Centralized Log Auditing for the Whole Network


tags: log auditing, sudo, rsyslog

1. Overview of log auditing and why it is needed

Log auditing means recording the actions of all systems and their users, with automatic analysis, processing and presentation of the records. Once sudo has been rolled out across the company network to stop the spread of the root superuser account, the risk of internal mistakes and security incidents is reduced at the source. After privileges have been restricted, however, a logging scheme for all users is still needed, so that every command run by operations and development staff can be looked up later; only then can insider risk really be closed off, since many serious security incidents actually originate inside the organisation. Recording every action of every ordinary user would produce a huge volume of data that is awkward to query later, and ordinary-user activity does not endanger the system anyway: it consists of routine read-only commands or edits to the user's own files, so there is little need to audit it. What matters is the log of commands run with elevated privileges through sudo. sudo log auditing combines sudo with syslog to record the actions of all users and manage the records centrally.

2. Steps for sudo log auditing with the rsyslog service

2.1 Install the sudo command and the rsyslog service (on CentOS 6.4 and later the service is rsyslog)

[root@maiyat ~]# rpm -qa sudo
sudo-1.8.6p3-29.el6_9.x86_64
[root@maiyat ~]# rpm -qa rsyslog
rsyslog-5.8.10-10.el6_6.x86_64

2.2 Configure /etc/sudoers by adding the line "Defaults logfile=/var/log/sudolog", for example:

[root@maiyat ~]# echo "Defaults    logfile=/var/log/sudolog" >>/etc/sudoers
[root@maiyat ~]# tail -1 /etc/sudoers
Defaults    logfile=/var/log/sudolog
[root@maiyat ~]# visudo -c
visudo: Warning: User_Alias `GY01' referenced but not defined
/etc/sudoers: parsed OK

2.3 Configure the system log in /etc/rsyslog.conf by adding a local2.debug rule. The file named in this rule must be the same file named by Defaults logfile in /etc/sudoers (the transcript below configures /var/log/sudolog but lists /var/log/sudo.log, and from section 3 onward the file pushed to the log server is /var/log/sudo.log, so use one spelling throughout). Note also that sudo only sends its messages to the local2 facility if /etc/sudoers contains "Defaults syslog=local2"; with only "Defaults logfile=" set, sudo writes the file directly and the rsyslog rule carries nothing.

[root@maiyat ~]# echo "local2.debug   /var/log/sudolog" >>/etc/rsyslog.conf
[root@maiyat ~]# /etc/init.d/rsyslog restart
[root@maiyat ~]# ls -l /var/log/sudo.log
-rw-------. 1 root root 0 Jun 30 23:15 /var/log/sudo.log

2.4 Verify that the configuration works

[root@maiyat ~]# su - test
[test@maiyat ~]$ sudo passwd aaa
Changing password for user aaa.
New password:
BAD PASSWORD: it does not contain enough DIFFERENT characters
BAD PASSWORD: is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.
[test@maiyat ~]$ exit
[root@maiyat ~]# ls -l /var/log/sudo.log
-rw-------. 1 root root 98 Jun 30 23:30 /var/log/sudo.log
[root@maiyat ~]# cat /var/log/sudo.log
Jun 30 23:30:49 : test : TTY=pts/0 ; PWD=/home/test ; USER=root ;
COMMAND=/usr/bin/passwd aaa
[root@maiyat ~]#
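A consistency check for the pieces configured above, added here as an example (it is not from the article): it reads copies of sudoers and rsyslog.conf, extracts "Defaults logfile=" and "Defaults syslog=" (sudo's default facility is authpriv when the latter is absent), and confirms that the file a push job will later ship is actually written by one of the two. The function names and the --check flag are this example's own; it assumes one option per Defaults line, as written in the article.

```bash
#!/bin/bash
# Added example: check that the sudo audit log the push job ships is really
# being written, either by sudo itself (Defaults logfile=) or by rsyslog for
# the facility sudo logs to (Defaults syslog=, authpriv when unset).
# Function names and the --check flag are this example's own (assumed).

# Print the logfile path configured in a sudoers file, or nothing if absent.
sudoers_logfile() {
    sed -n 's/^[[:space:]]*Defaults[[:space:]][[:space:]]*logfile[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Print the syslog facility sudo is told to use; sudo's compiled-in default on
# Linux is authpriv when no "Defaults syslog=" line is present.
sudoers_facility() {
    local f
    f=$(sed -n 's/^[[:space:]]*Defaults[[:space:]][[:space:]]*syslog[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${f:-authpriv}"
}

# rsyslog_target RSYSLOG_CONF FACILITY
# Print the last file rsyslog writes for "<facility>.<priority>" rules
# (remote targets such as @logserver are ignored), or nothing if there is none.
rsyslog_target() {
    awk -v fac="$2" '$1 ~ ("^" fac "\\.") && $2 ~ /^\// { print $2 }' "$1" | tail -n 1
}

# check_audit_config SUDOERS RSYSLOG_CONF PUSHED_FILE
# Returns 0 when PUSHED_FILE is written by sudo or by rsyslog, 1 otherwise.
check_audit_config() {
    local sudoers=$1 rsyslog=$2 pushed=$3 logfile facility target
    logfile=$(sudoers_logfile "$sudoers")
    facility=$(sudoers_facility "$sudoers")
    target=$(rsyslog_target "$rsyslog" "$facility")
    if [ -n "$logfile" ] && [ "$pushed" = "$logfile" ]; then
        echo "ok: $pushed is written directly by sudo (Defaults logfile)"
        return 0
    fi
    if [ -n "$target" ] && [ "$pushed" = "$target" ]; then
        echo "ok: $pushed is written by rsyslog from facility $facility"
        return 0
    fi
    echo "problem: $pushed is written neither by sudo (logfile=${logfile:-unset})" \
         "nor by rsyslog (facility $facility -> ${target:-no file rule})"
    return 1
}

# Usage on the audited host (as root):
#   sh check-audit-config.sh --check [/path/to/pushed/file]
if [ "${1:-}" = "--check" ]; then
    check_audit_config /etc/sudoers /etc/rsyslog.conf "${2:-/var/log/sudo.log}"
fi
```

Run against the article's own values (logfile=/var/log/sudolog, no Defaults syslog, rsyslog rule local2.debug /var/log/sudolog) the check passes for /var/log/sudolog and fails for /var/log/sudo.log, which is exactly the mismatch between the configuration and the file the later sections push.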

3. Centralized log auditing across the whole network

3.1 Push sudo.log to the log management server with rsync and a cron job

Below we use a cron job plus an rsync push. The host currently being audited is maiyat (IP 192.168.50.2); our central backup host is backup (IP 192.168.50.4).

3.1.1 Install rsync on both the backup and maiyat hosts, for example:

maiyat host

[root@maiyat script]# uname -m
x86_64
[root@maiyat script]# rpm -qa rsync
rsync-3.0.6-12.el6.x86_64
[root@maiyat script]#

backup host

[root@backup 192.168.50.2_2018-07-01]# uname -r
2.6.32-696.23.1.el6.x86_64
[root@backup 192.168.50.2_2018-07-01]# uname -m
x86_64
[root@backup 192.168.50.2_2018-07-01]# rpm -qa rsync
rsync-3.0.6-12.el6.x86_64
[root@backup 192.168.50.2_2018-07-01]#

3.1.2 Create the rsyncd.conf configuration file on the rsync server, for example:

[root@backup 192.168.50.2_2018-07-01]# cat /etc/rsyncd.conf
# rsyncd-conf start
uid = rsync
gid = rsync
use chroot = no
max connections = 2000
timeout = 600
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log
# the directive is "ignore errors" (a boolean), not "ignore = errors"
ignore errors = yes
read only = false
list = false
hosts allow = 192.168.50.0/24
# deny every address that did not match hosts allow; 0.0.0.0/32 would only
# match the single address 0.0.0.0 and let any other network through
hosts deny = 0.0.0.0/0
auth users = rsync-backup
secrets file = /etc/rsync.password
#####################################
[backup]
comment = backup
path = /backup

3.1.3 On the rsync server, create the password file matching rsyncd.conf, and the rsync user. The secrets file should be readable by root only (mode 600, as is done on the client in 3.1.5): with the default "strict modes = yes", rsync refuses a secrets file that other users can read.

[root@backup ~]# useradd rsync -M -s /sbin/nologin
[root@backup ~]# id rsync
uid=547(rsync) gid=547(rsync) groups=547(rsync)
[root@backup ~]# echo "rsync-backup:root" >/etc/rsync.password
[root@backup ~]# ls -l /etc/rsync.password
-rwxr-xr-x. 1 root root 18 May 21 06:23 /etc/rsync.password

3.1.4 Create the backup directory on the rsync server. It must match the path in rsyncd.conf and be owned by the rsync user; if this ownership step is skipped, authentication errors may appear.

[root@backup ~]# mkdir -p /backup
[root@backup ~]# chown -R rsync:rsync /backup
[root@backup ~]# ls -ld /backup/
drwxr-xr-x. 2 rsync rsync 4096 Jun 19 01:10 /backup/

3.1.5 On the client, create the password file matching the server's rsyncd.conf, set its mode to 600, and test that a push to the server works, for example:

[root@maiyat ~]# echo "root" > /etc/rsync.password
[root@maiyat ~]# chmod 600 /etc/rsync.password
[root@maiyat ~]# ls -l /etc/rsync.password
-rw-------. 1 root root 5 Jul  1 00:06 /etc/rsync.password
[root@maiyat ~]# rsync -avz /var/log/sudo.log rsync-backup@192.168.50.4::backup/ --password-file=/etc/rsync.password
sending incremental file list
sudo.log

sent 159 bytes  received 27 bytes  372.00 bytes/sec
total size is 98  speedup is 0.53

3.1.6 Once the push works from the client, deploy a script and a cron job that push sudo.log on a schedule, for example:

[root@maiyat script]# vim sudo-bak.sh
#!/bin/bash
# the IPv4 address of eth0 names this host's directory on the backup server
dir=$(ifconfig eth0 | awk -F '[ :]+' 'NR==2 {print $4}')
path=/backup
mkdir -p "$path/$dir" &&
/bin/cp /var/log/sudo.log "$path/$dir/sudo_log_$(date +%F)" &&
rsync -az "$path" rsync-backup@192.168.50.4::backup/ --password-file=/etc/rsync.password
[root@maiyat script]# sh /service/script/sudo-bak.sh

Check on the rsync server:

[root@backup backup]# cd backup/
[root@backup backup]# ls
192.168.50.2
[root@backup backup]# cd 192.168.50.2/
[root@backup 192.168.50.2]# ls -l
total 4
-rw-------. 1 rsync rsync 98 Jul  1  2018 sudo_log_2018-07-01
[root@backup 192.168.50.2]#

Deploy the cron job on the rsync client; we normally push at 3 a.m., for example:

[root@maiyat backup]# echo "0 3 * * *  sh /service/script/sudo-bak.sh" >>/var/spool/cron/root
[root@maiyat backup]# crontab -l |grep "sudo"
0 3 * * *  sh /service/script/sudo-bak.sh

The system date is set with the following format:

date [MMDDhhmm[[CC]YY][.ss]]
month day hour minute year .seconds
[root@maiyat backup]# date 070102592018.55
Sun Jul  1 02:59:00 CST 2018
[root@maiyat backup]#
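The push script above copies the log into a per-host, per-day file and ships it, but nothing records what the client actually sent, so a copy that is altered on the backup host or damaged in transit looks no different from a good one. The script below is an added example (not the article's sudo-bak.sh) that writes a SHA-256 manifest next to each staged copy so that the backup host can verify the files it holds. The function names, the MANIFEST.sha256 file, the --run flag and the use of the ip command to find the eth0 address are this example's own choices; the rsync target is the one used throughout the article.

```bash
#!/bin/bash
# Added example: stage the sudo log with a checksum manifest before the rsync
# push, so the copy on the backup host can be verified against what the
# client recorded. Function names, MANIFEST.sha256 and the --run flag are
# this example's own (assumed), not the article's script.
set -u

# stage_sudo_log SRC STAGE_ROOT HOST_ID DATE
# Copies SRC to STAGE_ROOT/HOST_ID/sudo_log_DATE, records its SHA-256 in
# STAGE_ROOT/HOST_ID/MANIFEST.sha256 and prints the path of the staged copy.
stage_sudo_log() {
    local src=$1 root=$2 host=$3 day=$4 dir dest
    dir="$root/$host"
    dest="$dir/sudo_log_$day"
    mkdir -p "$dir" || return 1
    # copy with mode 0600 so the staged audit data is readable by root only
    (umask 077 && cp "$src" "$dest") || return 1
    # manifest lines are "<hash>  <relative name>", so "sha256sum -c" works
    # from inside the host directory on either end of the transfer
    (cd "$dir" && sha256sum "sudo_log_$day") >> "$dir/MANIFEST.sha256" || return 1
    printf '%s\n' "$dest"
}

# verify_stage STAGE_ROOT HOST_ID
# Returns 0 when every file listed in the manifest still matches its hash.
verify_stage() {
    local dir="$1/$2"
    [ -f "$dir/MANIFEST.sha256" ] || return 1
    (cd "$dir" && sha256sum -c MANIFEST.sha256) >/dev/null 2>&1
}

# push_stage STAGE_ROOT MODULE_URL PASSWORD_FILE
# The article's rsync push, kept in its own function so staging can be
# exercised without a network; MODULE_URL looks like user@host::module/
push_stage() {
    rsync -az "$1" "$2" --password-file="$3"
}

# Host identifier: the IPv4 address of eth0 (the interface name is assumed,
# as in the article), falling back to the hostname if it cannot be read.
host_id() {
    local ip
    ip=$(ip -4 -o addr show eth0 2>/dev/null | awk '{print $4}' | cut -d/ -f1)
    printf '%s\n' "${ip:-$(hostname)}"
}

# Cron entry point: sh stage-sudo-log.sh --run
if [ "${1:-}" = "--run" ]; then
    host=$(host_id)
    stage_sudo_log /var/log/sudo.log /backup "$host" "$(date +%F)" >/dev/null \
      && verify_stage /backup "$host" \
      && push_stage /backup rsync-backup@192.168.50.4::backup/ /etc/rsync.password
fi
```

On the backup host the same manifest is checked with "cd /backup/backup/192.168.50.2 && sha256sum -c MANIFEST.sha256"; a line that reports FAILED points at a copy that no longer matches what the client staged, which is the signal an auditor wants before trusting the file.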

3.2 Real-time synchronization with rsync and inotify

3.2.1 Deploy inotify on the rsync client. First check whether the kernel supports inotify: if the following three files exist, it does.

[root@maiyat ~]# ls -l /proc/sys/fs/inotify/
total 0
-rw-r--r-- 1 root root 0 Jul  1 03:06 max_queued_events
-rw-r--r-- 1 root root 0 Jul  1 03:06 max_user_instances
-rw-r--r-- 1 root root 0 Jul  1 03:06 max_user_watches

3.2.2 Download the inotify source package and install it, for example:

[root@maiyat ~]# tar -zxf inotify-tools-3.14.tar.gz
[root@maiyat ~]# cd inotify-tools-3.14/
[root@maiyat inotify-tools-3.14]# ./configure --prefix=/usr/local/inotify-tools-3.14/
[root@maiyat inotify-tools-3.14]# echo $?
0
[root@maiyat inotify-tools-3.14]#
[root@maiyat inotify-tools-3.14]# make && make install
[root@maiyat local]# ln -s /usr/local/inotify-tools-3.14/ /usr/local/inotify-tools

3.2.3 Deploy a script on the rsync client that watches /var/log/sudo.log and pushes it automatically whenever it changes.

[root@maiyat script]# vim inotify.sh
#!/bin/bash
inotify=/usr/local/inotify-tools/bin/inotifywait
# -m keeps watching, -r recurses, -q is quiet; one line (the changed path) per event
$inotify -mrq --format '%w%f' -e create,close_write,delete /var/log/sudo.log | while read file
do
    # on every event push the whole file to this host's directory in the backup module
    cd / &&
    rsync -az --delete /var/log/sudo.log rsync-backup@192.168.50.4::backup/192.168.50.2/sudo.log --password-file=/etc/rsync.password
done

3.2.4 Deploy a check script on the rsync client that checks whether inotify is running and starts it if it is not.

[root@maiyat script]# vi check-inotify.sh
#!/bin/bash
# count inotifywait processes rather than grepping for "inotify": that pattern
# also matches this check script's own command line (check-inotify.sh), so the
# count would never be zero and the watcher would never be restarted
a=$(ps -ef | grep inotifywait | grep -v "grep" | wc -l)
if [ "$a" -ne 0 ]; then
    exit 1
else
    sh /service/script/inotify.sh &
fi

3.2.5 On the rsync client, set a cron job that runs the check every 30 minutes, and add the inotify script to rc.local so that it starts at boot. If someone kills it by mistake, the periodic check script notices and starts it again, for example:

[root@maiyat script]# echo "*/30 * * * *  sh /service/script/check-inotify.sh" >> /var/spool/cron/root
[root@maiyat script]# crontab -l |grep "check"
*/1 * * * *  sh /service/script/check-inotify.sh
[root@maiyat script]#
[root@maiyat script]# echo "sh /service/script/inotify.sh &" >>/etc/rc.local
[root@maiyat script]# tail -1 /etc/rc.local
sh /service/script/inotify.sh &
[root@maiyat script]#

3.3 Synchronization through the rsyslog service

Because the local /var/log/sudolog is pushed to a remote backup server, the local machine is the client and the remote server is the rsyslog server. This method is not really recommended, because it forwards far more than the sudo log; choose it when all logs are to be forwarded. Its usage is described below.

3.3.1 On the client, add a name resolution entry, write the forwarding rule into /etc/rsyslog.conf, then restart the rsyslog service, for example:

[root@maiyat ~]# echo "192.168.50.4  logserver" >>/etc/hosts
[root@maiyat ~]# tail -1 /etc/hosts
192.168.50.4  logserver
[root@maiyat ~]# echo "*.info  @logserver" >> /etc/rsyslog.conf
[root@maiyat ~]# tail -1 /etc/rsyslog.conf
*.info  @logserver
[root@maiyat ~]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:

3.3.2 On the server, edit /etc/rsyslog.conf to enable the UDP and TCP input modules ($ModLoad imudp with $UDPServerRun 514, $ModLoad imtcp with $InputTCPServerRun 514), for example. Note that the "& ~" line after the "*.* ?RemoteHost" action discards every message once it has been written to the per-host file, the server's own local messages included, so the standard rules below it (/var/log/messages, /var/log/secure and so on) receive nothing; if local logging on the log server is still wanted, place those standard rules before the template rule.

[root@backup ~]# egrep -v "#|^$" /etc/rsyslog.conf
#### receive logs over udp
$ModLoad imudp
$UDPServerRun 514
$template RemoteHost,"/data/syslog/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"
*.*  ?RemoteHost
& ~
########### receive logs over tcp
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
####### include every configuration file ending in .conf under /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                    /var/log/secure
mail.*                                      /var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                      *
uucp,news.crit                                /var/log/spooler
local7.*                                    /var/log/boot.log
# the sudo.log rule we added to match the client configuration
local2.debug                                 /var/log/sudo.log
[root@backup ~]#

3.3.3 Restart the rsyslog service on the server and test whether it works

[root@backup ~]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

Generate sudo log entries on the client:

[root@maiyat ~]# su - test
[test@maiyat ~]$ sudo -l
[test@maiyat ~]$ sudo useradd bvbv
[test@maiyat ~]$ exit
logout
[root@maiyat ~]#

Verify the result on the server:

[root@backup 2018-06-19]# cat 192.168.50.2.log
2018-07-01T06:23:21+08:00 maiyat sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=list
2018-07-01T06:23:30+08:00 maiyat sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/usr/sbin/useradd bvbv
2018-07-01T06:23:30+08:00 maiyat useradd[3398]: new group: name=bvbv, GID=550
2018-07-01T06:23:30+08:00 maiyat useradd[3398]: new user: name=bvbv, UID=550, GID=550, home=/home/bvbv, shell=/bin/bash
2018-07-01T06:24:01+08:00 maiyat CROND[3409]: (root) CMD (sh /service/script/check-iotify.sh )
[root@backup 2018-06-19]#

The verification shows no problems: the activity has been audited. The rsyslog approach is simple and convenient, but it collects several logs into one file, which makes reading them awkward, whereas the rsync push stores each log on the backup server under the host name and date as the file name, which is the more flexible arrangement.
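The two record formats on this page differ: the file sudo writes through "Defaults logfile=" (section 2) carries no hostname and wraps long lines, indenting the continuation, while the lines rsyslog forwards (section 3.3) carry an ISO timestamp, the hostname and a "sudo:" tag and sit among unrelated messages such as useradd and CROND. The script below is an added example (not from the article) that turns both into one tab-separated form, host / invoking user / target user / command, and counts commands per host and user, which is what an auditor reads first whichever transport was chosen. The function names are this example's own; the host label for the logfile format is a parameter because that format does not record it.

```bash
#!/bin/bash
# Added example (not the article's code): normalise sudo audit records from
# both formats seen on this page into "host<TAB>user<TAB>runas<TAB>command".
# Lines that are not sudo records (useradd, CROND, ...) are skipped.
set -u

# sudo_records FILE DEFAULT_HOST
# DEFAULT_HOST labels records in the logfile format, which has no hostname.
# sudo wraps long logfile lines (Defaults loglinelen, 80 by default) and
# indents the continuation, so indented lines are joined to the record above.
sudo_records() {
    awk -v dhost="$2" '
    function flush(   n, user, rest, i, nf, kv, runas, cmd) {
        if (pend == "") return
        n = index(pend, " : ")
        user = substr(pend, 1, n - 1)
        rest = substr(pend, n + 3)
        runas = ""; cmd = ""
        nf = split(rest, kv, / ; /)
        for (i = 1; i <= nf; i++) {
            if (kv[i] ~ /^USER=/)    runas = substr(kv[i], 6)
            if (kv[i] ~ /^COMMAND=/) cmd = substr(kv[i], 9)
        }
        printf "%s\t%s\t%s\t%s\n", phost, user, runas, cmd
        pend = ""
    }
    # syslog-forwarded record: "<ISO time> <host> sudo: <user> : TTY=..."
    /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[^ ]* [^ ]+ sudo: / {
        flush()
        phost = $2
        pend = $0; sub(/^[^ ]* [^ ]+ sudo: +/, "", pend)
        next
    }
    # direct logfile record: "<Mon> <dd> <hh:mm:ss> : <user> : TTY=..."
    /^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ : / {
        flush()
        phost = dhost
        pend = $0; sub(/^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ : /, "", pend)
        next
    }
    # indented continuation of a wrapped logfile record
    pend != "" && /^[ \t]+/ { line = $0; sub(/^[ \t]+/, "", line); pend = pend " " line; next }
    # anything else ends the pending record and is ignored
    { flush() }
    END { flush() }
    ' "$1"
}

# sudo_count_by_user FILE DEFAULT_HOST
# Number of sudo commands per host and invoking user, most active first.
sudo_count_by_user() {
    sudo_records "$1" "$2" | cut -f1,2 | sort | uniq -c | sort -rn
}

# Usage: sh sudo-records.sh /var/log/sudo.log 192.168.50.2
#        sh sudo-records.sh /data/syslog/2018-07-01/192.168.50.2.log -
if [ $# -ge 2 ]; then
    sudo_records "$1" "$2"
    echo "--- commands per host/user ---"
    sudo_count_by_user "$1" "$2"
fi
```

Because the logfile format has no hostname, the push script's per-host directory (192.168.50.2 in the article) is the natural label to pass as DEFAULT_HOST when running this over the files collected on the backup server.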
