Enterprise Audit Shell安装(EAS - linux审计工具)

Enterprise Audit Shell安装(EAS - linux审计工具)

    EAS是一个CS架构的审计软件,可以对用户的登录SESSION进行监控,并replay用户执行过的命令。,资料实在太少了,06年就停止更新的东西,不过还有很多公司在用,不支持sz rs,如果有这个需求的,要有二次开发的准备,或者放弃使用。

EAS分为EASD服务端和EASH客户端。

1、安装openssl

[root@localhost ~]# yum install openssl

2、安装EAS

http://pan.baidu.com/s/1pJ4Rrth    #没有VPS,我把安装包放在百度网盘,我只能帮你们到这了。。

[root@localhost ~]# tar xvf eas-2.0.00.tar.bz2

[root@localhost ~]# cd eas-2.0.00

[root@localhost ~]#./configure --prefix=/usr/local/eas

[root@localhost ~]# make

[root@localhost ~]# make install

安装后,会生成/usr/local/eas目录,包含bin(客户端)和sbin(服务端)目录包含可执行命令

并生成/etc/eas目录.

[root@localhost ~]# vi /etc/profile

PATH=$PATH:/usr/local/eas/bin:/usr/local/eas/sbin

 #把eas的执行路径加到系统的搜索路径里

2、服务端配置

[root@localhost ~]# vim /etc/eas/easd_config

Port 5554  #服务监听端口

SessionDirectory /var/log/easd    #Session存放目录

IdleTimeout 7200    #最大空闲时间

#Sync _IONBF    #缓存级别,Sync_IOFBF可缓存用户当前session(用户在线时也可以对用户进行监控和replay).对性能有影响。

User 0    #运行easd守护进程的用户,user 0代表启动easd服务的用户

LogLevel INFO    #日志级别

Method SSLv3    #客户端和SERVER段连接方式

PrivateKey /etc/eas/certs/server.pem    #Server端证书

CertificateAuthority/etc/eas/certs/root.pem    #Root证书

3、客户端文件配置

[root@localhost ~]# vim /etc/eas/eash_config

Port 5554    #连接服务端端口

LogServer localhost   # 配置easd服务端ip地址

DefaultShell /bin/bash    #eash调用的系统shell

客户端需要注意的配置已经列出,其他配置和服务端配置文件相同含义。

4、生成证书

eash和easd使用ssl加密传输,需要在client和server生成证书。Eas自带证书生成工具

[root@localhost eas-2.0.00]# cd eas-2.0.00

[root@localhost eas-2.0.00]# tar xvfeas-mkcerts.tar

[root@localhost eas-2.0.00]# cd certs/

[root@localhost certs]# cp mkcertsmkcerts.bak

[root@localhostcerts]# vim mkcerts

以下是mkcert文件内容 标下划线四处位置需要注意,将默认的root.cnf改为对应的cnf

----------------------------------------------------------------------

#!/bin/bash

OPENSSL=/usr/local/openssl/bin/openssl                          #这里改成你openssl的路径

# Remove old files.

rm -f index.txt*

rm -f serial*

rm -f *.pem

rm -f *.key

rm -rf CA

 

# Create new CA directory

mkdir CA

mkdir CA/private

mkdir CA/certs

 

# Create the necesary files

touch CA/index.txt

echo 01 > CA/serial

 

# Do the work

cat banners/1 && $OPENSSL req-newkey rsa:1024 -keyout CA/private/cakey.pem -out CA/careq.pem -configconf/root.cnf

cat banners/2 && $OPENSSL ca-config conf/root.cnf -out root.pem -days 1095 -batch -keyfileCA/private/cakey.pem -selfsign -infiles CA/careq.pem

 

cat banners/3 && $OPENSSL req-newkey rsa:1024 -config conf/client.cnf -keyout client.pem -out newreq.pem-days 365

cat banners/4 && $OPENSSL ca  -config conf/client.cnf -batch -outnewcert.pem -infiles newreq.pem

cat banners/5 && $OPENSSL rsa <client.pem > client.key

cat client.key newcert.pem > client.pem

rm -f client.key

rm -f newcert.pem

rm -f newreq.pem

 

cat banners/6 && $OPENSSL req-newkey rsa:1024 -config conf/server.cnf -keyout server.pem -out newreq.pem-days 365

cat banners/7 && $OPENSSL ca  -config conf/server.cnf -batch -outnewcert.pem -infiles newreq.pem

cat banners/5 && $OPENSSL rsa <server.pem > server.key

cat server.key newcert.pem > server.pem

rm -f server.key

rm -f newcert.pem

rm -f newreq.pem

----------------------------------------------------------------------

[root@localhost certs]# ./mkcerts

输入自定义密码,一路回车。

[root@localhost certs]# cp root.pem/etc/eas/certs/

[root@localhost certs]# cp server.pem /etc/eas/certs/

#把server.pem和root.pem复制到server服务器/etc/eas/certs目录下,该路径在easd_config配置文件中指定。

[root@localhost certs]# scp /usr/src/redhat/SOURCES/eas-2.0.00/certs/client.pem 192.168.1.236: /etc/eas/certs/

