1.创建用户
[root@greymouster ~]# for user in chuji001 chuji002 chuji003 net001 senior001 manager001
> do
> useradd $user
> echo "111111"|passwd --stdin $user
> done
注意：这里所有账号共用固定口令 111111，只适合实验环境；生产环境应为每个账号设置不同的初始口令，并用 `chage -d 0 用户名` 强制首次登录时修改。
2.创建5个开发人员属于phpers 和一个开发经理
[root@greymouster ~]# groupadd -g 999 phpers
[root@greymouster ~]# for n in `seq 5`
> do
> useradd -g phpers php00$n
> echo "111111" |passwd --stdin php00$n
> done
[root@greymouster ~]# for user in kaifamanager001 seniorphpers
> do
> useradd $user
> echo "111111"|passwd --stdin $user
> done
3.给用户添加权限
[root@greymouster ~]# visudo #在末尾处添加如下:
##Cmnd_Alias by greymouster##2017
# NOTE(review): as printed, the wrapped aliases below (CY_CMD_1, GY_CMD_1,
# GK_CMD_1, GW_CMD_1) carry no trailing "\" line continuation; sudoers needs
# one before every wrapped line. "visudo -c" later in this page reports the
# file as parsing correctly, so the backslashes were presumably lost when the
# file was copied here. Re-add them (and drop the dangling comma after the
# last entry of CY_CMD_1) before reusing this snippet.
Cmnd_Alias CY_CMD_1 = /usr/bin/free,/usr/bin/iostat,/usr/bin/top,/bin/hostname,
/sbin/ifconfig,
Cmnd_Alias GY_CMD_1 = /usr/bin/free,/usr/bin/iostat,/usr/bin/top,/bin/hostname,
/sbin/ifconfig,/bin/netstat,/sbin/route,/sbin/iptables,/etc/init.d/network,/bin/nice,
/bin/kill,/usr/bin/kill,/usr/bin/killall,/bin/rpm,/usr/bin/up2date,/usr/bin/yum,
/sbin/fdisk,/sbin/sfdisk,/sbin/parted,/sbin/partprobe,/bin/mount,/bin/umount
# Argument globs in sudoers are matched against the whole argument string, so
# "*" also matches across spaces: "/bin/grep /app/log*" accepts any further
# arguments after a path starting with /app/log. The bare /bin/cat and /bin/ls
# entries are unrestricted and, run as root, read any path on the system. If
# the intent is "log files under /app only", a root-owned wrapper script that
# takes no arguments is the usual way to enforce that.
Cmnd_Alias CK_CMD_1 = /usr/bin/tail /app/log*,/bin/grep /app/log*,/bin/cat,/bin/ls
# "~" is not expanded by sudoers; the entry only matches the literal string
# "~/scripts/deploy.sh", which the user's shell would normally expand before
# sudo sees it. More importantly, a script under the invoking user's home is
# writable by that user, so running it as root is equivalent to unrestricted
# root. Move deploy.sh to a root-owned path (e.g. under /usr/local/sbin) and
# reference it by absolute path.
Cmnd_Alias GK_CMD_1 = /sbin/service,/sbin/chkconfig,/bin/tail /app/log*,/bin/cat,
/bin/grep /app/log*,/bin/ls,/bin/sh ~/scripts/deploy.sh
# If "/var/log/*" on the last line is the argument of /bin/cat (continuation
# lost, see above), the same cross-whitespace glob caveat as CK_CMD_1 applies.
Cmnd_Alias GW_CMD_1 = /sbin/route,/sbin/ifconfig,/bin/ping,/sbin/dhclient,
/usr/bin/net,/sbin/iptables,/usr/bin/rfcomm,/usr/bin/wvdial,/sbin/iwconfig,/sbin/mii-tool,/bin/cat
