Network-wide centralized audit log solution

Using sudo together with syslog, a single audit record of every user's sudo activity is produced and managed centrally.

1. Overview: what audit logs are and why they matter

An audit log is a record of an information system and the behaviour of its users, and it can be analysed, processed and displayed automatically. Once a company uses sudo to stop root privileges from spreading across the whole network, the rate of internal operational mistakes and security risks drops fundamentally. But once access control is in place, a logging scheme for all users still has to be implemented, so that every command executed by operations and development staff is recorded and can be investigated later; this is how insider risk is addressed at the root, since many major security incidents in fact originate from the inside. Recording every action of every ordinary user would produce a huge volume of data that is hard to query later. Moreover, an ordinary user's actions do not endanger the system: they are routine view commands or edits to the user's own files, and there is little need to audit them. The audit log only needs to focus on privilege escalation through sudo. Combining sudo's log with syslog gives a unified record and centralized management of every user's sudo activity.

2. Steps for auditing with the sudo log and the rsyslog service

  1. Install the sudo command and the rsyslog service (CentOS 6.4 and later use the rsyslog service)
[root@maiyat ~]# rpm -qa sudo
sudo-1.8.6p3-29.el6_9.x86_64
[root@maiyat ~]# rpm -qa rsyslog
rsyslog-5.8.10-10.el6_6.x86_64
  2. Configure the /etc/sudoers file: add the line "Defaults logfile=/var/log/sudolog" to /etc/sudoers. For example:
[root@maiyat ~]# echo "Defaults    logfile=/var/log/sudolog" >>/etc/sudoers
[root@maiyat ~]# tail -1 /etc/sudoers
Defaults    logfile=/var/log/sudolog
[root@maiyat ~]# visudo -c       
visudo: Warning: User_Alias `GY01' referenced but not defined
/etc/sudoers: parsed OK
  3. Configure the system log (/etc/syslog.conf, or /etc/rsyslog.conf on rsyslog systems):
    add a local2.debug rule to the configuration
[root@maiyat ~]# echo "local2.debug   /var/log/sudolog" >>/etc/rsyslog.conf
[root@maiyat ~]# /etc/init.d/rsyslog restart
[root@maiyat ~]# ls -l /var/log/sudo.log    
-rw-------. 1 root root 0 Jun 30 23:15 /var/log/sudo.log
  4. Verify that the configuration works
[root@maiyat ~]# su - test
[test@maiyat ~]$ sudo passwd aaa
Changing password for user aaa.
New password: 
BAD PASSWORD: it does not contain enough DIFFERENT characters
BAD PASSWORD: is a palindrome
Retype new password: 
passwd: all authentication tokens updated successfully.
[test@maiyat ~]$ exit
[root@maiyat ~]# ls -l /var/log/sudo.log 
-rw-------. 1 root root 98 Jun 30 23:30 /var/log/sudo.log
[root@maiyat ~]# cat /var/log/sudo.log 
Jun 30 23:30:49 : test : TTY=pts/0 ; PWD=/home/test ; USER=root ;
    COMMAND=/usr/bin/passwd aaa
[root@maiyat ~]# 

3. Achieving network-wide centralized audit logging

3.1 Use rsync with a scheduled task to push sudo.log to the log management server

Below we use a scheduled task plus an rsync push. The host being audited is maiyat, IP 192.168.50.2; our centralized backup host is backup, IP 192.168.50.4.
3.1.1 Install rsync on both the backup and maiyat hosts, for example:
maiyat host

[root@maiyat script]# uname -m
x86_64
[root@maiyat script]# rpm -qa rsync
rsync-3.0.6-12.el6.x86_64
[root@maiyat script]# 

backup host

[root@backup 192.168.50.2_2018-07-01]# uname -r
2.6.32-696.23.1.el6.x86_64
[root@backup 192.168.50.2_2018-07-01]# uname -m
x86_64
[root@backup 192.168.50.2_2018-07-01]# rpm -qa rsync
rsync-3.0.6-12.el6.x86_64
[root@backup 192.168.50.2_2018-07-01]# 

3.1.2 Create the rsyncd.conf configuration file on the rsync server, for example:

[root@backup 192.168.50.2_2018-07-01]# cat /etc/rsyncd.conf 
# rsyncd-conf start 
uid = rsync
gid = rsync
use chroot = no
max connections = 2000
timeout = 600
pid file= /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log
ignore = errors
read only = false
list = false
hosts allow = 192.168.50.0/24
hosts deny = 0.0.0.0/32
auth users = rsync-backup
secrets file = /etc/rsync.password
#####################################
[backup]
comment = backup
path = /backup

3.1.3 On the rsync server, create the password file matching rsyncd.conf, and the rsync user

[root@backup ~]# useradd rsync -M -s  /sbin/nologin
[root@backup ~]# id rsync
uid=547(rsync) gid=547(rsync) groups=547(rsync)
[root@backup ~]# echo "rsync-backup:root" >/etc/rsync.password
[root@backup ~]# ls -l /etc/rsync.password 
-rwxr-xr-x. 1 root root 18 May 21 06:23 /etc/rsync.password

3.1.4 Create the backup directory on the rsync server (it must match the path in rsyncd.conf) and give the rsync user ownership of it; if this step is skipped, authentication errors may occur.

[root@backup ~]# mkdir -p /backup
[root@backup ~]# chown -R rsync:rsync /backup
[root@backup ~]# ls -ld /backup/
drwxr-xr-x. 2 rsync rsync 4096 Jun 19 01:10 /backup/

3.1.5 On the client, create the password file matching the server's rsyncd.conf, set its mode to 600, and test that a push to the server works, for example:

[root@maiyat ~]# echo "root" > /etc/rsync.password
[root@maiyat ~]# chmod 600 /etc/rsync.password
[root@maiyat ~]# ls -l /etc/rsync.password 
-rw-------. 1 root root 5 Jul  1 00:06 /etc/rsync.password
[root@maiyat ~]# rsync -avz /var/log/sudo.log rsync-backup@192.168.50.4::backup/ --password-file=/etc/rsync.password 
sending incremental file list
sudo.log

sent 159 bytes  received 27 bytes  372.00 bytes/sec
total size is 98  speedup is 0.53

3.1.6 Once the push works from the client, deploy a script and a scheduled task that push sudo.log on a schedule. For example:

[root@maiyat script]# vim sudo-bak.sh 
#!/bin/bash
# Name the backup directory after this host's eth0 address (CentOS 6 ifconfig layout)
dir=$(ifconfig eth0 | awk -F '[ :]+' 'NR==2 {print $4}')
path=/backup
# Keep a dated copy of sudo.log locally, then push the whole tree to the backup module
mkdir -p "$path/$dir" &&
/bin/cp /var/log/sudo.log "$path/$dir/sudo_log_$(date +%F)" &&
rsync -az "$path" rsync-backup@192.168.50.4::backup/ --password-file=/etc/rsync.password
[root@maiyat script]# sh /service/script/sudo-bak.sh

Check on the rsync server:

[root@backup backup]# cd backup/
[root@backup backup]# ls
192.168.50.2
[root@backup backup]# cd 192.168.50.2/
[root@backup 192.168.50.2]# ls -l
total 4
-rw-------. 1 rsync rsync 98 Jul  1  2018 sudo_log_2018-07-01
[root@backup 192.168.50.2]#

Deploy the scheduled task on the rsync client; we usually push at 3 a.m., for example:

[root@maiyat backup]# echo "0 3 * * *  sh /service/script/sudo-bak.sh" >>/var/spool/cron/root
[root@maiyat backup]# crontab -l |grep "sudo"
0 3 * * *  sh /service/script/sudo-bak.sh

In addition, the format for setting the system time is:

date [MMDDhhmm[[CC]YY][.ss]]
     month day hour minute [[century]year] [.seconds]
[root@maiyat backup]# date 070102592018.55
Sun Jul  1 02:59:00 CST 2018
[root@maiyat backup]# 
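As an added example (not code from the original post), a check to run on the backup server against the /backup/<host-ip>/sudo_log_<date> tree that sudo-bak.sh creates: it reports the days for which no daily sudo log arrived, which is how a dead cron push or a broken password file shows up. The sample listing is constructed.

```python
"""Report days for which a host's daily sudo log never reached the backup server.
Added example, not code from the original post; it reads the /backup/<host-ip>/
sudo_log_<YYYY-MM-DD> layout that sudo-bak.sh above produces."""
import os
import re
from datetime import date, timedelta

NAME_RE = re.compile(r"^sudo_log_(\d{4})-(\d{2})-(\d{2})$")

def _to_date(text):
    return date(*map(int, text.split("-")))

def days_present(filenames):
    """Set of ISO dates for which a sudo_log_<date> file exists; other names ignored."""
    found = set()
    for name in filenames:
        m = NAME_RE.match(name)
        if m:
            found.add("-".join(m.groups()))
    return found

def missing_days(filenames, upto):
    """ISO dates from the oldest pushed log up to `upto` (inclusive) with no file.
    Returns [] when nothing was ever pushed, so callers can flag that separately."""
    present = days_present(filenames)
    if not present:
        return []
    day, last, gaps = _to_date(min(present)), _to_date(upto), []
    while day <= last:
        if day.isoformat() not in present:
            gaps.append(day.isoformat())
        day += timedelta(days=1)
    return gaps

def audit_backup_tree(root, upto):
    """Walk the rsync module directory: host directory -> list of missing days."""
    report = {}
    for host in sorted(os.listdir(root)):
        hostdir = os.path.join(root, host)
        if os.path.isdir(hostdir):
            report[host] = missing_days(os.listdir(hostdir), upto)
    return report

if __name__ == "__main__":
    # Constructed listing for one host: the 3 a.m. push on 2018-07-03 never arrived.
    sample = ["sudo_log_2018-07-01", "sudo_log_2018-07-02", "sudo_log_2018-07-04"]
    for gap in missing_days(sample, "2018-07-05"):
        print("192.168.50.2: no sudo log for " + gap)
```

Running audit_backup_tree("/backup", today) from the server's own cron, shortly after the 3 a.m. push window, turns a silent gap into an alert.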

3.2 Real-time synchronization with rsync and inotify

3.2.1 Deploy inotify on the rsync client. First check whether the kernel supports inotify: if the following three files exist, it does

[root@maiyat ~]# ls -l /proc/sys/fs/inotify/
total 0
-rw-r--r-- 1 root root 0 Jul  1 03:06 max_queued_events
-rw-r--r-- 1 root root 0 Jul  1 03:06 max_user_instances
-rw-r--r-- 1 root root 0 Jul  1 03:06 max_user_watches

3.2.2 Download the inotify source package and install it, for example:

[root@maiyat ~]# tar -zxf inotify-tools-3.14.tar.gz 
[root@maiyat ~]# cd inotify-tools-3.14/
[root@maiyat inotify-tools-3.14]# ./configure --prefix=/usr/local/inotify-tools-3.14/
[root@maiyat inotify-tools-3.14]# echo $?
0
[root@maiyat inotify-tools-3.14]# 
[root@maiyat inotify-tools-3.14]# make && make install
[root@maiyat local]# ln -s /usr/local/inotify-tools-3.14/ /usr/local/inotify-tools

3.2.3 Deploy a script on the rsync client that watches /var/log/sudo.log and pushes it automatically whenever it changes.

[root@maiyat script]# vim inotify.sh
#!/bin/bash
inotify=/usr/local/inotify-tools/bin/inotifywait
# Watch sudo.log and push a fresh copy to the backup server each time it is written
$inotify -mrq --format '%w%f' -e create,close_write,delete /var/log/sudo.log | while read file
do
    cd / &&
    rsync -az --delete /var/log/sudo.log rsync-backup@192.168.50.4::backup/192.168.50.2/sudo.log --password-file=/etc/rsync.password
done

3.2.4 Deploy a check script on the rsync client that checks whether inotify is running and starts it automatically if it is not

[root@maiyat script]# vi check-iotify.sh                       
#!/bin/bash
# Count running inotifywait processes. pgrep excludes itself, so the check
# script's own command line cannot produce a false match the way "grep inotify" can.
a=$(pgrep -f inotifywait | wc -l)
if [ "$a" -ne 0 ]; then
       exit 1   # already running, nothing to do
else
       sh /service/script/inotify.sh &
fi

3.2.5 On the rsync client, set up a scheduled task that runs the check every 30 minutes, and add the inotify script to rc.local so that inotify starts at boot. If someone kills it by accident, the periodic check script will notice that inotify has died and start it again, for example:

[root@maiyat script]# echo "*/30 * * * *  sh /service/script/check-inotify.sh" >> /var/spool/cron/root
[root@maiyat script]# crontab -l |grep "check"
*/1 * * * *  sh /service/script/check-inotify.sh
[root@maiyat script]# 
[root@maiyat script]# echo "sh /service/script/inotify.sh &" >>/etc/rc.local 
[root@maiyat script]# tail -1 /etc/rc.local 
sh /service/script/inotify.sh &
[root@maiyat script]# 

3.3 Synchronizing through the rsyslog service

Because the local /var/log/sudolog is pushed to the remote backup server, the local machine is the client and the remote server acts as the rsyslog server. This method is not particularly recommended because it pushes far too much; choose it when you want to forward all logs. Its usage is described below.
3.3.1 On the client, first set up name resolution for the log server, then add the forwarding rule to /etc/rsyslog.conf and restart the rsyslog service, for example:

[root@maiyat ~]# echo "192.168.50.4  logserver" >>/etc/hosts
[root@maiyat ~]# tail -1 /etc/hosts
192.168.50.4  logserver
[root@maiyat ~]# echo "*.info  @logserver" >> /etc/rsyslog.conf
[root@maiyat ~]# tail -1 /etc/rsyslog.conf 
*.info  @logserver
[root@maiyat ~]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:              

3.3.2 On the server, edit /etc/rsyslog.conf to enable the UDP and TCP input modules ($ModLoad imudp, $UDPServerRun 514, $ModLoad imtcp), for example:

[root@backup ~]# egrep -v "#|^$" /etc/rsyslog.conf 
#### enable receiving logs over UDP
$ModLoad imudp
$UDPServerRun 514
$template RemoteHost,"/data/syslog/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"   
*.*  ?RemoteHost
& ~
########### enable receiving logs over TCP
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
####### enable every configuration file ending in .conf under /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                    /var/log/secure
mail.*                                      /var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                      *
uucp,news.crit                                /var/log/spooler
local7.*                                    /var/log/boot.log
# the sudo.log entry we added for the client configuration
local2.debug                                 /var/log/sudo.log
[root@backup ~]# 

3.3.3 Restart the rsyslog service on the server and test whether it works

[root@backup ~]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

Generate sudo log entries on the client:

[root@maiyat ~]# su - test
[test@maiyat ~]$ sudo -l
[test@maiyat ~]$ sudo useradd bvbv
[test@maiyat ~]$ exit
logout
[root@maiyat ~]# 

Verify the result on the server:

[root@backup 2018-06-19]# cat 192.168.50.2.log 
2018-07-01T06:23:21+08:00 maiyat sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=list
2018-07-01T06:23:30+08:00 maiyat sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/usr/sbin/useradd bvbv
2018-07-01T06:23:30+08:00 maiyat useradd[3398]: new group: name=bvbv, GID=550
2018-07-01T06:23:30+08:00 maiyat useradd[3398]: new user: name=bvbv, UID=550, GID=550, home=/home/bvbv, shell=/bin/bash
2018-07-01T06:24:01+08:00 maiyat CROND[3409]: (root) CMD (sh /service/script/check-iotify.sh )
[root@backup 2018-06-19]# 

The result checks out: the activity was audited. The rsyslog method is simple and convenient, but it collects several logs into one file, which makes them awkward to review, whereas pushing with rsync delivers each log to the backup server under a file name built from the host and date, which is the more flexible approach.
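The rsyslog-forwarded records above and the sudo logfile records in section 2 share the same "user : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.." body. As an added example (not code from the original post), here is a parser that re-joins sudo's wrapped logfile lines, accepts both layouts, skips the non-sudo syslog entries, and groups commands per host and invoking user; the sample lines are copied from this page's own output.

```python
"""Parse sudo records in both layouts this page produces: the wrapped `Defaults logfile`
format (section 2) and rsyslog's forwarded one-line format (section 3.3). Added example."""
import re
from collections import defaultdict

# Both layouts end in "<user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
LOGFILE_RE = re.compile(r"^(?P<time>\w{3} +\d+ \d\d:\d\d:\d\d) : (?P<body>.+)$")
SYSLOG_RE = re.compile(r"^(?P<time>\S+) (?P<host>\S+) sudo: +(?P<body>.+)$")

def unwrap(lines):
    """Re-join records that sudo wrapped: a continuation line starts with whitespace."""
    records = []
    for line in lines:
        line = line.rstrip()
        if line and line[0].isspace() and records:
            records[-1] += " " + line.strip()
        elif line:
            records.append(line)
    return records

def parse_records(lines, host="localhost"):
    """One dict per sudo record; `host` labels logfile records, which carry none."""
    out = []
    for line in unwrap(lines):
        m = SYSLOG_RE.match(line) or LOGFILE_RE.match(line)
        if not m:                      # useradd, CROND and other non-sudo lines
            continue
        user, _, fields = m.group("body").partition(" : ")
        rec = {"time": m.group("time"), "user": user,
               "host": m.groupdict().get("host") or host}
        for kv in fields.split(" ; "):  # "KEY=value" pairs
            key, _, value = kv.partition("=")
            rec[key.strip()] = value
        out.append(rec)
    return out

def commands_by_host_user(records):
    """host -> user -> commands: the per-host view a single mixed file lacks."""
    table = defaultdict(lambda: defaultdict(list))
    for r in records:
        table[r["host"]][r["user"]].append(r.get("COMMAND", ""))
    return table

# Sample input copied from this page's own output so the block runs offline.
SAMPLE_LOGFILE = """Jun 30 23:30:49 : test : TTY=pts/0 ; PWD=/home/test ; USER=root ;
    COMMAND=/usr/bin/passwd aaa"""
SAMPLE_SYSLOG = """2018-07-01T06:23:21+08:00 maiyat sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=list
2018-07-01T06:23:30+08:00 maiyat sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/usr/sbin/useradd bvbv
2018-07-01T06:23:30+08:00 maiyat useradd[3398]: new user: name=bvbv, UID=550, GID=550, home=/home/bvbv, shell=/bin/bash"""
```

Note that the logfile record in section 2 is written by sudo itself through the Defaults logfile setting, not by the local2.debug rsyslog rule: sudo sends its syslog messages under the authpriv facility unless sudoers also sets Defaults syslog=local2.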

Source: www.cnblogs.com/chacha51/p/11221094.html