介紹linux下利用編譯bash設置root帳號共用的權限審計設置

 

在平常運維工做中，公司不一樣人員（通常是運維人員）共用root帳號登陸linux服務器進行維護管理，在不健全的帳戶權限審計制度下，一旦出現問題，就很難找出源頭，甚是麻煩！
在此，介紹下利用編譯bash使不一樣人員在使用root帳號登錄服務器後，能記錄各自的操做，而且能夠結合ELK日誌分析系統收集登錄操做日誌。

廢話很少說！下面分享下操做記錄：

服務器ip：192.168.1.180

首先是編譯bash
[root@dev ~]# cd /usr/local/src/
[root@dev src]# wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
[root@dev src]# tar -zvxf bash-4.1.tar.gz

先修改下config-top.h文件,大概91行、104行，因爲c 語言中註釋是/* */ ，因此不要刪除錯了!刪除下面第91和104行內容先後的/* */註釋符！
確保修改以下：
[root@dev bash-4.1]# vim config-top.h
......
91   #define SSH_SOURCE_BASHRC
......
104 #define SYSLOG_HISTORY

修改下bashhist.c 文件，讓終端上的命令記錄到系統messages 中，而且以指定的格式。並傳入得到的變量。
確保下面的內容修改後以下：
[root@dev bash-4.1]# vim bashhist.c
......
void
bash_syslog_history (line)
const char *line;
{
char trunc[SYSLOG_MAXLEN];
const char *p;
p = getenv("NAME_OF_KEY");
if (strlen(line) < SYSLOG_MAXLEN)
syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d PPID=%d SID=%d User=%s USER=%s CMD=%s", getpid(), getppid(), getsid(getpid()), current_user.user_name, p, line);
else
{
strncpy (trunc, line, SYSLOG_MAXLEN);
trunc[SYSLOG_MAXLEN - 1] = ' ';
syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d PPID=%d SID=%d User=%s USER=%s CMD=%s", getpid(), getppid(), getsid(getpid()), current_user.user_name, p, trunc);
}
}

接着繼續編譯安裝，編譯到/usr/local/目錄下。

[root@dev bash-4.1]# ./configure --prefix=/usr/local/bash_new
[root@dev bash-4.1]# make && make install
...............
if test "bash" = "gettext-tools"; then \
/bin/sh /usr/local/src/bash-4.1/./support/mkinstalldirs /usr/local/bash_new/share/gettext/po; \
for file in Makefile.in.in remove-potcdate.sin quot.sed boldquot.sed en@quot.header en@boldquot.header insert-header.sin Rules-quot Makevars.template; do \
/usr/bin/install -c -m 644 ./$file \
/usr/local/bash_new/share/gettext/po/$file; \
done; \
for file in Makevars; do \
rm -f /usr/local/bash_new/share/gettext/po/$file; \
done; \
else \
: ; \
fi
make[1]: Leaving directory `/usr/local/src/bash-4.1/po'

[root@dev bash-4.1]# ll /usr/local/bash_new/bin/
總用量 2784
-rwxr-xr-x 1 root root 2838951 10月 17 18:44 bash
-r-xr-xr-x 1 root root 6837 10月 17 18:44 bashbug

編譯完成後，追加新的bash到/etc/shells 中，並修改root用戶的登錄shell環境爲新編譯的shell。
以下：
[root@dev bash-4.1]# echo "/usr/local/bash_new/bin/bash" >> /etc/shells
[root@dev bash-4.1]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/bin/tcsh
/bin/csh
/usr/local/bash_new/bin/bash
[root@dev bash-4.1]#

替換root帳號的bash環境

[root@dev bash-4.1]# cat /etc/passwd|grep "root:/root"
root:x:0:0:root:/root:/bin/bash
[root@dev bash-4.1]# sed -i 's#root:/root:/bin/bash#root:/root:/usr/local/bash_new/bin/bash#g' /etc/passwd
[root@dev bash-4.1]# cat /etc/passwd|grep "root:/root"
root:x:0:0:root:/root:/usr/local/bash_new/bin/bash

註銷當前root用戶，從新登錄後，查看/var/log/messages，以下就能夠看到記錄了操做命令：
[root@dev bash-4.1]# who
root tty1 2016-09-27 23:16 (:0)
root pts/0 2016-10-17 19:11 (192.168.9.155)
[root@dev bash-4.1]# pkill -kill -t pts/0

從新登陸該機器，查看/var/log/messages，以下就能夠看到記錄了操做命令。
下面第4段dev -bash是這臺服務器的主機名。這樣之後就能根據messages文件裏的日誌信息，知道這臺機器在root帳號下的全部操做了！
[root@dev ~]# tail -2f /var/log/messages
Oct 17 19:12:46 dev -bash: HISTORY: PID=7718 PPID=7716 SID=7718 User=root USER=(null) CMD=pkill -kill -t pts/0
Oct 17 19:13:30 dev -bash: HISTORY: PID=7864 PPID=7862 SID=7864 User=root USER=(null) CMD=tail -2f /var/log/messages

