linux日志服务器审计客户端history记录
<p>一、需求:</p><div class="cnblogs_code">
<pre>将服务器上的每个用户执行的命令、执行时间、登录时间、主机ip、当前切换用户等信息保存到本地并实时传输至日志服务器进行异地保存。</pre>
</div>
<p>rsyslog-server: 192.168.1.240</p>
<p>rsyslog-client: 192.168.1.25</p>
<p> </p>
<p>二、工具及服务:</p>
<div class="cnblogs_code">
<pre>1、logger
logger 是一个shell接口,可以通过该接口使用rsyslog的日志模块。
usage: logger [-is] [-f file] [-p pri] [-t tag] [-u socket] [ message ... ]
-i 逐行记录每一次logger的进程id
-f file记录特定的文件
-p 输入消息的特定优先级,默认是'user.notice'
-t tag为每行信息打上特定的标签
-u 以特定的socker代替内嵌系统常规工作
2、rsyslog日志服务器
rsyslog是syslog的加强版,可以用作客户端及服务器,我们可以使用local0~local7来自定义设备传输至rsyslog
3、PROMPT_COMMAND
Linux系统的环境变量PROMPTCOMMAND的内容会在bash提示符显示之前被执行。
该环境变量的默认值是 history -a 功能是将目前新增的history追加到histfiles 中,默认写入隐藏文件~/.bash_history中</pre>
</div>
<p> </p>
<p>三、实现:</p>
<p>1、配置rsyslog日志服务器:</p>
<div class="cnblogs_code">
<pre># vim /etc/<span style="color: rgba(0, 0, 0, 1)">rsyslog.conf
# 添加以下几行
# 启动udp端口也可以是tcp端口
$ModLoad imudp
$UDPServerRun </span><span style="color: rgba(128, 0, 128, 1)">514</span><span style="color: rgba(0, 0, 0, 1)">
# 设置白名单
$AllowedSender UDP, </span><span style="color: rgba(128, 0, 128, 1)">192.168</span>.<span style="color: rgba(128, 0, 128, 1)">1.0</span>/<span style="color: rgba(128, 0, 128, 1)">24</span>, <span style="color: rgba(128, 0, 128, 1)">10.0</span>.<span style="color: rgba(128, 0, 128, 1)">0.0</span>/<span style="color: rgba(128, 0, 128, 1)">8</span><span style="color: rgba(0, 0, 0, 1)">
# 配置模板,以客户端ip为目录,以日期命名文件
$template Remote,</span><span style="color: rgba(128, 0, 0, 1)">"</span><span style="color: rgba(128, 0, 0, 1)">/var/log/syslog/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log</span><span style="color: rgba(128, 0, 0, 1)">"</span><span style="color: rgba(0, 0, 0, 1)">
# 把非本地传输的日志按照指定的模板存放
:fromhost</span>-ip, !isequal, <span style="color: rgba(128, 0, 0, 1)">"</span><span style="color: rgba(128, 0, 0, 1)">127.0.0.1</span><span style="color: rgba(128, 0, 0, 1)">"</span> ?<span style="color: rgba(0, 0, 0, 1)">IpTemplate
# </span>& 表示已经匹配处理的内容,~<span style="color: rgba(0, 0, 0, 1)"> 表示不再进行其他处理
</span>& ~<span style="color: rgba(0, 0, 0, 1)">
# 重启服务
# service rsyslog restart</span></pre>
</div>
<p> </p>
<p>2、配置rsyslog客户端:</p>
<div class="cnblogs_code">
<pre><span style="color: rgba(0, 0, 0, 1)"># 配置PROMP_COMMAND
# vim </span>/etc/<span style="color: rgba(0, 0, 0, 1)">bashrc
readonly PROMPT_COMMAND</span>=<span style="color: rgba(128, 0, 0, 1)">'</span><span style="color: rgba(128, 0, 0, 1)">logger -p local3.notice -t bash "$(who am i |awk "{print \$5,\$2}" | tr -d "[()]") [`pwd`] user=$(whoami) cmmd=$(history 1 | { read x cmd; echo "$cmd"; })"</span><span style="color: rgba(128, 0, 0, 1)">'</span><span style="color: rgba(0, 0, 0, 1)">
source </span>/etc/bashrc</pre>
</div>
<p>其中:</p>
<div class="cnblogs_code">
<pre>local3.notice 使我们自定义的设备,用于rsyslog调用;
bash 是我们为每行打印的信息打印的tag;
who am i |awk “{print $1\” \”$2\” \”$3\” \”$4\” \”$5}”用于获取我们当前用户的登录信息;
pwd 用于列出我们当前所在的目录;
whoami 用于获取我们当前切换的执行命令的用户,例如我们从test 用户 sudo -i,执行命令的用户为root,但是登录的用户test,方便我们区分;
command 是我们当前用户执行的命令。</pre>
</div>
<p>注意:</p>
<div class="cnblogs_code">
<pre>1.我们需要在/etc/bashrc或/etc/profile中添加环境变量,用于所有用户。
2.export PROMPT_COMMAND 如果将PROMPT_COMMAND导出到用户工作区,那么对于有经验的用户就可以做赋值操作 export PROMPT_COMMAND ="",
简单的语法就会导致记录功能当前session端不可用,所以PROMPT_COMMAND必须设置成只读的属性,readonly PROMPT_COMMAND</pre>
</div>
<p> </p>
<p>3、配置rsyslog客户端:</p>
<div class="cnblogs_code">
<pre># vim /etc/<span style="color: rgba(0, 0, 0, 1)">rsyslog.conf
# 添加如下行
# 添加local3.none
</span>*.<span style="color: rgba(0, 0, 255, 1)">info</span>;mail.none;authpriv.none;cron.none;<span style="color: rgba(255, 0, 0, 1)">local3.none</span> /var/log/<span style="color: rgba(0, 0, 0, 1)">messages
# 保存到本地的文件
local3.notice </span>/var/log/<span style="color: rgba(0, 0, 0, 1)">audit.log
# 远程日志服务器
local3.notice @</span><span style="color: rgba(128, 0, 128, 1)">192.168</span>.<span style="color: rgba(128, 0, 128, 1)">1.240</span><span style="color: rgba(0, 0, 0, 1)">
