1.检查sudo与syslog服务
- centos
- [root@xiaoyuer ~]# rpm -qa|grep sudo
- sudo-1.8.6p3-24.el6.x86_64
- [root@xiaoyuer ~]# rpm -qa|grep syslog
- rsyslog-5.8.10-10.el6_6.x86_64
-
- ubuntu
- root@host1:~# dpkg -l |egrep 'sudo|syslog'
- ii rsyslog 7.4.4-1ubuntu2.7 amd64 reliable system and kernel logging daemon
- ii sudo 1.8.9p5-1ubuntu1.4 amd64 Provide limited super user privileges to specific users
- root@host1:~#
2.检查是否安装两种服务,如果没有安装,就使用下面的命令进行安装
- yum install sudo -y
- yum install rsyslog -y
- apt-get install sudo rsyslog -y
备注:Centos 5.x 为syslog,Centos 6.x 为rsyslog
3.配置服务
- #创建日志目录
- mkdir -p /var/log/
-
- #查看日志环境
- [root@xiaoyuer ~]# uname -r
- 2.6.32-642.6.2.el6.x86_64
- [root@xiaoyuer ~]# cat /etc/redhat-release
- CentOS release 6.8 (Final)
-
- root@host1:~# cat /etc/issue
- Ubuntu 14.04.5 LTS \n \l
- root@host1:~# uname -r
- 4.4.0-93-generic
-
- #服务器环境为centos 6.8 所以syslog日志配置文件为/etc/rsyslog.conf
-
- echo "local2.debug /var/log/sudo.log">>/etc/rsyslog.conf
-
- tail -1 /etc/rsyslog.conf
- #local2.debug /var/log/sudo.log
- #说明:这一行只对经 syslog 的 local2 设施发送的消息生效;sudo 默认使用 authpriv 设施,需在 /etc/sudoers 中另行设置 Defaults syslog=local2 才会走这条规则。下面的 Defaults logfile= 则是让 sudo 直接写入该文件,与 syslog 无关。
-
- #注意:如果服务器为centos 5.x,则syslog日志配置文件为/etc/syslog.conf
- #echo "local2.debug /var/log/sudo.log">>/etc/syslog.conf
- #echo "Defaults logfile=/var/log/sudo.log">>/etc/sudoers
-
- #配置/etc/sudoers(直接追加后务必执行 visudo -c 校验语法,sudoers 语法错误会导致 sudo 无法使用;更稳妥的做法是通过 visudo 编辑)
- echo "Defaults logfile=/var/log/sudo.log">>/etc/sudoers
- tail -1 /etc/sudoers
- #Defaults logfile=/var/log/sudo.log
- visudo -c
-
- #重启服务
- [root@xiaoyuer ~]# service rsyslog restart
- Shutting down system logger: [ OK ]
- Starting system logger: [ OK ]
4.测试审计结果
- [root@xiaoyuer ~]# sudo ls
- elasticsearch-5.6.3 elasticsearch-5.6.3.zip energy_saving_products.sql master.zip mysql-5.7.22-winx64.zip zabbix3.0.9_yum.tar.gz
-
- [root@xiaoyuer ~]# cat /var/log/sudo.log
- Jul 31 14:59:20 : root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls