Linux运维人员共用root帐户权限审计

一、应用场景

在中小型企业，公司不同运维人员基本都是以root 账户进行服务器的登陆管理，缺少了账户权限审计制度。不出问题还好，出了问题，就很难找出源头。

这里介绍下，如何利用编译bash 使不同的客户端在使用root 登陆服务器使，记录各自的操作，并且可以在结合ELK 日志分析系统，来收集登陆操作日志

二、环境

服务器：centos 6.5、Development tools、使用密钥认证，SElinux 关闭。

客户端：生成密钥对，用于登录服务器 （2台）

三、搭建部署

服务器操作 : 192.168.1.11

客户机操作 : 192.168.1.71

客户机操作 : 192.168.1.72

1、下载编译bash

mkdir -pv /mydata/softwarecd /mydata/softwareyum -y install wgetwget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz

[root@bogon software]# tar zxf bash-4.1.tar.gz [root@bogon software]# cd bash-4.1[root@bogon bash-4.1]#

2、 先修改下 config-top.h文件,大概91行、104行，由于c 语言中 注释是/**/ ，所以不要删除错了。修改如下：

 [root@bogon bash-4.1]# vim config-top.h 91 /* #define SSH_SOURCE_BASHRC */  #去注释 92  93 /* Define if you want the case-capitalizing operators (~[~]) and the 94    `capcase' variable attribute (declare -c). */ 95 #define  CASEMOD_CAPCASE 96  97 /* This is used as the name of a shell function to call when a command 98    name is not found.  If you want to name it something other than the 99    default ("command_not_found_handle"), change it here. */100 /* #define NOTFOUND_HOOK "command_not_found_handle" */101 102 /* Define if you want each line saved to the history list in bashhist.c:103    bash_add_history() to be sent to syslog(). */104 /* #define SYSLOG_HISTORY */  #去注释

3 修改下bashhist.c 文件，让终端上的命令记录到系统messages 中，并且以指定的格式。并传入获得的变量。修改后的内容如下：（将701-715内容替换为下面内容）

voidbash_syslog_history (line)    const char *line;{  char trunc[SYSLOG_MAXLEN];    const char *p;    p = getenv("NAME_OF_KEY");  if (strlen(line) < SYSLOG_MAXLEN)    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d PPID=%d SID=%d  User=%s USER=%s CMD=%s", getpid(), getppid(), getsid(getpid()),  current_user.user_name, p, line);  else    {      strncpy (trunc, line, SYSLOG_MAXLEN);      trunc[SYSLOG_MAXLEN - 1] = ' ';      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d  PPID=%d SID=%d User=%s USER=%s CMD=%s", getpid(), getppid(), getsid(getpid()), current_user.user_name, p, trunc);    }}

4 配置安装路径，编译安装，编译到/usr/local/目录下

[root@bogon bash-4.1]# ./configure --prefix=/usr/local/bash_new[root@bogon bash-4.1]# make && make installif test "bash" = "gettext-tools"; then \      /bin/sh /mydata/software/bash-4.1/./support/mkinstalldirs /usr/local/bash_new/share/gettext/po; \      for file in Makefile.in.in remove-potcdate.sin quot.sed boldquot.sed en@quot.header en@boldquot.header insert-header.sin Rules-quot   Makevars.template; do \        /usr/bin/install -c -m 644 ./$file \                /usr/local/bash_new/share/gettext/po/$file; \      done; \      for file in Makevars; do \        rm -f /usr/local/bash_new/share/gettext/po/$file; \      done; \    else \      : ; \    fimake[1]: Leaving directory `/mydata/software/bash-4.1/po'

5、编译完成后，将新的bash 追加到 /etc/shells 中，并修改root用户的登陆shell 环境为新编译的shell

[root@bogon bash-4.1]# echo "/usr/local/bash_new/bin/bash" >> /etc/shells [root@bogon bash-4.1]# cat !$cat /etc/shells/bin/sh/bin/bash/sbin/nologin/bin/dash/usr/local/bash_new/bin/bash

[root@bogon bash-4.1]# vim /etc/passwdroot:x:0:0:root:/root:/usr/local/bash_new/bin/bash

