
Linux Log Auditing Project Case Study (a log auditing solution for production environments)


Log auditing means recording information about all system and related user activity, so that it can be analysed, processed and presented automatically (as text or as session recordings).

Recommended method: sudo combined with the syslog service for log auditing (the information captured is limited, but the result is good)

1. Install the sudo command and the syslog service (rsyslog on CentOS 6.4 and later)

[root@nginx_back ~]#rpm -qa "sudo|syslog"  (check whether the sudo and syslog packages are installed)

rsyslog-5.8.10-8.el6.x86_64
sudo-1.8.6p3-15.el6.x86_64
[root@nginx_back ~]#rpm -qa|egrep “sudo|syslog”
rsyslog-5.8.10-8.el6.x86_64
sudo-1.8.6p3-15.el6.x86_64

If they are not installed, install them with yum.

2. Configure /etc/sudoers

Add the line "Defaults    logfile=/var/log/sudo.log" to /etc/sudoers. Note: the quotation marks are not part of the line.

[root@nginx_back ~]#echo "Defaults    logfile=/var/log/sudo.log">>/etc/sudoers

[root@nginx_back ~]#tail /etc/sudoers

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
Defaults    logfile=/var/log/sudo.log

[root@nginx_back ~]#tail -1 /etc/sudoers
Defaults    logfile=/var/log/sudo.log
[root@nginx_back ~]#visudo -c  (check the syntax of the sudoers file)

/etc/sudoers: parsed OK

3. Configure the system log, /etc/syslog.conf

Add the local2.debug entry to /etc/syslog.conf (on CentOS 5.8)

[root@nginx_back ~]#echo "local2.debug  /var/log/sudo.log">>/etc/syslog.conf

[root@nginx_back ~]#tail -1 /etc/syslog.conf

local2.debug  /var/log/sudo.log

Note: on CentOS 6.4 the path is /etc/rsyslog.conf

[root@nginx_back ~]#echo "local2.debug  /var/log/sudo.log">>/etc/rsyslog.conf

[root@nginx_back ~]#tail -1 /etc/rsyslog.conf

local2.debug  /var/log/sudo.log

4. Restart the syslog or rsyslog system logger

/etc/init.d/syslog restart  (CentOS 5.8)

/etc/init.d/rsyslog restart  (CentOS 6.4)

[root@nginx_back ~]#/etc/init.d/rsyslog restart

Shutting down system logger:                          [OK]

Starting system logger:                              [OK]

[root@nginx_back ~]#ll /var/log/sudo.log

-rw------- 1 root root 0 Jun 23 23:17 /var/log/sudo.log

5. Test the result of the sudo log auditing configuration

[root@nginx_back ~]#whoami
root
[root@nginx_back ~]#su - ci001
-bash: warning: setlocale: LC_CTYPE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_COLLATE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_MESSAGES: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_NUMERIC: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory
welcome to oldboy linux training from /etc/profile.d
[ci001@nginx_back ~]$ sudo -l
[sudo] password for ci001:
Sorry, user ci001 may not run sudo on nginx_back.
[ci001@nginx_back ~]$ sudo useradd dddd
[sudo] password for ci001:
ci001 is not in the sudoers file.  This incident will be reported.
[ci001@nginx_back ~]$ logout
[root@nginx_back ~]#ll /var/log/sudo.log
-rw------- 1 root root 232 Jun 23 23:21 /var/log/sudo.log
[root@nginx_back ~]#cat  /var/log/sudo.log
Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
USER=root ; COMMAND=list
Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
USER=root ; COMMAND=/usr/sbin/useradd dddd
[root@nginx_back ~]#su - php001
-bash: warning: setlocale: LC_CTYPE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_COLLATE: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_MESSAGES: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_NUMERIC: cannot change locale (en): No such file or directory
-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory
welcome to oldboy linux training from /etc/profile.d
[php001@nginx_back ~]$ whoami
php001
[php001@nginx_back ~]$ sudo su -
[sudo] password for php001:
Sorry, try again.
[sudo] password for php001:
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ sudo echo "php001 ALL=(ALL) NOPASSWD:ALL">>/etc/sudoers
-bash: /etc/sudoers: Permission denied
[php001@nginx_back ~]$ sudo vi /etc/sudoers
[sudo] password for php001:
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ sudo visudo
[sudo] password for php001:
php001 is not in the sudoers file.  This incident will be reported.
[php001@nginx_back ~]$ logout
[root@nginx_back ~]#cat  /var/log/sudo.log
Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
USER=root ; COMMAND=list
Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
USER=root ; COMMAND=/usr/sbin/useradd dddd
Jun 23 23:26:56 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
USER=root ; COMMAND=/bin/su -
Jun 23 23:28:55 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
USER=root ; COMMAND=/bin/vi /etc/sudoers
Jun 23 23:29:18 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
USER=root ; COMMAND=/usr/sbin/visudo
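A parser for the sudo.log record format shown above, added here as an example (it is not part of the original post): it re-joins records that sudo wrapped over two physical lines, separates the denial reason from the TTY/PWD/USER/COMMAND fields, and returns the refused attempts for alerting. The first three sample records are the page's own; the ops001 record is constructed to show what an allowed command looks like.

```python
import re
from dataclasses import dataclass, field

# Added example, not from the original post. The first three records are copied
# from the page's /var/log/sudo.log listing; the ops001 record is constructed to
# show an allowed command (no reason text before the TTY= field).
SAMPLE_LOG = """\
Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
USER=root ; COMMAND=list
Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
USER=root ; COMMAND=/usr/sbin/useradd dddd
Jun 23 23:26:56 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
USER=root ; COMMAND=/bin/su -
Jun 23 23:30:02 : ops001 : TTY=pts/1 ; PWD=/home/ops001 ; USER=root ; COMMAND=/bin/ls
"""

# A record starts "Mon DD HH:MM:SS : "; any other non-empty line is a wrapped tail.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} : ")

@dataclass
class SudoRecord:
    timestamp: str
    user: str
    reason: str                                 # "" when sudo allowed the command
    fields: dict = field(default_factory=dict)  # TTY, PWD, USER, COMMAND

def join_wrapped(text: str) -> list:
    """Re-join records that sudo wrapped across physical lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def parse_record(line: str) -> SudoRecord:
    timestamp, user, rest = line.split(" : ", 2)
    parts = [p.strip() for p in rest.split(" ; ")]
    reason = "" if "=" in parts[0] else parts.pop(0)    # denial text carries no '='
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    return SudoRecord(timestamp, user, reason, fields)

def denied_attempts(text: str) -> list:
    """Records worth alerting on: callers that sudo refused."""
    return [r for r in map(parse_record, join_wrapped(text)) if r.reason]

if __name__ == "__main__":
    for r in denied_attempts(SAMPLE_LOG):
        print(f"{r.timestamp} {r.user}: {r.reason} -> {r.fields['COMMAND']}")
```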

6. Centralised log management

1) rsync+inotify, or a cron job with rsync, pushing the logs to the log management server under a name such as 10.0.0.7_20120309.sudo.log

2) Let the syslog service handle it

[root@MySQL-A~]#echo "10.0.2.164 logserver">>/etc/hosts

# address of the log server

[root@MySQL-A~]#echo "*.info  @logserver">>/etc/syslog.conf   <<==== forwards all logs of info level and above

3) Log collection solutions: Scribe, Flume, Logstash, Storm


Permanent link to this article: http://www.linuxidc.com/Linux/2015-07/120501.htm

Copyright notice: original article on this site, published by 星锅 on 2022-01-20, 5197 characters in total.
Reproduction notice: unless otherwise stated, articles on this site are published under the CC-4.0 licence; please credit the source when reproducing.