1) Centralized management of sudo user privileges
1. Analyze business requirements
Assign different privileges to different roles according to their business function.
Junior ops | tom |
Senior ops | lucy |
Ops manager | stven |
Junior developer | john |
Development manager | jie |
Network engineer | san |
2. Privilege classification (example)
Junior ops | /bin/cat,/bin/ls,/usr/bin/top |
Senior ops | /bin/cat,/bin/cat,/bin/ls,/bin/vi,/bin/cp,/bin/rm,/bin/su |
Ops manager | ALL |
Junior developer | /bin/cat,/bin/ls |
Development manager | ALL,/usr/bin/passwd,!/usr/bin/passwd root,!/bin/vi /etc/sudoers,!/usr/bin/vim /etc/sudoers |
Network engineer | /sbin/ifconfig |
3. User aliases
Syntax reference from the stock sudoers file:
# User_Alias ADMINS = jsmith, mikem
CHUJI_YUNWEI | tom |
GAOJI_YUNWEI | lucy |
SAMANAGER | stven |
CHUJI_KAIFA | john |
SOFTMANAGER | jie |
NETWORK | san |
User_Alias CHUJI_YUNWEI = tom
User_Alias GAOJI_YUNWEI = lucy
User_Alias SAMANAGER = stven
User_Alias CHUJI_KAIFA = john
User_Alias SOFTMANAGER = jie
User_Alias NETWORK = san
4. Command aliases
Note: when a command list does not fit on one line, end the line with "\" to continue it on the next line.
Cmnd_Alias CHUJI_YUNWEI_CMD = /bin/cat,/bin/ls,/usr/bin/top
Cmnd_Alias GAOJI_YUNWEI_CMD = /bin/cat,/bin/cat,/bin/ls,/bin/vi,/bin/cp,/bin/rm,/bin/su
Cmnd_Alias SAMANAGER_CMD = ALL
Cmnd_Alias CHUJI_KAIFA_CMD = /bin/cat,/bin/ls
Cmnd_Alias SOFTMANAGER_CMD = ALL,/usr/bin/passwd,\
!/usr/bin/passwd root,!/bin/vi /etc/sudoers,!/usr/bin/vim /etc/sudoers
Cmnd_Alias NETWORK_CMD = /sbin/ifconfig
5. Host alias
Host_Alias SERVER = student
6. Edit /etc/sudoers to grant the privileges
[root@student ~]# visudo
CHUJI_YUNWEI ALL=(ALL) CHUJI_YUNWEI_CMD
GAOJI_YUNWEI ALL=(ALL) GAOJI_YUNWEI_CMD
SAMANAGER ALL=(ALL) SAMANAGER_CMD
CHUJI_KAIFA SERVER=(ALL) CHUJI_KAIFA_CMD
SOFTMANAGER SERVER=(ALL) SOFTMANAGER_CMD
NETWORK ALL=(ALL) NETWORK_CMD
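Before loading the policy with visudo it is worth checking what each alias really grants. The Python script below is an added example, not part of the original page: it parses a constructed copy of the aliases and rules above and flags grants that amount to unrestricted root, namely a bare ALL, ALL narrowed only by "!" exclusions (which sudoers(5) says cannot be relied on), and shell-capable programs such as /bin/su or /bin/vi run as root; the ROOT_EQUIVALENT list is the example's own assumption.

```python
import re

# Constructed copy of this page's sudoers fragment (the real file is edited with visudo).
SUDOERS = r"""
User_Alias CHUJI_YUNWEI = tom
User_Alias GAOJI_YUNWEI = lucy
User_Alias SOFTMANAGER = jie
Cmnd_Alias CHUJI_YUNWEI_CMD = /bin/cat,/bin/ls,/usr/bin/top
Cmnd_Alias GAOJI_YUNWEI_CMD = /bin/cat,/bin/ls,/bin/vi,/bin/cp,/bin/rm,/bin/su
Cmnd_Alias SOFTMANAGER_CMD = ALL,/usr/bin/passwd,\
!/usr/bin/passwd root,!/bin/vi /etc/sudoers,!/usr/bin/vim /etc/sudoers
CHUJI_YUNWEI ALL=(ALL) CHUJI_YUNWEI_CMD
GAOJI_YUNWEI ALL=(ALL) GAOJI_YUNWEI_CMD
SOFTMANAGER ALL=(ALL) SOFTMANAGER_CMD
"""

# Assumed list: programs that give the caller a root shell or edit any file; as root they equal ALL.
ROOT_EQUIVALENT = {"/bin/su", "/bin/vi", "/usr/bin/vim", "/bin/sh", "/bin/bash"}

def parse_sudoers(text):
    """Return (user aliases, command aliases, rules) from a sudoers fragment."""
    users, cmds, rules = {}, {}, []
    for line in re.sub(r"\\\n", "", text).splitlines():  # join "\" continuation lines
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"(User|Cmnd)_Alias\s+(\w+)\s*=\s*(.*)", line):
            target = users if m.group(1) == "User" else cmds
            target[m.group(2)] = [x.strip() for x in m.group(3).split(",")]
        elif m := re.match(r"(\w+)\s+([^\s=]+)\s*=\s*\((\w+)\)\s*(.*)", line):
            rules.append(m.groups())  # (who, host, runas, command spec)
    return users, cmds, rules

def audit(text):
    """List (user, finding) pairs for grants that amount to unrestricted root."""
    users, cmds, rules = parse_sudoers(text)
    findings = []
    for who, _host, runas, spec in rules:
        commands = cmds.get(spec, [spec])
        for user in users.get(who, [who]):
            if "ALL" in commands:
                excluded = any(c.startswith("!") for c in commands)
                findings.append((user, "ALL with '!' exclusions: sudoers(5) warns these "
                                 "cannot be relied on, treat as unrestricted root"
                                 if excluded else "ALL: unrestricted root"))
            for c in commands:
                if runas == "ALL" and c.split()[0] in ROOT_EQUIVALENT:
                    findings.append((user, f"{c} as root is root-equivalent"))
    return findings
```

Run it against the fragment and tom comes back clean, while lucy's /bin/vi and /bin/su and jie's ALL-with-exclusions are reported as full-root grants.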
Hands-on:
1) Append the following to /etc/sudoers
[root@student ~]# visudo
User_Alias CHUJI_YUNWEI = tom
User_Alias GAOJI_YUNWEI = lucy
User_Alias SAMANAGER = stven
User_Alias CHUJI_KAIFA = john
User_Alias SOFTMANAGER = jie
User_Alias NETWORK = san
Cmnd_Alias CHUJI_YUNWEI_CMD = /bin/cat,/bin/ls,/usr/bin/top
Cmnd_Alias GAOJI_YUNWEI_CMD = /bin/cat,/bin/cat,/bin/ls,/bin/vi,/bin/cp,/bin/rm,/bin/su
Cmnd_Alias CHUJI_KAIFA_CMD = /bin/cat,/bin/ls
Cmnd_Alias SAMANAGER_CMD = ALL
Cmnd_Alias SOFTMANAGER_CMD = ALL,/usr/bin/passwd,\
!/usr/bin/passwd root,!/bin/vi /etc/sudoers,!/usr/bin/vim /etc/sudoers
Cmnd_Alias NETWORK_CMD = /sbin/ifconfig
CHUJI_YUNWEI ALL = (ALL) CHUJI_YUNWEI_CMD
GAOJI_YUNWEI ALL = (ALL) GAOJI_YUNWEI_CMD
SAMANAGER ALL = (ALL) SAMANAGER_CMD
CHUJI_KAIFA SERVER = (ALL) CHUJI_KAIFA_CMD
SOFTMANAGER SERVER = (ALL) SOFTMANAGER_CMD
NETWORK ALL = (ALL) NETWORK_CMD
"/etc/sudoers.tmp" 145L, 4842C written
[root@student ~]#
sudo -l lists the sudo privileges of the current user
[root@student ~]# su - tom
[tom@student ~]$ sudo -l
[sudo] password for tom:
匹配此主機上 tom 的默認條目:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

用戶 tom 可以在該主機上運行以下命令:
    (ALL) /bin/cat, /bin/ls, /usr/bin/top
[tom@student ~]$ sudo cp /etc/services /tmp
對不起,用戶 tom 無權以 root 的身份在 student 上執行 /bin/cp /etc/services /tmp。
[tom@student ~]$ sudo cp /etc/services /tmp
對不起,用戶 tom 無權以 root 的身份在 student 上執行 /bin/cp /etc/services /tmp。
[tom@student ~]$
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2) sudo log auditing
Install the sudo and rsyslog packages
[root@student ~]# rpm -aq | egrep "sudo|rsyslog"
rsyslog-5.8.10-8.el6.x86_64
sudo-1.8.6p3-12.el6.x86_64
[root@student ~]#
If they are missing, install them with yum install rsyslog -y
Create the sudo log file
[root@student ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@student ~]# echo "local2.debug /var/log/sudo.log" >>/etc/rsyslog.conf
[root@student ~]# tail -1 /etc/rsyslog.conf
local2.debug /var/log/sudo.log
Restart the rsyslog service
[root@student ~]# /etc/init.d/rsyslog restart
關閉系統日誌記錄器: [確定]
啓動系統日誌記錄器: [確定]
[root@student ~]#
Test:
[root@student ~]# su - lucy
[lucy@student ~]$ sudo -l
[sudo] password for lucy:
匹配此主機上 lucy 的默認條目:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

用戶 lucy 可以在該主機上運行以下命令:
    (ALL) /bin/cat, /bin/cat, /bin/ls, /bin/vi, /bin/cp, /bin/rm, /bin/su
[lucy@student ~]$ mv /tmp/services /
mv: 無法將"/tmp/services" 移動至"/services": 不允許的操作
[lucy@student ~]$ sudo mv /tmp/services /
對不起,用戶 lucy 無權以 root 的身份在 student 上執行 /bin/mv /tmp/services /。
[lucy@student ~]$ cat /var/log/sudo.log
cat: /var/log/sudo.log: 權限不夠
[lucy@student ~]$ sudo cat /var/log/sudo.log
Nov 19 04:35:53 : lucy : 命令禁止使用 ; TTY=pts/1 ; PWD=/home/lucy ; USER=root ; COMMAND=/usr/sbin/visudo
Nov 19 04:36:22 : lucy : 命令禁止使用 ; TTY=pts/1 ; PWD=/home/lucy ; USER=root ; COMMAND=/bin/touch /a.txt
Nov 19 04:37:26 : tom : 命令禁止使用 ; TTY=pts/1 ; PWD=/home/tom ; USER=root ; COMMAND=/sbin/ifconfig
Nov 19 04:37:40 : tom : TTY=pts/1 ; PWD=/home/tom ; USER=root ; COMMAND=list
[lucy@student ~]$
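The log lines above are easy to turn into a detection feed. The following Python parser is an added example, not from the original page: it parses constructed copies of those lines, counts denied attempts per user and reports users who reach a threshold; the field layout and the DENIED message strings are assumptions taken from the output above.

```python
import re
from collections import Counter

# Constructed sample, copied from the sudo.log output shown above.
SUDO_LOG = """\
Nov 19 04:35:53 : lucy : 命令禁止使用 ; TTY=pts/1 ; PWD=/home/lucy ; USER=root ; COMMAND=/usr/sbin/visudo
Nov 19 04:36:22 : lucy : 命令禁止使用 ; TTY=pts/1 ; PWD=/home/lucy ; USER=root ; COMMAND=/bin/touch /a.txt
Nov 19 04:37:26 : tom : 命令禁止使用 ; TTY=pts/1 ; PWD=/home/tom ; USER=root ; COMMAND=/sbin/ifconfig
Nov 19 04:37:40 : tom : TTY=pts/1 ; PWD=/home/tom ; USER=root ; COMMAND=list
"""

# One record per line: timestamp, invoking user, optional message, then the key=value fields.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) : (?P<user>\S+) : "
    r"(?:(?P<msg>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# The denial message as sudo prints it in English and in the locale seen above.
DENIED = ("command not allowed", "命令禁止使用")

def parse_sudo_log(text):
    """Return one dict per parsable line, with a 'denied' flag added."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparsable line; a production pipeline should count these
        event = m.groupdict()
        event["denied"] = (event["msg"] or "").strip() in DENIED
        events.append(event)
    return events

def denials_per_user(events):
    """Count denied sudo attempts by invoking user."""
    return Counter(e["user"] for e in events if e["denied"])

def repeat_offenders(events, threshold=2):
    """Users whose denied attempts reached the threshold (worth a closer look)."""
    return sorted(u for u, n in denials_per_user(events).items() if n >= threshold)
```

These lines carry no hostname or "sudo:" tag, which is the layout of sudo's own Defaults logfile output rather than of a file written by rsyslog; for the local2.debug rule above to receive anything, sudo must also be told to use that facility with Defaults syslog=local2 in /etc/sudoers.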
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3) Centralized log management
1) Use rsync+inotify, or a cron job plus rsync, to push the logs to a log management server, named per host and date, e.g. 10.0.0.7_20120309.sudo.log
2) Let the syslog service handle it
Add a hosts entry
[root@MySQL-A~]# echo "10.10.10.1 logserver">>/etc/hosts
# address of the log server
[root@MySQL-A~]# echo "*.info @logserver">>/etc/syslog.conf    <<==== suitable when all logs are to be pushed to the server
3) Log collection solutions: Scribe, Flume, logstash, Storm
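An added example, not from the original page: rsyslog configuration for both sides of option 2), forwarding sudo's local2 messages over TCP ("@@", rather than the UDP "@" used above, which gives no delivery guarantee) and having the log server write one file per source host and day, matching the 10.0.0.7_20120309.sudo.log naming from option 1). The host name logserver, port 514 and the /var/log/sudo directory are assumptions.

```conf
# Client side: /etc/rsyslog.conf on each managed host (for example 10.0.0.7).
# sudo has to emit to this facility first: "Defaults syslog=local2" in /etc/sudoers.
# "@@" forwards over TCP; the single "@" used above is UDP and offers no delivery guarantee.
local2.*        @@logserver:514

# Server side: /etc/rsyslog.conf on logserver (rsyslog 5 legacy syntax, as shipped with CentOS 6).
$ModLoad imtcp
$InputTCPServerRun 514
# One file per sending host and day, giving names such as /var/log/sudo/10.0.0.7_20120309.sudo.log
$template SudoByHost,"/var/log/sudo/%fromhost-ip%_%$year%%$month%%$day%.sudo.log"
local2.*        ?SudoByHost
# Discard the message here so the same lines are not also written to /var/log/messages.
& ~
```

Restart rsyslog on both hosts after the change and confirm with a deliberately denied sudo command on the client that a file for that client's address appears on logserver.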