6、注销当前root用户，重新登陆后，查看/var/log/messages，如下就可以看到记录了操作命令

Nov  8 11:17:24 localhost -bash: HISTORY: PID=11723 PPID=11721 SID=11723  User=root USER=(null) CMD=cd /mydata/
Nov  8 11:17:26 localhost -bash: HISTORY: PID=11723 PPID=11721 SID=11723  User=root USER=(null) CMD=mkdir test
Nov  8 11:17:28 localhost -bash: HISTORY: PID=11723 PPID=11721 SID=11723  User=root USER=(null) CMD=cd test/
Nov  8 11:17:32 localhost -bash: HISTORY: PID=11723 PPID=11721 SID=11723  User=root USER=(null) CMD=touch a.txt
Nov  8 11:17:41 localhost -bash: HISTORY: PID=11723 PPID=11721 SID=11723  User=root USER=(null) CMD=echo “wgli.vip” > a.txt

[root@bogon ~]# ssh-keygen -t rsa -C “root@zhangsan-71”
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory ‘/root/.ssh’.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
26:8e:47:f2:c3:c2:3f:02:5b:33:8a:34:13:fa:7f:43 root@zhangsan-71
The key’s randomart image is:
+–[ RSA 2048]—-+
|                 |
|                 |
|                 |
| .               |
|. . . o S        |
|.+..+BEo         |
|.oo=++          |
|. + .++.         |
|   ..o.o         |
+—————–+

[root@bogon ~]# ssh-copy-id -i .ssh/id_rsa.pub root@192.168.1.11
The authenticity of host ‘192.168.1.11 (192.168.1.11)’ can’t be established.
RSA key fingerprint is d8:b1:ae:96:11:e7:15:c0:78:61:9b:45:75:ad:f2:22.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.1.11’ (RSA) to the list of known hosts.
reverse mapping checking getaddrinfo for bogon [192.168.1.11] failed - POSSIBLE BREAK-IN ATTEMPT!
root@192.168.1.11’s password:
Now try logging into the machine, with “ssh ‘root@192.168.1.11’”, and check in:

  .ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

[root@bogon ~]# ssh-keygen -t rsa -C “root@lisi-72”
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory ‘/root/.ssh’.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e7:78:33:ce:a5:45:cd:01:da:ca:9d:f9:67:32:ed:41 root@lisi-72
The key’s randomart image is:
+–[ RSA 2048]—-+
|            .    |
|           o .   |
|          . . .  |
|         . o = . |
|        S + = oE |
|         + . … |
|        . = o +.+|
|         +    *.|
|          +     .|
+—————–+

[root@bogon ~]# ssh-copy-id -i .ssh/id_rsa.pub root@192.168.1.11
The authenticity of host ‘192.168.1.11 (192.168.1.11)’ can’t be established.
RSA key fingerprint is d8:b1:ae:96:11:e7:15:c0:78:61:9b:45:75:ad:f2:22.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.1.11’ (RSA) to the list of known hosts.
reverse mapping checking getaddrinfo for bogon [192.168.1.11] failed - POSSIBLE BREAK-IN ATTEMPT!
root@192.168.1.11’s password:
Now try logging into the machine, with “ssh ‘root@192.168.1.11’”, and check in:

  .ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

[root@walle ~]# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzoD5xJmYGawtoKC3vv337K2UoIw1EAwn8XDE0aJVgckBZNH36Vhs1M/6KgRfdLBtVzqnFMw7c9qAxlpoy3q5/3ajcmMeVwKETEJqD5gHQYZ0dGv/rktRWoochCi7WTEJq1M0aqE8GaMKxHVW0+SBLP1pw7pEh5UtwQsJ/JcoKNR3GRfO3I1OYBTrvTG+IRxq7xCsoFKPsZYgsHw20fVscgwRINFgY5gDKxAxiobMQUSyy5ZYvrqutYNTWZIrzbfMUi3PvmcQswOBGCyTGYgxm/5CG4lhsdUfcpR6OrrxKJs0/YHuUkLbb/wAPuz1DpSFSrBfC77X10IxTREIqZFUvw== root@zhangsan-71
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwoBXpTUJ1Z5Dbu+hywdcimeRwemnl8TON1lCtn5o7c9phcAcgxK4qoDiyncmrMztVwmezJJxum0sMqUlJHipdwPQJUaGb0Xu3JVNRUTz8KcpTitRjcZaMqOgS/UA9ltq1cmEqHhDPbyU+zZZfe115t5K0WJgg2hsKqgJVep/RX96jTC+iGMKUSkvQRZBbVz86shxZUBdfIjh08afwC+SeqrJQ3IRAqwX1xWkWYrKW42V+5kS0g6wIBpI/1nM0yKl0KqE8cj9qF+kiXK9rUJqOVg5q6YudQyVmQX1uyrYXtO3REYETi2ki2owKWorDebs7yZkQjba1dvTvOle8syqdQ== root@lisi-72