# 重启rsyslog
# service rsyslog restart</span></pre>
</div>
<p>其中:</p>
<div class="cnblogs_code">
<pre>1.local3.notice 是在logger中定义的设备,rsyslog调用并将打印信息输出至指定文件。
2.添加local3.none是避免日志写入 /var/log/messages</pre>
</div>
<p> </p>
<p>4、配置轮转日志(client端):</p>
<div class="cnblogs_code">
<pre>/var/log/<span style="color: rgba(0, 0, 0, 1)">audit.log{
daily
rotate </span><span style="color: rgba(128, 0, 128, 1)">4</span><span style="color: rgba(0, 0, 0, 1)">
missingok
notifempty
nocompress
create
dateext
sharedscripts
postrotate
</span>/bin/<span style="color: rgba(0, 0, 255, 1)">kill</span> -HUP `<span style="color: rgba(0, 0, 255, 1)">cat</span> /var/run/syslogd.pid <span style="color: rgba(128, 0, 128, 1)">2</span>> /dev/<span style="color: rgba(0, 0, 255, 1)">null</span>` <span style="color: rgba(128, 0, 128, 1)">2</span>> /dev/<span style="color: rgba(0, 0, 255, 1)">null</span> || <span style="color: rgba(0, 0, 255, 1)">true</span><span style="color: rgba(0, 0, 0, 1)">
endscript
}<br><code class="bash comments"><br><br># 强制轮转</code></span></pre>
<div class="line number2 index1 alt1"><code class="bash plain"> logrotate -vf </code><code class="bash plain">/etc/logrotate</code><code class="bash plain">.d</code><code class="bash plain">/rsyslog</code></div>
<div class="line number2 index1 alt1"> </div>
<div class="line number2 index1 alt1"><code class="bash functions"> ls</code> <code class="bash plain">/var/log</code><code class="bash plain">|</code><code class="bash functions">grep</code> <code class="bash plain">audit</code>
<div class="line number2 index1 alt1"><code class="bash plain"> audit.log audit.log-20190430</code></div>
</div>
</div>
<p> </p>
<p>三、验证测试:</p>
<p>1、rsyslog服务端:</p>
<div class="cnblogs_code">
<pre># <span style="color: rgba(0, 0, 255, 1)">tail</span> -f /var/log/syslog/<span style="color: rgba(128, 0, 128, 1)">192.168</span>.<span style="color: rgba(128, 0, 128, 1)">1.25</span>/<span style="color: rgba(128, 0, 128, 1)">192.168</span>.<span style="color: rgba(128, 0, 128, 1)">1</span>.25_2019-<span style="color: rgba(128, 0, 128, 1)">05</span>-<span style="color: rgba(128, 0, 128, 1)">02</span><span style="color: rgba(0, 0, 0, 1)">.log
May</span><span style="color: rgba(128, 0, 128, 1)">2</span> <span style="color: rgba(128, 0, 128, 1)">08</span>:<span style="color: rgba(128, 0, 128, 1)">10</span>:<span style="color: rgba(128, 0, 128, 1)">37</span> localhost bash: <span style="color: rgba(128, 0, 128, 1)">192.168</span>.<span style="color: rgba(128, 0, 128, 1)">1.65</span> pts/<span style="color: rgba(128, 0, 128, 1)">2</span> user=root cmmd=<span style="color: rgba(0, 0, 0, 1)">service sshd restart
May</span><span style="color: rgba(128, 0, 128, 1)">2</span> <span style="color: rgba(128, 0, 128, 1)">08</span>:<span style="color: rgba(128, 0, 128, 1)">12</span>:<span style="color: rgba(128, 0, 128, 1)">22</span> localhost bash: <span style="color: rgba(128, 0, 128, 1)">192.168</span>.<span style="color: rgba(128, 0, 128, 1)">1.65</span> pts/<span style="color: rgba(128, 0, 128, 1)">2</span> user=root cmmd=vim /etc/<span style="color: rgba(0, 0, 0, 1)">rsyslog.conf
May</span><span style="color: rgba(128, 0, 128, 1)">2</span> <span style="color: rgba(128, 0, 128, 1)">08</span>:<span style="color: rgba(128, 0, 128, 1)">12</span>:<span style="color: rgba(128, 0, 128, 1)">31</span> localhost bash: <span style="color: rgba(128, 0, 128, 1)">192.168</span>.<span style="color: rgba(128, 0, 128, 1)">1.65</span> pts/<span style="color: rgba(128, 0, 128, 1)">2</span> user=root cmmd=<span style="color: rgba(0, 0, 0, 1)">service rsyslogd restart
May</span><span style="color: rgba(128, 0, 128, 1)">2</span> <span style="color: rgba(128, 0, 128, 1)">08</span>:<span style="color: rgba(128, 0, 128, 1)">12</span>:<span style="color: rgba(128, 0, 128, 1)">35</span> localhost kernel: imklog <span style="color: rgba(128, 0, 128, 1)">5.8</span>.<span style="color: rgba(128, 0, 128, 1)">10</span>, log source = /proc/<span style="color: rgba(0, 0, 0, 1)">kmsg started.