[root@localhost certs]# scp /usr/src/redhat/SOURCES/eas-2.0.00/certs/root.pem 192.168.1.236: /etc/eas/certs/

#把client.pem和root.pem复制到客户端服务器/etc/eas/certs目录下,该路径在eash_config文件中指定。

5、启动,停止easd

[root@localhost certs]#/usr/local/eas/sbin/easd                             #启动

[root@localhost certs]# kill `cat/var/run/easd.pid`                          #停止

6、客户端配置

客户端使用eash有多种方法:

[root@localhost certs]# SHELL=/bin/basheash       

[root@localhost certs]# echo"SHELL=/bin/bash eash" >> /root/.bashrc

#可以让用户登录自动执行该命令。也可以:

[root@localhost certs]# vi/etc/passwd

在passwd中修改用户的登录shell为eash。

7、监控、回放

REPLAY

    [root@localhostcerts]# eas_replay    #查看所有客户端的登录SESSION  

[root@localhostcerts]# eas_replay -n 27    #查看ID27这个SESSION所有执行过的命令

8、Sqlite DB

Eas使用sqlite数据库存储session信息,用二进制文件存储用户输入输出数据

[root@ldap1 ~]# [root@localhost easd]# ls

127.0.0.1 192.168.1.235  192.168.1.236  db    #以IP命名的目录

 数据库常用功能

sqlite3 /var/log/easd/db

.databases             List names and files of attacheddatabases

.dump ?TABLE? ...      Dump the database in an SQL text format

.echo ON|OFF           Turn command echo on or off

.exit                  Exit this program

.explain ON|OFF        Turn output mode suitable for EXPLAINon or off.

.header(s) ON|OFF      Turn display of headers on or off

.help                  Show this message

.import FILE TABLE     Import data from FILE into TABLE

.indices TABLE         Show names of all indices on TABLE

.mode MODE ?TABLE?     Set output mode where MODE is one of:

                         csv      Comma-separated values

                         column   Left-aligned columns.  (See .width)

                         html     HTML <table> code

                         insert   SQL insert statements for TABLE

                         line     One value per line

                         list     Values delimited by .separator string

                         tabs     Tab-separated values

                         tcl      TCL list elements

.nullvalue STRING      Print STRING in place of NULL values

.output FILENAME       Send output to FILENAME

.output stdout         Send output to the screen

.prompt MAIN CONTINUE  Replace the standard prompts

.quit                  Exit this program

.read FILENAME         Execute SQL in FILENAME

.schema ?TABLE?        Show the CREATE statements

.separator STRING      Change separator used by output mode and.import

.show                  Show the current values forvarious settings

.tables ?PATTERN?      List names of tables matching a LIKEpattern

.timeout MS            Try opening locked tables for MSmilliseconds

.width NUM NUM ...     Set column widths for "column"mode

 

sqlite> .tables                                       #查询表

USER

sqlite>.schema USER                          #查询表结构

 

sqlite> sqlite> select * from USERwhere id =1;

1|0|0|0|0|0|0|56544|5041|root|root|root|root|root|root|/dev/pts/0|127.0.0.1|COMPLETE|SESSION|SSLv3|AES256-SHA|Linux|localhost.localdomain|2.6.18-194.el5|#1SMP Fri Apr 2 14:58:14 EDT 2010|x86_64|/var/log/easd/127.0.0.1/root/root-1|2d9d111c565bd740bf05a06eb5f77fb1a79307d2||null|15221|2012-09-2519:27:19|2012-09-25 19:27:19

9、备份

数据库备份

sqlite3 /var/log/easd/db .dump >/var/log/easd/db.backup

二进制文件备份

mkdir -p /data/backup/sqlite

cd /var/log/easd

find . ! -name db |cpio -pdum  /data/backup/sqlite

10、数据恢复

数据库恢复

kill `cat /var/run/easd.pid`                #停止easd

sqlite3 /var/log/easd/db

sqlite> .read /var/log/easd/db.backup

sqlite> .quit

 二进制文件恢复

cd /data/backup/sqlite 

find . ! -name db | cpio -pdum/var/log/easd

转载请注明出处 www.anquange.com

你可能感兴趣的:(linux,服务端,客户端,监控,审计)