
Log Audit Solution for a Production Environment

Date: 2015-06-11 00:24:56

Tags: solution, audit

Approach: use sudo together with the syslog service to audit commands.

Procedure:

  1. Install the sudo command and the rsyslog service (CentOS 6.4)

    Note: by default, a CentOS 5.8 system already has sudo and the syslog service installed.


    Check whether they are installed:

    [root@oldboy ~]# rpm -qa |egrep "sudo|rsyslog"
    rsyslog-5.8.10-8.el6.i686
    sudo-1.8.6p3-15.el6.i686

    If they are not installed, install them with yum:

    [root@oldboy ~]# yum install sudo rsyslog -y

  2. Configure /etc/sudoers

    [root@oldboy ~]# echo "Defaults       logfile=/var/log/sudo.log">>/etc/sudoers
    [root@oldboy ~]# visudo -c
    visudo: Warning: unused User_Alias CHUJI_KAIFA
    visudo: Warning: unused Cmnd_Alias CK_CMD_1
    /etc/sudoers: parsed OK

  3. Check which commands the user may run

    [root@oldboy ~]# su - chuji1
    [chuji1@oldboy ~]$ sudo -l
    [sudo] password for chuji1: 
    Matching Defaults entries for chuji1 on this host:
        requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
        INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
        LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
        XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log

    User chuji1 may run the following commands on this host:
        (root) /usr/bin/free, /usr/bin/iostat, /usr/bin/top, /bin/hostname, /sbin/ifconfig, /bin/nestat,
        /sbin/route

  4. Run sudo ls

    [chuji1@oldboy ~]$ sudo ls
    Sorry, user chuji1 is not allowed to execute '/bin/ls' as root on oldboy.

  5. Check the log file /var/log/sudo.log

    [chuji1@oldboy ~]$ logout
    [root@oldboy ~]# tail -1 /var/log/sudo.log
        USER=root ; COMMAND=/bin/ls
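A check that naturally follows the five steps above, added here as an example that is not part of the original post: a script that reads the sudo file log produced by `Defaults logfile=/var/log/sudo.log` and lists every attempt that sudo rejected. It assumes the sudo 1.8 file-log format, and the log records it parses are constructed sample data.

```bash
#!/bin/bash
# Added example (not from the original post): parse the sudo file log created by
# "Defaults logfile=/var/log/sudo.log" and report denied sudo attempts.
# Assumes the sudo 1.8 file-log format; the log records below are constructed.

# Constructed sample of /var/log/sudo.log. sudo wraps file-log records at
# loglinelen characters (default 80); continuation lines start with whitespace.
SAMPLE_LOG=$(cat <<'EOF'
Jun 11 00:20:01 : chuji1 : TTY=pts/0 ; PWD=/home/chuji1 ; USER=root ;
    COMMAND=/usr/bin/free
Jun 11 00:20:15 : chuji1 : command not allowed ; TTY=pts/0 ; PWD=/home/chuji1 ;
    USER=root ; COMMAND=/bin/ls
Jun 11 00:21:03 : chuji2 : TTY=pts/1 ; PWD=/home/chuji2 ; USER=root ;
    COMMAND=/sbin/ifconfig
Jun 11 00:22:40 : chuji1 : command not allowed ; TTY=pts/0 ; PWD=/home/chuji1 ;
    USER=root ; COMMAND=/bin/ls /root
EOF
)

# Rejoin wrapped continuation lines so each record is one line (stdin -> stdout).
unwrap_sudo_log() {
    awk '
        /^[[:space:]]/ { sub(/^[[:space:]]+/, " "); buf = buf $0; next }
        buf != "" { print buf }
        { buf = $0 }
        END { if (buf != "") print buf }
    '
}

# Print "user<TAB>command" for every record that sudo marked "command not allowed".
denied_events() {
    unwrap_sudo_log | awk -F ' : ' '
        $3 ~ /^command not allowed/ {
            cmd = $0
            sub(/.*COMMAND=/, "", cmd)
            print $2 "\t" cmd
        }
    '
}

# Number of denied attempts in the constructed sample.
count_denied() {
    printf '%s\n' "$SAMPLE_LOG" | denied_events | wc -l | tr -d ' '
}

# On a real host, replace the sample with: denied_events < /var/log/sudo.log
printf 'denied sudo attempts: %s\n' "$(count_denied)"
printf '%s\n' "$SAMPLE_LOG" | denied_events
```

The same line wrapping is why `tail -1 /var/log/sudo.log` in step 5 shows only the indented tail of the record rather than the timestamp and user; `Defaults loglinelen=0` in sudoers disables wrapping if one record per line is preferred for log collection.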



Original article: http://youngboy.blog.51cto.com/10204563/1660565
