-
打赏
jQuery火箭图标返回顶部代码</h1>
<div style="border: 1px solid #dfdfdf;border-top:none;"></div>
<div style=" height: 200px; overflow:hidden;">
<span class="pre-scrollable"><div id="cnblogs_post_body" class="blogpost-body">
<blockquote>
<p><span style="font-family: 'Microsoft YaHei';"> 工作中我们常常遇到,有的员工不安于被分配的权限,老是想sudo echo "ziji" /usr/bin/visudo NOPASSWD:ALL来进行提权,造成误删了数据库某条重要的数据,或者执行了一条命令对线上生产造成了严重的影响,部门老大又苦于找不到造成这种现象的操作者,CTO对你们部门直接扣除绩效,这样你们集体成了背锅侠。。。为了记录员工做的违规操作行为,所以就有了以下的方案。</span><br /><span style="font-family: 'Microsoft YaHei';"> 我们今天要学习的是:sudo日志审计,专门对使用sudo命令的系统用户记录其执行的命令相关信息,所谓日志审计,就是记录所有系统及相关用户行为的信息,并且可以自动分析,处理,展示(包括文本或着录像)</span></p>
</blockquote>
<h2><span style="font-family: 'Microsoft YaHei';"><span style="font-size: 14px;">一)生产环境日志审计解决方案: </span> </span></h2>
<blockquote>
<p><span style="font-family: 'Microsoft YaHei';">通过环境变量命令及syslog服务进行全部日志审计(信息太大,不推荐)</span></p>
<p><span style="font-family: 'Microsoft YaHei';">sudo配合syslog服务,进行日志审计(信息较少,效果不错)</span></p>
<p><span style="font-family: 'Microsoft YaHei';">在bash解释器程序里嵌入一个监视器,让所有被审计的系统用户使用修改过的增加了监视器的特殊bash程序作为解释程序。</span></p>
<p><span style="font-family: 'Microsoft YaHei';">齐治的堡垒机:商业产品</span></p>
</blockquote>
<h2><span style="font-family: 'Microsoft YaHei'; font-size: 14px;">二)配置sudo日志审计</span></h2>
<p><span style="font-family: 'Microsoft YaHei';">说明:所谓sudo命令日志审计,并不记录普通用户的普通操作,而是记录,那些执行sudo命令的用户的操作。</span></p>
<h3><span style="font-family: 'Microsoft YaHei'; font-size: 13px;">1、安装sudo命令,rsyslog服务</span></h3>
<div class="cnblogs_code">
<pre><span style="font-family: 'Microsoft YaHei';"><span style="color: #008080;user-select:none;">1</span> [root@s-<span style="color: #800080;">28</span> /]# rpm -qa|grep sudo #要是没安装执行yum install sudo -<span style="color: #000000;">y
</span><span style="color: #008080;user-select:none;">2</span> sudo-<span style="color: #800080;">1.8</span>.19p2-<span style="color: #800080;">13</span><span style="color: #000000;">.el7.x86_64
</span><span style="color: #008080;user-select:none;">3</span> [root@s-<span style="color: #800080;">28</span> /]# rpm -qa|grep rsyslog #要是没安装执行yum install rsyslog -<span style="color: #000000;">y
</span><span style="color: #008080;user-select:none;">4</span> rsyslog-<span style="color: #800080;">8.24</span>.<span style="color: #800080;">0</span>-<span style="color: #800080;">16</span><span style="color: #000000;">.el7.x86_64
</span><span style="color: #008080;user-select:none;">5</span> [root@s-<span style="color: #800080;">28</span> /]# </span></pre>
</div>
<h3><span style="font-family: 'Microsoft YaHei'; font-size: 13px;">2、配置服务</span></h3>
<p><span style="font-family: 'Microsoft YaHei'; font-size: 13px;">2.1配置系统日志/etc/rsyslog.conf,增加配置local.debug到/etc/rsyslog.conf中</span></p>
<div class="cnblogs_code">
<pre><span style="color: #008080;user-select:none;">1</span> [root@s-<span style="color: #800080;">28</span> /]# cat /<span style="color: #0000ff;">var</span>/log/ #查看日志文件是否存在没有就创建mkdir -p /<span style="color: #0000ff;">var</span>/<span style="color: #000000;">log
</span><span style="color: #008080;user-select:none;">2</span> cat: /<span style="color: #0000ff;">var</span>/log/<span style="color: #000000;">: Is a directory
</span><span style="color: #008080;user-select:none;">3</span> [root@s-<span style="color: #800080;">28</span> /]# cat /etc/redhat-<span style="color: #000000;">release
</span><span style="color: #008080;user-select:none;">4</span> CentOS Linux release <span style="color: #800080;">7.5</span>.<span style="color: #800080;">1804</span><span style="color: #000000;"> (Core)
</span><span style="color: #008080;user-select:none;">5</span> [root@s-<span style="color: #800080;">28</span> /]# uname -<span style="color: #000000;">r
</span><span style="color: #008080;user-select:none;">6</span> <span style="color: #800080;">3.10</span>.<span style="color: #800080;">0</span>-<span style="color: #800080;">862</span><span style="color: #000000;">.el7.x86_64