May</span><span style="color: rgba(128, 0, 128, 1)">2</span> <span style="color: rgba(128, 0, 128, 1)">08</span>:<span style="color: rgba(128, 0, 128, 1)">12</span>:<span style="color: rgba(128, 0, 128, 1)">35</span> localhost rsyslogd: start
May</span><span style="color: rgba(128, 0, 128, 1)">2</span> <span style="color: rgba(128, 0, 128, 1)">08</span>:<span style="color: rgba(128, 0, 128, 1)">12</span>:<span style="color: rgba(128, 0, 128, 1)">35</span> localhost bash: <span style="color: rgba(128, 0, 128, 1)">192.168</span>.<span style="color: rgba(128, 0, 128, 1)">1.65</span> pts/<span style="color: rgba(128, 0, 128, 1)">2</span> user=root cmmd=<span style="color: rgba(0, 0, 0, 1)">service rsyslog restart
</span></pre>
</div>
<p> </p>
<p>2、rsyslog客户端:</p>
<div class="cnblogs_code">
<pre># <span style="color: rgba(0, 0, 255, 1)">tail</span> -f /var/log/<span style="color: rgba(0, 0, 0, 1)">audit.log
May</span><span style="color: rgba(128, 0, 128, 1)">2</span> <span style="color: rgba(128, 0, 128, 1)">08</span>:<span style="color: rgba(128, 0, 128, 1)">10</span>:<span style="color: rgba(128, 0, 128, 1)">37</span> localhost bash: <span style="color: rgba(128, 0, 128, 1)">192.168</span>.<span style="color: rgba(128, 0, 128, 1)">1.65</span> pts/<span style="color: rgba(128, 0, 128, 1)">2</span> user=root cmmd=<span style="color: rgba(0, 0, 0, 1)">service sshd restart
May</span><span style="color: rgba(128, 0, 128, 1)">2</span> <span style="color: rgba(128, 0, 128, 1)">08</span>:<span style="color: rgba(128, 0, 128, 1)">12</span>:<span style="color: rgba(128, 0, 128, 1)">22</span> localhost bash: <span style="color: rgba(128, 0, 128, 1)">192.168</span>.<span style="color: rgba(128, 0, 128, 1)">1.65</span> pts/<span style="color: rgba(128, 0, 128, 1)">2</span> user=root cmmd=vim /etc/<span style="color: rgba(0, 0, 0, 1)">rsyslog.conf
May</span><span style="color: rgba(128, 0, 128, 1)">2</span> <span style="color: rgba(128, 0, 128, 1)">08</span>:<span style="color: rgba(128, 0, 128, 1)">12</span>:<span style="color: rgba(128, 0, 128, 1)">31</span> localhost bash: <span style="color: rgba(128, 0, 128, 1)">192.168</span>.<span style="color: rgba(128, 0, 128, 1)">1.65</span> pts/<span style="color: rgba(128, 0, 128, 1)">2</span> user=root cmmd=<span style="color: rgba(0, 0, 0, 1)">service rsyslogd restart
May</span><span style="color: rgba(128, 0, 128, 1)">2</span> <span style="color: rgba(128, 0, 128, 1)">08</span>:<span style="color: rgba(128, 0, 128, 1)">12</span>:<span style="color: rgba(128, 0, 128, 1)">35</span> localhost bash: <span style="color: rgba(128, 0, 128, 1)">192.168</span>.<span style="color: rgba(128, 0, 128, 1)">1.65</span> pts/<span style="color: rgba(128, 0, 128, 1)">2</span> user=root cmmd=service rsyslog restart</pre>
</div>
</div>
<div id="MySignature" role="contentinfo">
*** 你必须十分努力,才能看起来毫不费力 ***<br><br>
来源:https://www.cnblogs.com/bigtree2pingping/p/10813813.html
頁:
[1]