/var/log/*
##User_Alias by greymouster##2017
User_Alias CHUJIADMINS = chuji001,chuji002,chuji003
User_Alias GWNETADMINS = net001
User_Alias CHUJI_KAIFA = %phpers
##Runas_Alias by greymouster##2017
Runas_Alias OP=root
#pri config
# GY_CMD_1 includes rpm/yum/mount/fdisk; installing packages or mounting
# filesystems as root is root-equivalent, so treat senior001 as a privileged
# account when reviewing access.
senior001 ALL=(OP) GY_CMD_1
# NOPASSWD:ALL removes the re-authentication step entirely: manager001's login
# credential is effectively the root credential. Keep ALL but require the
# password unless there is a concrete automation need.
manager001 ALL=(ALL) NOPASSWD:ALL
# The sudoers manual documents that "!" exclusions after an ALL grant are not
# a security boundary (the excluded programs can be reached by other means),
# so this entry is in practice the same as unrestricted root. Grant an
# explicit command list instead of ALL with exclusions.
kaifamanager001 ALL=(ALL) ALL, /usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,
!/usr/sbin/visudo,!/usr/bin/vi *sudoer*
# See GK_CMD_1 above: the ~/scripts/deploy.sh entry needs to be fixed before
# this grant is meaningful.
seniorphpers ALL=(OP) GK_CMD_1
CHUJIADMINS ALL=(OP) CY_CMD_1
GWNETADMINS ALL=(OP) GW_CMD_1
CHUJI_KAIFA ALL=(OP) CK_CMD_1
4.测试
[root@greymouster ~]# tail -10 /etc/passwd
net001:x:506:506::/home/net001:/bin/bash
senior001:x:507:507::/home/senior001:/bin/bash
manager001:x:508:508::/home/manager001:/bin/bash
php001:x:509:999::/home/php001:/bin/bash
php002:x:510:999::/home/php002:/bin/bash
php003:x:511:999::/home/php003:/bin/bash
php004:x:512:999::/home/php004:/bin/bash
php005:x:513:999::/home/php005:/bin/bash
kaifamanager001:x:514:514::/home/kaifamanager001:/bin/bash
seniorphpers:x:515:515::/home/seniorphpers:/bin/bash
[root@greymouster ~]# su - chuji001
[chuji001@greymouster ~]$ whoami
chuji001
[chuji001@greymouster ~]$ sudo -l
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for chuji001:
匹配此主机上 chuji001 的默认条目:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin
用户 chuji001 可以在该主机上运行以下命令:
(root) /usr/bin/free, /usr/bin/iostat, /usr/bin/top, /bin/hostname, /sbin/ifconfig
[chuji001@greymouster ~]$ useradd kkk
-bash: /usr/sbin/useradd: 权限不够
[chuji001@greymouster ~]$ sudo hostname
greymouster
5.通过sudo和syslog配合实现对所有用户进行日志审计并将记录集中管理
1)安装sudo命令和syslog服务(centos6.4为rsyslog服务)
[root@greymouster ~]# rpm -qa|egrep "sudo|rsyslog"
sudo-1.8.6p3-12.el6.x86_64
rsyslog-5.8.10-8.el6.x86_64
//如果没有安装则执行下面的命令
yum install sudo rsyslog -y
2)配置/etc/sudoers
[root@greymouster ~]# echo "Defaults logfile=/var/log/sudo.log">>/etc/sudoers
[root@greymouster ~]# tail -1 /etc/sudoers
Defaults logfile=/var/log/sudo.log
[root@greymouster ~]# visudo -c
/etc/sudoers:解析正确
3)配置系统日志/etc/rsyslog.conf
[root@greymouster ~]# echo 'local2.debug /var/log/sudo.log' >> /etc/rsyslog.conf
[root@greymouster ~]# /etc/init.d/rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
注意：sudo 默认的 syslog facility 是 authpriv，不在 /etc/sudoers 中加上 `Defaults syslog=local2` 的话，这条 local2 规则收不到 sudo 的日志；下面测试中看到的记录是由 `Defaults logfile` 直接写入文件的。若要做集中管理，应让 sudo 走 syslog 并由 rsyslog 转发到日志服务器，而不是让两者写同一个本地文件。
[root@greymouster ~]# ll /var/log/sudo.log
-rw-------. 1 root root 0 3月 28 01:50 /var/log/sudo.log
[root@greymouster ~]#
4)测试
[root@greymouster ~]# su - chuji001
[chuji001@greymouster ~]$ sudo -l
[chuji001@greymouster ~]$ sudo useradd kkk
//切换到root下
[root@greymouster ~]# cat /var/log/sudo.log
Mar 28 01:54:28 : chuji001 : TTY=pts/0 ; PWD=/home/chuji001 ; USER=root ; COMMAND=list
Mar 28 01:54:44 : chuji001 : 命令禁止使用 ; TTY=pts/0 ; PWD=/home/chuji001 ; USER=root ; COMMAND=/usr/sbin/useradd kkk
日志收集解决方案: storm, flume, scribe, logstash