Configuring sudo log auditing
Editor's note: this article was compiled by the cha138.com editors and covers configuring sudo log auditing; we hope it is a useful reference.
1. Install sudo and the syslog service
```
# rpm -qa | grep sudo
sudo-1.8.6p3-24.el6.x86_64
# rpm -qa | grep rsyslog
rsyslog-5.8.10-10.el6_6.x86_64
```
Check that both packages are present; if either is missing, install it:

```
yum install sudo -y
yum install rsyslog -y
```

Note: CentOS 5.x ships syslog, CentOS 6.x ships rsyslog.
2. Configure the services

Create the log directory. On a standard install /var/log already exists, so this is a no-op; sudo creates /var/log/sudo.log itself, owned by root and readable only by root, the first time it writes to it.

```
# mkdir -p /var/log/
```
Check the server environment:

```
# cat /etc/redhat-release
CentOS release 6.5 (Final)
# uname -r
2.6.32-431.el6.x86_64
```

The server runs CentOS 6.5, so the syslog configuration file is /etc/rsyslog.conf. Append a rule that sends everything logged on the local2 facility (local2.debug matches debug and every higher priority) to /var/log/sudo.log:

```
# echo "local2.debug /var/log/sudo.log" >> /etc/rsyslog.conf
```

Caveat: this rule only does something if sudo is told to use that facility. sudo's default syslog facility is authpriv (the `syslog` option in sudoers(5)), so without a matching `Defaults syslog=local2` in /etc/sudoers the local2 rule never fires. The entries that appear in /var/log/sudo.log in the test at the end of this article come from the `Defaults logfile=` directive, which has sudo write the file directly; rsyslog is not involved in them.
Verify the configuration:

```
# tail -1 /etc/rsyslog.conf
local2.debug /var/log/sudo.log
```
If the server runs CentOS 5.x, the syslog configuration file is /etc/syslog.conf instead and the same rule goes there (the /etc/sudoers change in the next step is identical on both releases):

```
# echo "local2.debug /var/log/sudo.log" >> /etc/syslog.conf
```

Verify the configuration:

```
# tail -1 /etc/syslog.conf
local2.debug /var/log/sudo.log
```
3. Configure /etc/sudoers

```
# echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
# tail -1 /etc/sudoers
Defaults logfile=/var/log/sudo.log
# visudo -c
```

Appending with echo bypasses the locking and syntax check that visudo provides, so the final `visudo -c` is not optional: a syntax error in /etc/sudoers makes sudo refuse to run for everyone, including the administrator who needs it to repair the file. Editing with `visudo`, or placing the line in a file under /etc/sudoers.d/ (included by the stock CentOS 6 sudoers), avoids that risk.
4. Restart the service

```
# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
```
5. Test the audit result

Run a command through sudo (here from the /etc/sudoers.d directory) and read the log:

```
# sudo ls
cloud-init
# cat /var/log/sudo.log
Jul 3 06:22:53 : root : TTY=pts/1 ; PWD=/etc/sudoers.d ; USER=root ; COMMAND=/bin/ls
```

Each entry records the time, the invoking user, the terminal, the working directory, the target user (USER=) and the resolved path of the command. This is sudo's own logfile format, written by sudo itself. Because root can edit or delete a local file, an audit trail that has to survive a compromised host also needs the syslog path (`Defaults syslog=local2`) so that rsyslog can forward the entries to a remote collector.