</span><span style="color: #008080;user-select:none;">7</span> [root@s-<span style="color: #800080;">28</span> /]# tail -<span style="color: #800080;">1</span> /etc/rsyslog.conf #没有就执行echo <span style="color: #800000;">"</span><span style="color: #800000;">local.debug /var/log/sudo.log</span><span style="color: #800000;">"</span>>>/etc/<span style="color: #000000;">rsyslog.conf
</span><span style="color: #008080;user-select:none;">8</span> local.debug /<span style="color: #0000ff;">var</span>/log/<span style="color: #000000;">sudo.log
</span><span style="color: #008080;user-select:none;">9</span> [root@s-<span style="color: #800080;">28</span> /]# </pre>
</div>
<p>2.2配置/etc/sudoers,<span style="font-family: 'Microsoft YaHei';">增加配置 “Defaults logfile=/var/log/sudo.log” 到/etc/sudoers中,注意:不包含引号。</span></p>
<div class="cnblogs_code">
<pre><span style="color: #008080;user-select:none;">1</span> [root@s-<span style="color: #800080;">28</span> /]# echo <span style="color: #800000;">"</span><span style="color: #800000;">Defaults logfile=/var/log/sudo.log</span><span style="color: #800000;">"</span>>>/etc/<span style="color: #000000;">sudoers
</span><span style="color: #008080;user-select:none;">2</span> [root@s-<span style="color: #800080;">28</span> /]# tail -<span style="color: #800080;">1</span> /etc/<span style="color: #000000;">sudoers
</span><span style="color: #008080;user-select:none;">3</span> Defaults logfile=/<span style="color: #0000ff;">var</span>/log/<span style="color: #000000;">sudo.log
</span><span style="color: #008080;user-select:none;">4</span> [root@s-<span style="color: #800080;">28</span> /]# visudo -<span style="color: #000000;">c
</span><span style="color: #008080;user-select:none;">5</span> /etc/<span style="color: #000000;">sudoers: parsed OK
</span><span style="color: #008080;user-select:none;">6</span> [root@s-<span style="color: #800080;">28</span> /]# </pre>
</div>
<h3><span style="font-family: 'Microsoft YaHei'; font-size: 13px;"> 3、重启syslog内核日志记录器(简单来说就是重启服务了)</span></h3>
<div class="cnblogs_code">
<pre><span style="color: #008080;user-select:none;">1</span> [root@s-<span style="color: #800080;">28</span> /<span style="color: #000000;">]# systemctl restart rsyslog
</span><span style="color: #008080;user-select:none;">2</span> [root@s-<span style="color: #800080;">28</span> /]# </pre>
</div>
<p><span style="font-family: 'Microsoft YaHei';"> 说到审计,有时候需要自定义审计规则,想了解的请参考下文哦:</span></p>
<p class="col-article-title J-articleTitle">CentOS 7上编写自定义系统审计规则</p>
</div>
</span>
</div>
<div style="text-align: center;">
<a href="https://www.cnblogs.com/liang-io/p/9617783.html" target="_blank" style="font-size: 16px;background-color: rgb(24, 144, 255); color: white;padding: 8px;padding-left: 30px;padding-right: 30px;border-radius: 2rem;">查看全文</a>
</div>
</li>
<div style="border: 1px solid #dfdfdf;border-top:none;"></div>
<li class="ul-li" style="padding-left:15px;padding-right: 15px;">
<b>相关阅读:</b><br>
<nobr>
<a href="metoy-p-4587084.html" target="_blank">Spring加载xsd引起的问题小记</a>
<br/><a href="metoy-p-4573880.html" target="_blank">kafka配置参数</a>
<br/><a href="metoy-p-4547693.html" target="_blank">nginx常见内部参数,错误总结</a>
<br/><a href="metoy-p-4486718.html" target="_blank">从毕业到现在的总结</a>
<br/><a href="metoy-p-4477095.html" target="_blank">storm坑之---传递对象</a>
<br/><a href="metoy-p-4470418.html" target="_blank">Java多线程读取大文件</a>
<br/><a href="cythia-p-8495341.html" target="_blank">webpack4.0.1安装问题及解决方法</a>
<br/><a href="cythia-p-8401785.html" target="_blank">git入门篇shell</a>
<br/><a href="cythia-p-6899858.html" target="_blank">less教程</a>
<br/><a href="cythia-p-6978323.html" target="_blank">原生js的ajax请求</a>
<br/> </nobr>
</li>
<div style="border: 1px solid #dfdfdf;border-top:none;"></div>
<li class="list-group-item from-a mb-2" style="margin:15px;">
原文地址:https://www.cnblogs.com/liang-io/p/9617783.html
</li>
</ul>
</div>
