2025-01-30 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
In this article, the editor explains in detail how to configure sudo log auditing on a Linux system. The content is thorough, the steps are clear, and the details are handled carefully. I hope this article on configuring sudo log auditing for Linux helps you resolve your doubts.
Part I: log audit schemes used in production environments
1. Audit all operation logs through syslog. This produces a large volume of information and is inconvenient to review.
2. sudo logs combined with the syslog service for log auditing.
3. Log auditing on a bastion (jump) host.
4. Install a monitor in bash to record user actions.
Part II: configure sudo log audit
1. Install the sudo and syslog services
[root@Centos ~]# rpm -qa | grep sudo
sudo-1.8.6p3-24.el6.x86_64
[root@Centos ~]# rpm -qa | grep rsyslog
rsyslog-5.8.10-10.el6_6.x86_64
Check whether both packages are installed; if not, install them with the following commands:
yum install sudo -y
yum install rsyslog -y
Note: CentOS 5.x uses syslog, CentOS 6.x uses rsyslog.
2. Configure the service
Create the log directory
[root@Centos ~]# mkdir -p /var/log/
Check the server environment
[root@Centos ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Centos ~]# uname -r
2.6.32-431.el6.x86_64
The server runs CentOS 6.5, so the syslog configuration file is /etc/rsyslog.conf
[root@Centos ~]# echo "local2.debug /var/log/sudo.log" >> /etc/rsyslog.conf
View the configuration
[root@Centos ~]# tail -1 /etc/rsyslog.conf
local2.debug /var/log/sudo.log
If the server runs CentOS 5.x, the syslog configuration file is /etc/syslog.conf instead
[root@Centos ~]# echo "local2.debug /var/log/sudo.log" >> /etc/syslog.conf
[root@Centos ~]# echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
View the configuration
[root@Centos ~]# tail -1 /etc/syslog.conf
local2.debug /var/log/sudo.log
3. Configure /etc/sudoers
[root@Centos ~]# echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
[root@Centos ~]# tail -1 /etc/sudoers
Defaults logfile=/var/log/sudo.log
4. Restart the service
[root@Centos ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
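A small check script for the configuration built in steps 2 and 3, added here as an example and not part of the original article. The file paths are arguments (defaulting to the CentOS 6 paths the article uses) so the same function can be run against copies or test fixtures.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the sudo audit
# configuration built in steps 2 and 3 above is actually present.
# File paths are taken as arguments so the check can run against copies or
# test fixtures; the defaults are the CentOS 6 paths the article uses.
# Exit status: 0 when both required lines are present, 1 otherwise.

check_sudo_audit() {
    rsyslog_conf=${1:-/etc/rsyslog.conf}
    sudoers=${2:-/etc/sudoers}
    logfile=${3:-/var/log/sudo.log}
    rc=0

    # Step 2: rsyslog must route the local2 facility to the sudo log file.
    if grep -Eq "^local2\.debug[[:space:]]+$logfile" "$rsyslog_conf" 2>/dev/null; then
        echo "ok: $rsyslog_conf routes local2.debug to $logfile"
    else
        echo "missing: 'local2.debug $logfile' in $rsyslog_conf"
        rc=1
    fi

    # Step 3: sudoers must name the dedicated log file. Because the article
    # appends to /etc/sudoers with echo rather than visudo, run 'visudo -c'
    # afterwards by hand: a syntax error there locks everyone out of sudo.
    if grep -Eq "^Defaults[[:space:]]+logfile=$logfile" "$sudoers" 2>/dev/null; then
        echo "ok: $sudoers sets Defaults logfile=$logfile"
    else
        echo "missing: 'Defaults logfile=$logfile' in $sudoers"
        rc=1
    fi

    return $rc
}

# Usage against the live system (reading /etc/sudoers requires root):
#   check_sudo_audit
```

Note that the rsyslog route only receives sudo entries if sudo is also told to use that facility (sudo's `Defaults syslog=local2` option); with sudo's default facility the entries land in /var/log/secure on CentOS, so the `Defaults logfile=` line is what actually fills /var/log/sudo.log.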
Part III: test the audit results in the log
[root@Centos ~]# su - cjkaifa001
[cjkaifa001@Centos ~]$ pwd
/home/cjkaifa001
[cjkaifa001@Centos ~]$ touch 123.txt
[cjkaifa001@Centos ~]$ sudo ls
123.txt
[cjkaifa001@Centos ~]$ cat /var/log/sudo.log
cat: /var/log/sudo.log: Permission denied
Using cat directly is refused because the user lacks permission; after raising privileges with sudo the log can be viewed.
[cjkaifa001@Centos ~]$ sudo cat /var/log/sudo.log
Sep 11 02:41:50: cjkaifa001: TTY=pts/1; PWD=/home/cjkaifa001; USER=root; COMMAND=/bin/ls
Sep 11 02:44:57: cjkaifa001: TTY=pts/1; PWD=/home/cjkaifa001; USER=root; COMMAND=/bin/cat /var/log/sudo.log
The test shows that commands users run through sudo are recorded normally, but other commands (those run without sudo, such as the touch above) are not recorded.
[root@Centos ~]# rm -rf /var/log/sudo.log
[root@Centos ~]# /etc/init.d/rsyslog stop
Shutting down system logger: [ OK ]
[root@Centos ~]# su - cjkaifa001
[cjkaifa001@Centos ~]$ cd /
[cjkaifa001@Centos /]$ pwd
/
[cjkaifa001@Centos /]$ ls /root
ls: cannot open directory /root: Permission denied
[cjkaifa001@Centos /]$ sudo ls /root
[sudo] password for cjkaifa001:
anaconda-ks.cfg  dead.letter  Downloads         install.log.syslog  Public           Videos
Backup           Desktop      etc.tar.gz.2016   Music               tar.gz.20160820
Data             Documents    install.log       Pictures            Templates
[cjkaifa001@Centos /]$ cat /var/log/sudo.log
cat: /var/log/sudo.log: Permission denied
[cjkaifa001@Centos /]$ sudo cat /var/log/sudo.log
[sudo] password for cjkaifa001:
Sep 11 03:24:39: cjkaifa001: TTY=pts/1; PWD=/; USER=root; COMMAND=/bin/ls /root
Sep 11 03:30:57: cjkaifa001: TTY=pts/1; PWD=/; USER=root; COMMAND=/bin/cat /var/log/sudo.log
The test shows that even with the rsyslog service stopped outright, configuring /etc/sudoers alone is enough to record users' sudo privilege-escalation operations.
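Once /var/log/sudo.log is being written, the next thing a reviewer wants is a quick way to read it. The following functions, added here as an example rather than taken from the article, parse lines in the format shown above (the separator also accepts sudo's " : " spacing) and summarise who used sudo, what they ran, and who obtained an interactive root shell. The sample log is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): summarise a sudo log written
# in the format shown above, e.g.
#   Sep 11 03:24:39: cjkaifa001: TTY=pts/1; PWD=/; USER=root; COMMAND=/bin/ls /root
# The field separator below also accepts sudo's " : " spacing.
# The sample log is constructed for this example, not taken from the article's server.

make_sample_log() {
    cat > "$1" <<'EOF'
Sep 11 02:41:50: cjkaifa001: TTY=pts/1; PWD=/home/cjkaifa001; USER=root; COMMAND=/bin/ls
Sep 11 02:44:57: cjkaifa001: TTY=pts/1; PWD=/home/cjkaifa001; USER=root; COMMAND=/bin/cat /var/log/sudo.log
Sep 11 03:24:39: cjkaifa001: TTY=pts/1; PWD=/; USER=root; COMMAND=/bin/ls /root
Sep 11 03:30:57: cjkaifa001: TTY=pts/1; PWD=/; USER=root; COMMAND=/bin/cat /var/log/sudo.log
Sep 11 03:31:10 : ops002 : TTY=pts/2 ; PWD=/home/ops002 ; USER=root ; COMMAND=/bin/bash
EOF
}

# Field 1 is the timestamp, field 2 the invoking user; "COMMAND=" starts the
# command. The separator is a colon followed by a space, so the colons inside
# the time of day are left alone.
SUDO_FS=' ?: '

# One line per user: "<user> <number of sudo invocations>", sorted by user.
sudo_log_summary() {
    awk -F"$SUDO_FS" '$2 != "" { n[$2]++ } END { for (u in n) print u, n[u] }' "$1" | sort
}

# The commands a given user ran through sudo, one per line, in log order.
sudo_log_commands() {
    awk -F"$SUDO_FS" -v user="$2" \
        '$2 == user { sub(/.*COMMAND=/, ""); print }' "$1"
}

# Users who obtained an interactive root shell. The article's test shows that
# sudo.log records only the sudo invocation itself; whatever is typed inside
# that shell is not recorded, so these entries deserve a closer look.
sudo_log_shells() {
    awk -F"$SUDO_FS" '/COMMAND=(\/usr)?\/bin\/(ba)?sh *$/ { print $2 }' "$1" | sort -u
}
```

Run `sudo_log_summary /var/log/sudo.log` as root on the server configured above; the other two functions take the log path and, for `sudo_log_commands`, a user name.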
That concludes the article on how to configure sudo log auditing on a Linux system. To master its knowledge points you still need to practise them yourself. For more related articles, please follow the industry information channel.