/1 ; PWD=/home/chuji001 ; USER=root ;
    COMMAND=list
Jan 28 12:34:09 : chuji001 : command not allowed ; TTY=pts/1 ;
    PWD=/home/chuji001 ; USER=root ; COMMAND=/usr/sbin/useradd aaaa
Jan 28 12:39:36 : kaifamanager001 : TTY=pts/1 ; PWD=/home/kaifamanager001 ;
    USER=root ; COMMAND=list
Jan 28 12:40:29 : oldboy : TTY=pts/2 ; PWD=/home/oldboy ; USER=root ;
    COMMAND=/bin/su -
Jan 28 12:40:53 : kaifamanager001 : TTY=pts/1 ; PWD=/home/kaifamanager001 ;
    USER=root ; COMMAND=list
Jan 28 12:41:07 : kaifamanager001 : command not allowed ; TTY=pts/1 ;
    PWD=/home/kaifamanager001 ; USER=root ; COMMAND=/bin/su -
Jan 28 12:46:09 : kaifamanager001 : TTY=pts/1 ; PWD=/home/kaifamanager001 ;
    USER=root ; COMMAND=/bin/vi /etc/sudoers
Jan 28 12:47:32 : kaifamanager001 : TTY=pts/1 ; PWD=/home/kaifamanager001 ;
    USER=root ; COMMAND=/bin/grep NOPASSWD:ALL /etc/sudoers
Jan 28 12:47:41 : kaifamanager001 : TTY=pts/1 ; PWD=/home/kaifamanager001 ;
    USER=root ; COMMAND=/bin/su - root
The audit trail does its job: the edit of /etc/sudoers and the root shell are both recorded, with the invoking user, the terminal and the time. What the log cannot do is prevent them, and a user who has reached a root shell can also edit or truncate this file; that is the reason for shipping it off the host, below.
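An added example, not from the original page: a small Python parser and triage pass over sudo.log records in the format shown above. The sample records are constructed to mirror the events in this walkthrough; the assumption that a wrapped record continues on a line beginning with spaces follows sudo's own logfile wrapping. The classification rules (denied, sudoers edit, root shell, editor run as root) are mine, not something sudo provides.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of a "Defaults logfile=" file, mirroring the events recorded
# in the walkthrough above. The third record imitates sudo's own line wrapping,
# where a continuation line begins with four spaces (an assumption about the
# on-disk format, made so the parser copes with it).
SAMPLE_LOG = """\
Jan 28 12:33:10 : oldboy : TTY=pts/1 ; PWD=/home/oldboy ; USER=root ; COMMAND=/bin/su -
Jan 28 12:33:21 : chuji001 : TTY=pts/1 ; PWD=/home/chuji001 ; USER=root ; COMMAND=list
Jan 28 12:34:09 : chuji001 : command not allowed ; TTY=pts/1 ;
    PWD=/home/chuji001 ; USER=root ; COMMAND=/usr/sbin/useradd aaaa
Jan 28 12:41:07 : kaifamanager001 : command not allowed ; TTY=pts/1 ; PWD=/home/kaifamanager001 ; USER=root ; COMMAND=/bin/su -
Jan 28 12:46:09 : kaifamanager001 : TTY=pts/1 ; PWD=/home/kaifamanager001 ; USER=root ; COMMAND=/bin/vi /etc/sudoers
Jan 28 12:47:41 : kaifamanager001 : TTY=pts/1 ; PWD=/home/kaifamanager001 ; USER=root ; COMMAND=/bin/su - root
"""

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) : (?P<user>\S+) : (?P<rest>.*)$"
)

@dataclass
class SudoEntry:
    ts: str
    user: str                  # invoking user
    status: Optional[str]      # free text such as "command not allowed"; None when allowed
    fields: Dict[str, str]     # TTY, PWD, USER (target user), COMMAND

    @property
    def allowed(self) -> bool:
        return self.status is None

    @property
    def command(self) -> str:
        return self.fields.get("COMMAND", "")

def join_wrapped(text: str) -> List[str]:
    """Re-join wrapped records: a line that starts with whitespace continues the previous one."""
    out: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def parse_entry(line: str) -> SudoEntry:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a sudo logfile record: %r" % line)
    # COMMAND is always the last field and may itself contain ';', so cut it off first.
    head, sep, command = m.group("rest").partition("COMMAND=")
    status: Optional[str] = None
    fields: Dict[str, str] = {}
    for part in (p.strip() for p in head.split(";")):
        if not part:
            continue
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip()] = v.strip()
        else:
            status = part                     # e.g. "command not allowed"
    if sep:
        fields["COMMAND"] = command.strip()
    return SudoEntry(m.group("ts"), m.group("user"), status, fields)

def parse_log(text: str) -> List[SudoEntry]:
    return [parse_entry(line) for line in join_wrapped(text)]

ROOT_SHELLS = {"su", "sh", "bash", "dash", "ksh", "zsh"}
EDITORS = {"vi", "vim", "view"}   # an editor run as root can spawn a shell (vi's :!sh)

def findings(entries: List[SudoEntry]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, user, kind, command) for the records an auditor should read first."""
    alerts = []
    for e in entries:
        argv = e.command.split()
        prog = os.path.basename(argv[0]) if argv else ""
        if not e.allowed:
            kind = "denied"
        elif any("sudoers" in a for a in argv[1:]):
            kind = "sudoers-edit"             # policy tampering, whatever the tool
        elif prog in ROOT_SHELLS:
            kind = "root-shell"               # later commands leave no sudo trace
        elif prog in EDITORS:
            kind = "editor-as-root"
        else:
            continue
        alerts.append((e.ts, e.user, kind, e.command))
    return alerts

if __name__ == "__main__":
    for ts, user, kind, cmd in findings(parse_log(SAMPLE_LOG)):
        print("%s  %-16s %-14s %s" % (ts, user, kind, cmd))
```

Feed it the real file with parse_log(open("/var/log/sudo.log").read()) as root. The denied records are the noise-free signal for users probing beyond their policy; the sudoers-edit and root-shell kinds are the two events from this walkthrough that should page someone, because after either one the log no longer shows what the user did.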
Centralized log management (for reference):
1) rsync + inotify, or a cron job + rsync, pushing the file to a log management server, one file per host and day, e.g. 10.0.0.7 -> 20130302.sudo.log
2) Let the rsyslog service forward it
[root@mysql-a ~]# echo "10.0.2.164 logserver" >> /etc/hosts
#address of the log server
[root@mysql-a ~]# echo "*.info @logserver" >> /etc/rsyslog.conf //forwards every message of priority info and above; a single @ sends over UDP, @@ over TCP
3) Dedicated log collection solutions
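A configuration example added here for item 2 above (not part of the original page), showing both ends of the rsyslog forwarding. The host name logserver, the local2 facility and the directory under /var/log/remote are assumptions; the per-host, per-day file naming follows the scheme in item 1.

```conf
#### audited host: /etc/sudoers (edit with visudo)
# "Defaults logfile=" alone never reaches rsyslog: sudo writes that file itself.
# To forward, sudo must also emit syslog messages; sending them to local2 keeps
# them apart from the rest of authpriv. Keep logfile= for the local copy.
Defaults logfile=/var/log/sudo.log
Defaults syslog=local2

#### audited host: /etc/rsyslog.conf
# Forward only; do not also write local2 to /var/log/sudo.log here, or every
# command appears twice in that file (once from sudo, once from rsyslog).
# @@ is TCP; a single @ is UDP with no delivery guarantee.
local2.*    @@logserver:514

#### log server (10.0.2.164): /etc/rsyslog.conf
$ModLoad imtcp
$InputTCPServerRun 514
# one file per sending host and day, as in the 10.0.0.7 -> 20130302.sudo.log scheme
$template SudoByHost,"/var/log/remote/%HOSTNAME%/%$YEAR%%$MONTH%%$DAY%.sudo.log"
local2.*    ?SudoByHost
```

Restart rsyslog on both hosts after the change, then run a sudo command on the audited host and confirm the record appears under /var/log/remote on the server. The copy on the log server is the one that survives a user reaching a root shell on the audited host; restrict access to that server accordingly.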