<!-- 右侧开始 -->
<div class="right-kd" style="margin: auto;margin: 0px;float: left;">
<ul class="right-kd" style="word-break:break-all;border: 1px solid #dfdfdf;border-radius: 3px 3px 3px 3px;padding: 0px;margin: 0px;">
<li class="ul-li-bg ul-li-title" aria-current="true" style="padding-left:15px;padding-right: 15px;">
最新文章
</li>
<li class="ul-li" style="padding-left:15px;padding-right:15px;">
<nobr>
<a href="ghc666-p-8485256.html" target="_blank">SVN的使用</a>
<br/><a href="ghc666-p-8483397.html" target="_blank">java.lang.TypeNotPresentException: Type org.eclipse.jetty.maven.plugin.JettyRunMojo not present的原因</a>
<br/><a href="ghc666-p-8444599.html" target="_blank">libevent的作用或者说是有哪些功能</a>
<br/><a href="ghc666-p-7542386.html" target="_blank">/.nav-tabs :是普通标签页 .nav-pills:胶囊式标签页 action ;默认的激活项,给<li>加默认显示的是哪个标签页内容 .nav是标签页的一个基类,给ul加 .nav-stacked: 垂直排列BootStrap</a>
<br/><a href="ghc666-p-7541922.html" target="_blank">HTML中的ul, ol,li , dl,dt, dd标签</a>
<br/><a href="ghc666-p-7541830.html" target="_blank">HTML中的Div Span label的区别</a>
<br/><a href="huangjinyong-p-11837392.html" target="_blank">Docker使用Dockerfile创建Centos(tomcat+jdk)镜像</a>
<br/><a href="huangjinyong-p-11834835.html" target="_blank">Linux CentOS7.x安装docker全过程</a>
<br/><a href="huangjinyong-p-11798414.html" target="_blank">http请求头出现provisional headers are shown</a>
<br/><a href="huangjinyong-p-11794057.html" target="_blank">Tomcat项目内存参数调优</a>
<br/> </nobr>
</li>
</ul>
<ul class="right-kd" style="word-break:break-all;border: 1px solid #dfdfdf;border-radius: 3px 3px 3px 3px;padding: 0px;margin-top: 10px;">
<li class="list-group-item ul-li-bg ul-li-title" aria-current="true" style="padding-left:15px;padding-right: 15px;">
热门文章
</li>
<li class="ul-li" style="padding-left:15px;padding-right: 15px;">
<nobr>
<a href="huangjinyong-p-11775113.html" target="_blank">Mybatis单个参数的if判断(针对异常:There is no getter for property..)------mybatis的内置对象</a>
<br/><a href="huangjinyong-p-11270790.html" target="_blank">Java代码性能优化总结</a>
<br/><a href="huangjinyong-p-11242070.html" target="_blank">最快速的办法解决MySQL数据量增大之后翻页慢问题</a>
<br/><a href="huangjinyong-p-11240522.html" target="_blank">忘记 MySQL 的 root 帐号密码该怎么办</a>
<br/><a href="huangjinyong-p-11234268.html" target="_blank">MyBatis-Plus-Generator配置</a>
<br/><a href="huangjinyong-p-11211996.html" target="_blank">AOP与Filter拦截请求打印日志实用例子</a>
<br/><a href="metoy-p-5110479.html" target="_blank">TCP滑动窗口机制</a>
<br/><a href="metoy-p-5106800.html" target="_blank">TCP三次握手和四次挥手状态变迁解析</a>
<br/><a href="metoy-p-5106735.html" target="_blank">TCP三次握手,四次挥手</a>
<br/><a href="metoy-p-4695364.html" target="_blank">CSS浮动文摘</a>
<br/> </nobr>
</li>
</ul>
</div>
</div>
</div>
<div style="clear: both;"></div>
<!-- 栅栏结束 -->
<div class="kd" style="margin: auto;">
<div style="font-size:0.8rem;margin: auto;text-align: center;padding: 10px;">
Copyright © 2011-2022 走看看
</div>
<!-- 引入底部 -->
<!-- 百度自动推送js -->
<script>
(function(){
var bp = document.createElement('script');
var curProtocol = window.location.protocol.split(':')[0];
if (curProtocol === 'https'){
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
}
else{
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
}
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(bp, s);
})();
</script>
<!-- 百度自动推送js -->
</div>
</div>
<script src="https://common.cnblogs.com/scripts/jquery-2.2.0.min.js"></script>
<script src="https://www.cnblogs.com/js/blog-common.min.js"></script>
<script src="http://common.cnblogs.com/script/encoder.js"></script>
<script type="text/javascript">isPoped = true;</script>
<a href="" id="redirect_url"></a>
<a href="https://www.cnblogs.com/liang-io/p/9617783.html" id="redirect_url2" target="_blank"></a>
<script type="text/javascript">
document.onclick = function()
{
if (!isPoped)
{
document.getElementById("redirect_url").click();
document.getElementById("redirect_url2").click();
isPoped = true;
}
}
</script>
</body>
</html>