sudo权限集中管理+日志审计实战-优快云博客

本文介绍如何通过Sudo进行用户权限的精细化管理，并实现日志审计，确保系统的安全性与合规性。涵盖权限分配策略、日志配置及集中管理方案。

1）sudo用户权限集中管理

1.分析业务需求

根据业务不同，区分不通权限

初级运维	tom
高级运维	lucy
运维经理	stven
初级开发	john
开发经理	jie
网络工程师	san

2.权限分类（示例）

初级运维	/bin/cat,/bin/ls,/usr/bin/top
高级运维	/bin/cat,/bin/cat,/bin/ls,/bin/vi,/bin/cp,/bin/rm,/bin/su
运维经理	all
初级开发	/bin/cat,/bin/ls
开发经理	All,/usr/bin/passwd,!/usr/bin/passwd root,!/bin/vi /etc/sudoers,!/usr/bin/vim /etc/sudoers
网络工程师	/sbin/ifconfig

3.用户别名

# User_Alias ADMINS = jsmith, mikem

CHUJI_YUNWEI	tom
GAOJI_YUNWEI	lucy
SAMANAGER	stven
CHUJI_KAIFA	john
SOFTMANAGER	jie
NETWORK	san

User_Alias CHUJI_YUNWEI = tom

User_Alias GAOJI_YUNWEI = lucy

User_Alias SAMANAGER = stven

User_Alias CHUJI_KAIFA = john

User_Alias SOFTMANAGER = jie

User_Alias NETWORK = san

4.命令别名

注意一行命令没写完，要用“\”转接到下一行接续

Cmnd_Alias CHUJI_YUNWEI_CMD = /bin/cat,/bin/ls,/usr/bin/top

Cmnd_Alias GAOJI_YUNWEI_CMD= /bin/cat,/bin/cat,/bin/ls,/bin/vi,/bin/cp,/bin/rm,/bin/su

Cmnd_Alias SAMANAGER_CMD = all

Cmnd_Alias CHUJI_KAIFA_CMD = /bin/cat,/bin/ls

Cmnd_Alias SOFTMANAGER_CMD = All,/usr/bin/passwd,\

!/usr/bin/passwd root,!/bin/vi /etc/sudoers,!/usr/bin/vim /etc/sudoers

Cmnd_Alias NETWORK_CMD = /sbin/ifconfig

5.主机别名

Host_Alias SERVER = student

6.编辑/etc/sudoers授权

[root@student ~]# visudo

CHUJI_YUNWEI ALL=（ALL） CHUJI_YUNWEI_CMD

GAOJI_YUNWEI ALL=（ALL） GAOJI_YUNWEI_CMD

SAMANAGER ALL=（ALL） SAMANAGER_CMD

CHUJI_KAIFA ALL=（SERVER） CHUJI_KAIFA_CMD

SOFTMANAGER ALL=（SERVER） SOFTMANAGER_CMD

NETWORK ALL=（ALL） NETWORK_CMD

实战操作：

1）将以下内容追加到/etc/sudoer文件中

[root@student ~] # visudo

User_Alias CHUJI_YUNWEI = tom

User_Alias GAOJI_YUNWEI = lucy

User_Alias SAMANAGER = stven

User_Alias CHUJI_KAIFA = john

User_Alias SOFTMANAGER = jie

User_Alias NETWORK = san

Cmnd_Alias CHUJI_YUNWEI_CMD = /bin/cat , /bin/ls , /usr/bin/top

Cmnd_Alias GAOJI_YUNWEI_CMD= /bin/cat , /bin/cat , /bin/ls , /bin/vi , /bin/cp , /bin/rm , /bin/su

Cmnd_Alias CHUJI_KAIFA_CMD = /bin/cat , /bin/ls

Cmnd_Alias SAMANAGER_CMD = ALL

Cmnd_Alias SOFTMANAGER_CMD = ALL,! /usr/bin/passwd ,\

! /usr/bin/passwd root,! /bin/vi /etc/sudoers ,! /usr/bin/vim /etc/sudoers

Cmnd_Alias NETWORK_CMD = /sbin/ifconfig

CHUJI_YUNWEI ALL = (ALL) CHUJI_YUNWEI_CMD

GAOJI_YUNWEI ALL = (ALL) GAOJI_YUNWEI_CMD

SAMANAGER ALL = (ALL) SAMANAGER_CMD

CHUJI_KAIFA SERVER = (ALL) CHUJI_KAIFA_CMD

SOFTMANAGER ALL = (ALL) SOFTMANAGER_CMD

NETWORK ALL = (ALL) NETWORK_CMD

"/etc/sudoers.tmp" 145L, 4842C written

[root@student ~] #

sudo -l 可以查看当前用户下的sudu命令权限

[root@student ~] # su - tom

[tom@student ~]$ sudo -l

[ sudo ] password for tom:

匹配此主机上 tom 的默认条目：

requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME

HISTSIZE INPUTRC KDEDIR LS_COLORS ", env_keep+=" MAIL PS1 PS2 QTDIR USERNAME LANG

LC_ADDRESS LC_CTYPE ", env_keep+=" LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT

LC_MESSAGES ", env_keep+=" LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",

env_keep+= "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" ,

secure_path= /sbin \: /bin \: /usr/sbin \: /usr/bin

用户 tom 可以在该主机上运行以下命令：

(ALL) /bin/cat , /bin/ls , /usr/bin/top

[tom@student ~]$ sudo cp /etc/services /tmp

对不起，用户 tom 无权以 root 的身份在 student 上执行 /bin/cp /etc/services /tmp 。

[tom@student ~]$ sudo cp /etc/services /tmp

对不起，用户 tom 无权以 root 的身份在 student 上执行 /bin/cp /etc/services /tmp 。

[tom@student ~]$

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

2）Sudo日志审计

安装sudo和rsyslog服务

[root@student ~] # rpm -aq | egrep "sudo|rsyslog"

rsyslog-5.8.10-8.el6.x86_64

sudo -1.8.6p3-12.el6.x86_64

[root@student ~] #

没有的话可以yum install rsyslog -y

创建sudo日志文件

[root@student ~] # cat /etc/redhat-release

CentOS release 6.5 (Final)

[root@student ~] #echo “local2.debug /var/log/sudo.log” >>/etc/rsyslog.conf

[root@student ~] # tail -1 /etc/rsyslog.conf

local2.debug /var/log/sudo .log

[root@student ~] #echo “local2.debug /var/log/sudo.log” >>/etc/rsyslog.conf

重启rsyslog服务

[root@student ~] # /etc/init.d/rsyslog restart

关闭系统日志记录器： [确定]

启动系统日志记录器： [确定]

[root@student ~] #

测试：

[root@student ~] # su - lucy

[lucy@student ~]$ sudo -l

[ sudo ] password for lucy:

匹配此主机上 lucy 的默认条目：

requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME

HISTSIZE INPUTRC KDEDIR LS_COLORS ", env_keep+=" MAIL PS1 PS2 QTDIR USERNAME LANG

LC_ADDRESS LC_CTYPE ", env_keep+=" LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT

LC_MESSAGES ", env_keep+=" LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",

env_keep+= "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" ,

secure_path= /sbin \: /bin \: /usr/sbin \: /usr/bin

用户 lucy 可以在该主机上运行以下命令：

(ALL) /bin/cat , /bin/cat , /bin/ls , /bin/vi , /bin/cp , /bin/rm , /bin/su

[lucy@student ~]$ mv /tmp/services /

mv : 无法将 "/tmp/services" 移动至 "/services" : 不允许的操作

[lucy@student ~]$ sudo mv /tmp/services /

对不起，用户 lucy 无权以 root 的身份在 student 上执行 /bin/mv /tmp/services /。

[lucy@student ~]$

[lucy@student ~]$ cat /var/log/sudo .log

cat : /var/log/sudo .log: 权限不够

[lucy@student ~]$ sudo cat /var/log/sudo .log

Nov 19 04:35:53 : lucy : 命令禁止使用 ; TTY=pts /1 ; PWD= /home/lucy ;

USER=root ; COMMAND= /usr/sbin/visudo

Nov 19 04:36:22 : lucy : 命令禁止使用 ; TTY=pts /1 ; PWD= /home/lucy ;

USER=root ; COMMAND= /bin/touch /a .txt

Nov 19 04:37:26 : tom : 命令禁止使用 ; TTY=pts /1 ; PWD= /home/tom ;

USER=root ; COMMAND= /sbin/ifconfig

Nov 19 04:37:40 : tom : TTY=pts /1 ; PWD= /home/tom ; USER=root ; COMMAND=list

[lucy@student ~]$

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

3)日志集中管理

1）rsync+inotify或定时任务+rsync,推到日志管理服务器上，10.0.0.7_20120309.sudo.log

2)syslog服务来处理

添加hosts解析

1	`[root@MySQL-A~]` `#echo "10.10.10.1 logserver">>/etc/hosts`

#日志服务器地址

1	`[root@MySQL-A~]` `#echo "*.info @logserver">>/etc/syslog.conf<<====适合所有日志推走`

3）日志收集解决方案scribe、Flume、logstash、stom

本文出自 “秦仙儿” 博客，请务必保留此出处http://youdong.blog.51cto.com/3562886/1719639

转载于:https://blog.51cto.com/dengxujie/1892957