1.检查sudo与syslog服务
centos [root@xiaoyuer ~]# rpm -qa|grep sudo sudo-1.8.6p3-24.el6.x86_64 [root@xiaoyuer ~]# rpm -qa|grep syslog rsyslog-5.8.10-10.el6_6.x86_64 ubuntu root@host1:~# dpkg -l |egrep 'sudo|syslog' ii rsyslog 7.4.4-1ubuntu2.7 amd64 reliable system and kernel logging daemon ii sudo 1.8.9p5-1ubuntu1.4 amd64 Provide limited super user privileges to specific users root@host1:~#
2.检查是否安装两种服务,如果没有安装,就使用下面的命令进行安装
yum install sudo -y yum install rsyslog -y
apt-get install sudo rsyslog -y
备注:Centos 5.x 为syslog,Centos 6.x 为rsyslog
3.配置服务
#创建日志目录 mkdir -p /var/log/ #查看日志环境 [root@xiaoyuer ~]# uname -r 2.6.32-642.6.2.el6.x86_64 [root@xiaoyuer ~]# cat /etc/redhat-release CentOS release 6.8 (Final) root@host1:~# cat /etc/issue Ubuntu 14.04.5 LTS l root@host1:~# uname -r 4.4.0-93-generic #服务器环境为centos 6.8 所以syslog日志配置文件为/etc/rsyslog.conf echo "local2.debug /var/log/sudo.log">>/etc/rsyslog.conf tail -1 /etc/rsyslog.conf #local2.debug /var/log/sudo.log #注意:如果服务器为centos 5.x 所以syslog日志配置文件为/etc/syslog.conf(配置) #echo "local2.debug /var/log/sudo.log">>/etc/syslog.conf #echo "Defaults logfile=/var/log/sudo.log">>/etc/sudoers #配置/etc/sudoers echo "Defaults logfile=/var/log/sudo.log">>/etc/sudoers tail -1 /etc/sudoers #Defaults logfile=/var/log/sudo.log visudo -c #重启服务 [root@xiaoyuer ~]# service rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ]
4、测试审计结果
[root@xiaoyuer ~]# sudo ls elasticsearch-5.6.3 elasticsearch-5.6.3.zip energy_saving_products.sql master.zip mysql-5.7.22-winx64.zip zabbix3.0.9_yum.tar.gz [root@xiaoyuer ~]# cat /var/log/sudo.log Jul 31 14:59:20 : root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls