Sudo+syslog log audit + login user operation statistics 02/25 Update SLTechnology News&Howtos

Sudo+syslog log audit + login user operation statistics

2025-02-25 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)06/01 Report--

1. Query whether sudo and syslog programs are installed in the system.

[root@shangke ~] # rpm-qa | egrep "sudo | syslog" rsyslog-5.8.10-10.el6_6.x86_64sudo-1.8.6p3-19.el6.x86_64 if not installed, install it with yum, yum install-y sudo syslog

2. Configuration / etc/sudoers

Add configuration "Defaults logfile=/var/log/sudo.log" to / etc/sudoers

[root@shangke ~] # echo "Defaults logfile=/var/log/sudo.log" > > / etc/sudoers [root@shangke ~] # tail-1 / etc/sudoers # # check whether the operation is successful Defaults logfile=/var/log/sudo.log [root@shangke ~] # visudo-c # check sudoers file syntax / etc/sudoers: parsed OK

3. Configure Syslog

Add configuration local2.debug to / etc/syslog.conf (in Centos5.8)

Add configuration local2.debug to / etc/rsyslog.conf (in Centos6.4)

[root@shangke ~] # echo "local2.debug / var/log/sudo.log" > > / etc/rsyslog.conf [root@shangke ~] # tail-1 / etc/rsyslog.conf # # check the configuration local2.debug / var/log/sudo.log

4. Restart the syslog or rsyslog kernel logger

[root@shangke ~] # / etc/init.d/rsyslog restart Shutting down system logger: [OK] Starting system logger: [OK]

5. Permission to view log directory

[root@shangke ~] # ll / var/log/sudo.log-rw- 1 root root 1148 Jan 31 16:05 / var/log/sudo.log

6. Test the sudo log audit configuration results

[root@shangke ~] # whoamiroot [root@shangke ~] # pwd/root [root@shangke ~] # useradd mzq [root@shangke ~] # vi / etc/sudoersmzq ALL= (ALL) ALL [root@shangke] # su-mzq [mzq@shangke ~] $sudo-lMatching Defaults entries for mzq on this host: requiretty,! visiblepw, always_set_home, env_reset, env_keep= "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+= "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Env_keep+= "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+= "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+= "LC_TIME LC_ALL LANGUAGE LINGUAS _ XKB_CHARSET XAUTHORITY", secure_path=/sbin\: / bin\: / usr/sbin\: / usr/bin, logfile=/var/log/sudo.logUser mzq may run the following commands on this host: (ALL) NOPASSWD: / bin/su, (ALL) / usr/bin/sudo (ALL) ALL [mzq@shangke ~] $su-Password: [root@shangke ~] # cat / var/log/sudo.log Jan 31 16:05:27: mzq: TTY=pts/0 PWD=/home/mzq; USER=root; COMMAND=/bin/cat / var/log/sudo.logJan 31 16:24:11: mzq: TTY=pts/0; PWD=/home/mzq; USER=root; COMMAND=listJan 31 16:25:09: mzq: TTY=pts/0; PWD=/home/mzq; USER=root; COMMAND=/bin/cat / var/log/sudo.log

7. Record the data of logged-in users

The / var/log/useraudit.log file records when the user was logged in, the source IP, and what commands were run on the system.

[root@shangke ~] # vim / etc/profile adds the following at the end: export HISTORY_FILE=/var/log/useraudit.logexport PROMPT_COMMAND=' {h = `history 1`; w = `who am i`; echo-e $(date "+% Y-%m-%d% H:%M:%S")-- $w-- $h } > > $HISTORY_FILE' then execute the command: [root@shangke ~] # touch / var/log/useraudit.log [root@shangke ~] # chmod 777 / var/log/useraudit.log [root@shangke ~] # chattr + a / var/log/useraudit.log [root@shangke ~] # cat / var/log/useraudit.log 2016-01-31 16:30:16-root pts/0 2016-01-31 16:21 (10.0.0.1)-15 su- 2016-01-31 16:30:18-root pts/0 2016-01-31 16:21 (10.0.0.1)-16 ls2016-01-31 16:30:22-root pts/0 2016-01-31 16:21 (10.0.0.1)-17 sudo ls2016-01-31 16:30:34-root pts/0 2016-01-31 16:21 (10.0.0.1)-18 cat / Var/log/sudo.log2016-01-31 16:30:46-root pts/0 2016-01-31 16:21 (10.0.0.1)-19 sudo cat / var/log/so2016-01-31 16:30:50-root pts/0 2016-01-31 16:21 (10.0.0.1)-20 sudo cat / var/log/sudo.log2016-01-31 16:31:09-root pts/0 2016-01 -31 16:21 (10.0.0.1)-- 21 rm-f oldboy12016-01-31 16:31:12-root pts/0 2016-01-31 16:21 (10.0.0.1)-22 sudo cat / var/log/sudo.log2016-01-31 16:32:04-root pts/0 2016-01-31 16:21 (10.0.0.1)-- 23 sodu cat / var/log/useraudit.log2016- 01-31 16:32:41-root pts/0 2016-01-31 16:21 (10.0.0.1)-24 cd / var/log/2016-01-31 16:32:43-root pts/0 2016-01-31 16:21 (10.0.0.1)-25 ls2016-01-31 16:33:05-root pts/0 2016-01-31 16:21 (10.0.0.1)-- 25 ls2016-01-31 16:33:08-root pts/0 2016-01-31 16:21 (10.0.0.1)-26 cd2016-01-31 16:33:10-root pts/0 2016-01-31 16:21 (10.0.0.1)-27 ls2016-01-31 16:33:18-root pts/0 2016-01-31 16:21 (10.0.0.1)-28 rm- F oldboy22016-01-31 16:33:23-root pts/0 2016-01-31 16:21 (10.0.0.1)-- 141su-mzq2016-01-31 16:33:40-root pts/0 2016-01-31 16:21 (10.0.0.1)-- 142cat / var/log/sudo.log2016-01-31 16:33:54-root pts/0 2016-01-31 16:21 (10.0.0) .1)-143FN / var/log/sudo.log | grep rm2016-01-31 16:34:01-root pts/0 2016-01-31 16:21 (10.0.0.1)-144cat / var/log/sudo.log | grep rm-f 2016-01-31 16:34:10-root pts/0 2016-01-31 16:21 (10.0.0.1)-- 145cat / var/log/sudo.log | grep "rm-f"

8. Centralized log management

1) rsync+inotify or scheduled task + rsync, push to the log management server, IP_date.sudo.log

2) syslog service to handle

[root@shangke ~] # echo "IP logserver" > / etc/hosts# log server address [root@shangke ~] # echo "* .info @ logserver" > > / etc/syslog.conf

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.