[root@walle ~]# touch /var/log/keys

[root@walle ~]# cat /etc/CheckUser.sh
#!/bin/bash
#conding:utf-8
pid=$PPID
#在自己home目录得到所有的key，如果/var/log/keys 没有的时候，添加进去
while read line
do
grep “$line” /var/log/keys >/dev/null || echo “$line” >> /var/log/keys
done < $HOME/.ssh/authorized_keys
#得到每个key的指纹
cat /var/log/keys | while read LINE
do
NAME=$(echo $LINE | awk ‘{print $3}’)
echo $LINE >/tmp/keys.log.$pid
KEY=$(ssh-keygen -l -f /tmp/keys.log.$pid | awk ‘{print $2}’)
grep “$KEY $NAME” /var/log/ssh_key_fing >/dev/null || echo “$KEY $NAME” >> /var/log/ssh_key_fing
done
#如果是root用户，secure文件里面是通过PPID号验证指纹
if [ $UID == 0 ]
then
ppid=$PPID
else
#如果不是root用户，验证指纹的是另外一个进程号
ppid=/bin/ps -ef | grep $PPID |grep 'sshd:' |awk '{print $3}'
fi
#得到RSA_KEY和NAME_OF_KEY，用来bash4.1得到历史记录
RSA_KEY=/bin/egrep 'Found matching RSA key' /var/log/secure | /bin/egrep "$ppid" | /bin/awk '{print $NF}' | tail -1
if [ -n “$RSA_KEY” ];then
NAME_OF_KEY=/bin/egrep "$RSA_KEY" /var/log/ssh_key_fing | /bin/awk '{print $NF}'
fi
#把NAME_OF_KEY设置为只读
readonly NAME_OF_KEY
export NAME_OF_KEY
/bin/rm /tmp/keys.log.$pid

[root@walle ~]# echo “test -f /etc/CheckUser.sh && . /etc/CheckUser.sh” >> /etc/profile

[root@walle ~]# tail -1f /etc/bashrc
test -z “$BASH_EXECUTION_STRING” || { test -f /etc/CheckUser.sh && . /etc/CheckUser.sh; logger -t -bash -s “HISTORY $SSH_CLIENT USER=$NAME_OF_KEY CMD=$BASH_EXECUTION_STRING “ >/dev/null 2>&1;}

[root@walle ~]# sed -i ‘s/#LogLevel INFO/LogLevel DEBUG/g’ /etc/ssh/sshd_config
[root@walle ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

Nov  8 17:33:45 walle -bash: HISTORY: PID=10371 PPID=10369 SID=10371  User=root USER=root@zhangsan-71 CMD=cd /mydata/software/
Nov  8 17:33:52 walle -bash: HISTORY: PID=10371 PPID=10369 SID=10371  User=root USER=root@zhangsan-71 CMD=mkdir a.txt
Nov  8 17:33:55 walle -bash: HISTORY: PID=10371 PPID=10369 SID=10371  User=root USER=root@zhangsan-71 CMD=ls -lh a.txt/
Nov  8 17:34:05 walle -bash: HISTORY: PID=10371 PPID=10369 SID=10371  User=root USER=root@zhangsan-71 CMD=echo AA > a.txt/

Nov  8 17:35:49 walle -bash: HISTORY: PID=10438 PPID=10436 SID=10438  User=root USER=root@lisi-72 CMD=cd /mydata/software/
Nov  8 17:35:51 walle -bash: HISTORY: PID=10438 PPID=10436 SID=10438  User=root USER=root@lisi-72 CMD=rm -rf a.txt/