Linux log audit project case study (a log audit solution for production environments)

Log auditing means recording what the system and its users do, and being able to analyse, process and present those records automatically (as text, or as recorded sessions).

Recommended approach: sudo combined with the syslog service. It records every sudo invocation, accepted or refused, rather than whole terminal sessions, so the volume of data is small but the result is effective.

1. Install the sudo command and the syslog service (CentOS 6 and later ship rsyslog instead of the classic syslog package)

Check whether sudo and (r)syslog are already installed. Note that rpm -qa takes shell-style glob patterns, not regular expressions, so rpm -qa "sudo|syslog" matches nothing; pipe the full package list through egrep instead:

[root@nginx_back ~]# rpm -qa | egrep "sudo|syslog"

rsyslog-5.8.10-8.el6.x86_64

sudo-1.8.6p3-15.el6.x86_64

If either package is missing, install it with yum.

2. Configure /etc/sudoers

Add the line "Defaults    logfile=/var/log/sudo.log" to /etc/sudoers (without the quotes). With this setting sudo itself writes every invocation, accepted or refused, to that file; sudo opens and writes the file directly, it does not pass through syslog. The article appends the line with echo and then validates the file; in production prefer visudo, or a drop-in under /etc/sudoers.d (a file name without a dot, mode 0440), because a syntax error in /etc/sudoers disables sudo for every user until root repairs it.

[root@nginx_back ~]# echo "Defaults    logfile=/var/log/sudo.log">>/etc/sudoers

[root@nginx_back ~]# tail /etc/sudoers

## Allows members of the users group to mount and unmount the

## cdrom as root

# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system

# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)

#includedir /etc/sudoers.d

Defaults    logfile=/var/log/sudo.log

[root@nginx_back ~]# tail -1 /etc/sudoers

Defaults    logfile=/var/log/sudo.log

[root@nginx_back ~]# visudo -c    # check the sudoers file for syntax errors

/etc/sudoers: parsed OK

3. Configure the system logger, /etc/syslog.conf

Add a local2.debug rule to /etc/syslog.conf (CentOS 5.8). The selector local2.debug matches every message arriving on facility local2 at priority debug or above, i.e. everything on local2. Caveat: sudo does not use local2 unless told to. Its default syslog facility on Red Hat builds is authpriv, so its syslog messages land in /var/log/secure and this rule never fires. If the syslog path is wanted (for example to forward sudo events to a central server in step 6), also add "Defaults    syslog=local2" to sudoers, and then point this rule at a different file than the logfile= setting, otherwise sudo and rsyslog write two different formats into the same file. The logfile= setting from step 2 works regardless, because sudo writes that file itself.

[root@nginx_back ~]# echo "local2.debug   /var/log/sudo.log">>/etc/syslog.conf

[root@nginx_back ~]# tail -1 /etc/syslog.conf

local2.debug   /var/log/sudo.log

Note: on CentOS 6.4 the file is /etc/rsyslog.conf

[root@nginx_back ~]# echo "local2.debug   /var/log/sudo.log">>/etc/rsyslog.conf

[root@nginx_back ~]# tail -1 /etc/rsyslog.conf

local2.debug   /var/log/sudo.log

4. Restart the system logger (syslog on CentOS 5.8, rsyslog on CentOS 6.4) so it rereads its configuration

/etc/init.d/syslog restart    (CentOS 5.8)

/etc/init.d/rsyslog restart   (CentOS 6.4)

[root@nginx_back ~]# /etc/init.d/rsyslog restart

Shutting down system logger:                          [  OK  ]

Starting system logger:                               [  OK  ]

[root@nginx_back ~]# ll /var/log/sudo.log

-rw------- 1 root root 0 Jun 23 23:17 /var/log/sudo.log

5. Test the sudo audit configuration

Switch to an ordinary user who has no sudo rules and try a few things:

[root@nginx_back ~]# whoami

root

[root@nginx_back ~]# su - ci001

-bash: warning: setlocale: LC_CTYPE: cannot change locale (en): No such file or directory

-bash: warning: setlocale: LC_COLLATE: cannot change locale (en): No such file or directory

-bash: warning: setlocale: LC_MESSAGES: cannot change locale (en): No such file or directory

-bash: warning: setlocale: LC_NUMERIC: cannot change locale (en): No such file or directory

-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory

welcome to oldboy linux training from /etc/profile.d

[ci001@nginx_back ~]$ sudo -l

[sudo] password for ci001:

Sorry, user ci001 may not run sudo on nginx_back.

[ci001@nginx_back ~]$ sudo useradd dddd

[sudo] password for ci001:

ci001 is not in the sudoers file.  This incident will be reported.

[ci001@nginx_back ~]$ logout

[root@nginx_back ~]# ll /var/log/sudo.log

-rw------- 1 root root 232 Jun 23 23:21 /var/log/sudo.log

[root@nginx_back ~]# cat  /var/log/sudo.log

Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;

USER=root ; COMMAND=list

Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;

USER=root ; COMMAND=/usr/sbin/useradd dddd

Both refusals were recorded: "command not allowed" with COMMAND=list is the sudo -l listing, "user NOT in sudoers" is the useradd attempt. Each record is a single entry that sudo wrapped at 80 columns (the continuation line is indented in the real file); set "Defaults    loglinelen=0" if a script will parse the file, so that every entry stays on one line. An accepted command is logged in the same form without the reason text, e.g. "... : user : TTY=pts/0 ; PWD=... ; USER=root ; COMMAND=...". The "This incident will be reported" message means sudo also mails the event to root (Defaults mailto), which is independent of the file log.

[root@nginx_back ~]# su - php001

-bash: warning: setlocale: LC_CTYPE: cannot change locale (en): No such file or directory

-bash: warning: setlocale: LC_COLLATE: cannot change locale (en): No such file or directory

-bash: warning: setlocale: LC_MESSAGES: cannot change locale (en): No such file or directory

-bash: warning: setlocale: LC_NUMERIC: cannot change locale (en): No such file or directory

-bash: warning: setlocale: LC_TIME: cannot change locale (en): No such file or directory

welcome to oldboy linux training from /etc/profile.d

[php001@nginx_back ~]$ whoami

php001

[php001@nginx_back ~]$ sudo su -

[sudo] password for php001:

Sorry, try again.

[sudo] password for php001:

php001 is not in the sudoers file.  This incident will be reported.

[php001@nginx_back ~]$ sudo echo "php001 ALL=(ALL) NOPASSWD:ALL">>/etc/sudoers

-bash: /etc/sudoers: Permission denied

The "Permission denied" here comes from bash, not from sudo: the shell opens /etc/sudoers for the redirection as php001 before sudo is ever executed, so this attempt leaves no trace in sudo.log. Only commands that actually reach sudo are audited; a user who escalates through some other path (a SUID binary, a world-writable script run from root's cron) does not appear in this log either.

[php001@nginx_back ~]$ sudo vi /etc/sudoers

[sudo] password for php001:

php001 is not in the sudoers file.  This incident will be reported.

[php001@nginx_back ~]$ sudo visudo

[sudo] password for php001:

php001 is not in the sudoers file.  This incident will be reported.

[php001@nginx_back ~]$ logout

[root@nginx_back ~]# cat  /var/log/sudo.log

Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;

USER=root ; COMMAND=list

Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;

USER=root ; COMMAND=/usr/sbin/useradd dddd

Jun 23 23:26:56 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;

USER=root ; COMMAND=/bin/su -

Jun 23 23:28:55 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;

USER=root ; COMMAND=/bin/vi /etc/sudoers

Jun 23 23:29:18 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;

USER=root ; COMMAND=/usr/sbin/visudo
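The entries above are what a detection rule has to read. As an added example that is not part of the article, the following POSIX shell/awk filter re-joins the entries that sudo wrapped at 80 columns and extracts the refused attempts, then counts them per user, which is the figure to alert on. The sample log is constructed in the format shown above; the accepted-command entry for the user oldboy and the four-space indentation of continuation lines are assumptions about sudo's file-log format, and oldboy exists only in the sample.

```sh
#!/bin/sh
# Added example: pull refused sudo attempts out of the file log written by
# "Defaults logfile=/var/log/sudo.log". Constructed sample data, not the
# article's log. Assumes sudo's wrapped continuation lines start with
# whitespace (sudo indents them four spaces) and that an entry looks like
#   <date> : <user> : [<reason> ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..
# where <reason> is present only when sudo refused the command.

# Three refusals (as in the article's test session) and one accepted
# command, which carries no reason field.
SAMPLE_LOG='Jun 23 23:20:44 : ci001 : command not allowed ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=list
Jun 23 23:21:17 : ci001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ci001 ;
    USER=root ; COMMAND=/usr/sbin/useradd dddd
Jun 23 23:26:56 : php001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/php001 ;
    USER=root ; COMMAND=/bin/su -
Jun 23 23:31:09 : oldboy : TTY=pts/1 ; PWD=/home/oldboy ; USER=root ;
    COMMAND=/bin/cat /etc/shadow'

# Re-join entries that sudo wrapped at 80 columns (Defaults loglinelen).
# Reads the log on stdin, emits one entry per line.
unwrap_sudo_log() {
    awk '
        /^[ \t]/ { sub(/^[ \t]+/, ""); entry = entry " " $0; next }
        { if (entry != "") print entry; entry = $0 }
        END { if (entry != "") print entry }
    '
}

# Print only refused invocations as: date<TAB>user<TAB>reason<TAB>command.
# A refusal is recognised by reason text sitting where an accepted entry
# has "TTY=".
denied_attempts() {
    unwrap_sudo_log | awk -F' : ' '
        NF >= 3 && $3 !~ /^TTY=/ {
            split($3, part, " ; ")               # part[1] is the reason
            cmd = $0; sub(/.*COMMAND=/, "", cmd)
            printf "%s\t%s\t%s\t%s\n", $1, $2, part[1], cmd
        }
    '
}

# Refusals per user, sorted by name: the number a SOC thresholds on.
denied_per_user() {
    denied_attempts | awk -F'\t' '{ n[$2]++ } END { for (u in n) print u, n[u] }' | sort
}

# Run against the embedded sample; for the real file use:
#   denied_attempts < /var/log/sudo.log
printf '%s\n' "$SAMPLE_LOG" | denied_per_user
```

With "Defaults loglinelen=0" in sudoers the unwrap step becomes a no-op, but keeping it makes the filter safe to run over older, wrapped logs as well.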

6. Centralising the logs

1) rsync with inotify, or a cron job plus rsync, pushing /var/log/sudo.log to a log management server, with each copy named per host and date, e.g. 10.0.0.7_20120309.sudo.log. Because sudo writes the logfile= file directly to disk, copying the file is the only way to ship that particular file; syslog forwarding (below) carries only what sudo emits through syslog.

2) Let the syslog service forward the events. On each client, give the log server a name and add a forwarding rule:

# echo "10.0.2.164 logserver">>/etc/hosts

(10.0.2.164 is the address of the log server)

# echo "*.info  @logserver">>/etc/syslog.conf     <<==== forwards every message of priority info and above; suitable when all logs should leave the host

A single @ sends over UDP to port 514, so the log server must be configured to listen there, and UDP gives no delivery guarantee; with rsyslog, @@logserver uses TCP instead. To forward only sudo events, combine "Defaults    syslog=local2" in sudoers with a "local2.*  @@logserver" rule.

3) Log collection stacks: scribe, Flume, logstash, Storm
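The settings from steps 2 to 4 and the forwarding from step 6 fit together in one deployment script. The following is an added example, not code from the article: it writes a sudoers drop-in (file log, one entry per line, syslog on local2), a client-side rsyslog forwarding rule and the matching receiver configuration for the log server, into a target tree given as the first argument so it can be dry-run into a scratch directory before touching the real system. It assumes sudo 1.8, rsyslog 5 legacy configuration syntax as on CentOS 6 (whose rsyslog.conf includes /etc/rsyslog.d/*.conf), and a log server resolvable as "logserver", the name the article puts in /etc/hosts; the file names audit, 10-sudo-audit.conf and 00-remote-sudo.conf are choices made here.

```sh
#!/bin/sh
# Added example (not from the article): deploy the sudo audit configuration
# from steps 2-4 together with the step-6 forwarding. $1 is a target root
# for a dry run; with no argument the real /etc is written.
# Assumes sudo 1.8 and rsyslog 5 legacy syntax (CentOS 6) and a log server
# resolvable as "logserver".

write_sudo_audit_config() {
    root="${1:-}"                      # empty means the real filesystem
    mkdir -p "$root/etc/sudoers.d" "$root/etc/rsyslog.d"

    # A drop-in instead of appending to /etc/sudoers. sudo ignores files in
    # sudoers.d whose name contains "." or ends in "~", so keep the name plain.
    drop="$root/etc/sudoers.d/audit"
    cat > "$drop" <<'EOF'
# sudo writes this file itself (root:root 0600); it does not pass through syslog
Defaults    logfile=/var/log/sudo.log
# one entry per line instead of wrapping at 80 columns, for log parsers
Defaults    loglinelen=0
# also send each attempt to syslog on local2; without this sudo uses authpriv
# and a "local2.*" rule in rsyslog never matches
Defaults    syslog=local2
EOF
    chmod 0440 "$drop"
    # Never ship a drop-in sudo would reject: a syntax error there breaks sudo
    # for everyone. visudo -c may also check owner and mode, so the check is
    # only meaningful when running as root.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$drop" >/dev/null || { rm -f "$drop"; return 1; }
    fi

    # Client side of step 6: forward what sudo logs on local2. "@@" is TCP;
    # the article's single "@" is UDP 514, which drops silently under load.
    cat > "$root/etc/rsyslog.d/10-sudo-audit.conf" <<'EOF'
local2.*    @@logserver:514
EOF
}

write_logserver_config() {
    root="${1:-}"
    mkdir -p "$root/etc/rsyslog.d"
    # Receiver: listen on 514/tcp and 514/udp, file each host's sudo events
    # under /var/log/remote/<host>/sudo.log, then discard them so they do not
    # also land in the server's own /var/log/messages ("& ~" is the legacy
    # spelling of "& stop").
    cat > "$root/etc/rsyslog.d/00-remote-sudo.conf" <<'EOF'
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$template SudoPerHost,"/var/log/remote/%HOSTNAME%/sudo.log"
local2.*    ?SudoPerHost
& ~
EOF
}

# Dry run into a scratch tree and inspect before touching the real system:
#   write_sudo_audit_config /tmp/audit-dryrun && find /tmp/audit-dryrun -type f
# For real, as root:  write_sudo_audit_config && service rsyslog restart
# On the log server:  write_logserver_config && service rsyslog restart
```

The per-host template on the server keeps one file per sending host, which is what the rsync naming scheme in option 1 was trying to achieve by hand; sudo's own /var/log/sudo.log stays on each client as the local copy, and the server needs the same logrotate treatment as any other growing log.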

Date: 2024-11-02 23:24:08
