Approach: use sudo together with the syslog service to audit the commands users run.
Specific steps:
1. Install the sudo command and the rsyslog service (CentOS 6.4).
Note: by default, CentOS 5.8 already ships with sudo and syslog installed.
Check whether they are installed as follows:
[root@oldboy ~]# rpm -qa |egrep "sudo|rsyslog"
rsyslog-5.8.10-8.el6.i686
sudo-1.8.6p3-15.el6.i686
If they are missing, install them with yum:
[root@oldboy ~]# yum install sudo rsyslog -y
2. Configure /etc/sudoers
[root@oldboy ~]# echo "Defaults logfile=/var/log/sudo.log">>/etc/sudoers
Appending with echo bypasses the locking and syntax check that visudo performs, so verify the file immediately afterward: a syntax error in sudoers makes sudo refuse to run at all, for root included. Editing with visudo directly is the safer choice. Note also that the logfile option makes sudo write straight to the named file; independently of it, sudo still sends every entry to syslog (facility authpriv by default), which rsyslog on CentOS routes to /var/log/secure.
[root@oldboy ~]# visudo -c
visudo: Warning: unused User_Alias CHUJI_KAIFA
visudo: Warning: unused Cmnd_Alias CK_CMD_1
/etc/sudoers: parsed OK
3. Check which commands the user may run
[root@oldboy ~]# su - chuji1
[chuji1@oldboy ~]$ sudo -l
[sudo] password for chuji1:
Matching Defaults entries for chuji1 on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log
User chuji1 may run the following commands on this host:
(root) /usr/bin/free, /usr/bin/iostat, /usr/bin/top, /bin/hostname, /sbin/ifconfig, /bin/nestat,
/sbin/route
sudo -l prints exactly what sudoers grants, which is where mistakes in the rule show up: /bin/nestat above looks like a typo for /bin/netstat, and since that path does not exist the user cannot actually run netstat through sudo.
4. Run sudo ls
[chuji1@oldboy ~]$ sudo ls
Sorry, user chuji1 is not allowed to execute '/bin/ls' as root on oldboy.
5. Check the log file /var/log/sudo.log
[chuji1@oldboy ~]$ logout
[root@oldboy ~]# tail -1 /var/log/sudo.log
USER=root ; COMMAND=/bin/ls
Only the end of the record is shown here because sudo wraps logfile entries at 80 columns (the loglinelen option) and indents the continuation line. Use tail -2, or set Defaults loglinelen=0 to disable wrapping, to see the whole record: timestamp, invoking user, the "command not allowed" status, TTY, working directory, target user and command.
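The five steps above produce a log file; the part a security engineer then needs is to read it back reliably, because the wrapped entries defeat a naive grep. The following is an added example, not code from the original post: it folds sudo's indented continuation lines back into one record each and lists the records sudo refused (a command outside the grant, or repeated wrong passwords). The log lines are constructed in the /var/log/sudo.log format for the chuji1 user shown above and are not real data; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: join sudo's wrapped logfile
# entries back into one record each and pick out the ones sudo refused,
# which is what an auditor reading /var/log/sudo.log actually wants.
# The log lines below are constructed in the /var/log/sudo.log format
# (date : user : status ; TTY= ; PWD= ; USER= ; COMMAND=); not real data.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Nov 29 10:25:47 : chuji1 : command not allowed ; TTY=pts/0 ; PWD=/home/chuji1 ;
    USER=root ; COMMAND=/bin/ls
Nov 29 10:26:01 : chuji1 : TTY=pts/0 ; PWD=/home/chuji1 ; USER=root ;
    COMMAND=/usr/bin/free
Nov 29 10:27:13 : chuji1 : 3 incorrect password attempts ; TTY=pts/0 ;
    PWD=/home/chuji1 ; USER=root ; COMMAND=/sbin/route
EOF

# sudo wraps long entries at loglinelen (80 columns) and indents the
# continuation; fold every indented line back onto the record before it.
sudo_log_join() {
    awk '
        /^[[:space:]]/ { sub(/^[[:space:]]+/, " "); printf "%s", $0; next }
        NR > 1         { print "" }
                       { printf "%s", $0 }
        END            { if (NR > 0) print "" }
    ' "$1"
}

# Records where sudo refused: a command outside the sudoers grant, or
# repeated wrong passwords (a brute-force indicator).
sudo_log_denied() {
    sudo_log_join "$1" | grep -E 'command not allowed|incorrect password attempts'
}

# Count of refused records, e.g. for a threshold alert.
sudo_log_denied_count() {
    sudo_log_denied "$1" | wc -l | tr -d ' '
}

# "<user> <command>" per refused record: fields are separated by " : ",
# so $2 is the invoking user, and COMMAND= is always the last token.
sudo_log_denied_summary() {
    sudo_log_denied "$1" | awk -F' : ' '{
        cmd = $0; sub(/.*COMMAND=/, "", cmd); print $2, cmd
    }'
}

# Stand-alone usage; on a real host point the functions at the real file,
# e.g. sudo_log_denied_summary /var/log/sudo.log
sudo_log_denied_summary "$SAMPLE_LOG"
```

On the sample input the summary prints two lines, chuji1 /bin/ls and chuji1 /sbin/route, and skips the permitted free invocation. The join step is what makes the grep trustworthy: without it, a COMMAND= that landed on a continuation line would never be seen next to the "command not allowed" status on the line before it.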