-----------------------------------------------------------------------------

下面開始進行客戶端的配置：

兩臺客戶機：
elk-node1和elk-node2，兩臺客戶機上分別生成root用戶下的公私鑰，生成公私鑰時最好-C加上用戶名，以便於辨別！
客戶機elk-node1的用戶名是wangshibo，ip是192.168.1.160
客戶機elk-node2的用戶名是guohuihui，ip是192.168.1.161

1）客戶機elk-node1上操做。注意：-C 後面的辨別參數也能夠用ip，好比-C 「root@192.168.1.160",只是爲了ssh遠程登陸後能識別來源
[root@elk-node1 ~]# ssh-keygen -t rsa -C "root@wangshibo"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a9:a4:cc:3b:99:bf:68:a7:3d:fd:19:ef:f9:dd:2a:07 root@wangshibo
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| |
| . |
| . S |
| o o . E |
| +o.. . . |
| =+o . +.....|
| .+=+o .o.++o.o|
+-----------------+

將公鑰上傳到上面的機器192.168.1.180上
[root@elk-node1 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.1.180
The authenticity of host '192.168.1.180 (192.168.1.180)' can't be established.
RSA key fingerprint is 3e:62:70:61:c1:90:ce:f3:25:85:28:f9:e1:86:dc:ac.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.180's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@192.168.1.180'"
and check to make sure that only the key(s) you wanted were added.

--------------------------------------------------------------------------------
-t 加密算法
-C 註釋 （加上這個也是爲了最後進行對服務器訪問人員進行辨別的一個關鍵點）

將公鑰上傳到服務器上的.ssh/authorized_keys 文件中。
ssh-copy-id 命令會自動在服務器上建立.ssh/authorized_keys文件，即便該目錄不存在，並自動賦予600權限。
--------------------------------------------------------------------------------

測試，已經能夠無密碼登錄了~
[root@elk-node1 ~]# ssh root@192.168.1.180
Last login: Mon Oct 17 19:42:58 2016 from 192.168.1.7
[root@dev ~]#

2）客戶機elk-node2上操做：
[root@elk-node2 ~]# ssh-keygen -t rsa -C "root@guohuihui"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
fe:ac:7c:3e:05:4d:c1:86:f0:30:6b:a6:8e:b6:d6:22 root@guohuihui
The key's randomart image is:
+--[ RSA 2048]----+
| +. o.. |
| =. + |
| + .+ |
| + . . |
| . S . |
| o . . |
| o.. . . |
| E.o... oo |
| o.. o++. |
+-----------------+

將公鑰上傳到上面的機器192.168.1.180上
[root@elk-node2 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.1.180
The authenticity of host '192.168.1.180 (192.168.1.180)' can't be established.
RSA key fingerprint is 3e:62:70:61:c1:90:ce:f3:25:85:28:f9:e1:86:dc:ac.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.180's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@192.168.1.180'"
and check to make sure that only the key(s) you wanted were added.

測試，已經能夠無密碼登錄了~
[root@elk-node2 ~]# ssh root@192.168.1.180
Last login: Mon Oct 17 19:52:02 2016 from 192.168.1.160
[root@dev ~]#

3）登錄到192.168.1.180上查看
[root@dev ~]# cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3BA2e9bJDGfn80IYKn0RypviBYzYm7lpfexD8nneZ2p6Cd+7Y4xVxqqzemKj4/NB2ak8YGzvUV2kdhu53x9MTRNk03S+Cz1gbK8OzIoXF8qJmWg34Cf8pZDMkzYyTFlt1oc+meKMI1eZjTsOekosmiHj9nGXbe62BWpRY0syRDpdVUWyNhQs1nn37Cwlwy74eJLida1bvKsGSDs1/wjhtl59YtOOLOveitCurQRosxZrA/jsB7kGT8IENkEdI7JTIrHpAIhmGzpKVUP0g8CS5fox0NImem3c0qp2sJz5tLztnAjA+MTJCopI0XzWiYtsoIEbLZtjObvtoBrDMd6uaQ== root@localhost.localdomain
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZIR4RDrioJtBLXDCU2P4AhhzY4erpuWQ5cOKEIB6AAZ2qF3HtcvrhWofF+sJJBaEsEaGo2eV9NY2nVJmr2VhWzb0t2brh21PHCAKKT/qOtllgEY6T9EVoIaYfLuybGFxSNERmCSCs61yOxRvOdcSrdymM0o1OMzQICLjESLVPg0drhAhePvXFNFW+9BZwbnzhkh9jJTY6Lsi44QgDFUKFzAfXtUlPtAbeLYPmSvdXtcT1LRR80Fp+/z3U4FZ7EYX6bFFySkp1HIkGZF87MuM/ndjMHDBqc1FQdORltkT41AjWqoW8Ak8TWzgXMGp0v6JfqCYW+HjmIX4JDJ9mUB+D root@wangshibo
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdY1F1LQH7FTX6cnrvli+O1RIk67BT60PiCR3k7xuQxfBYqE7C1FNLKjlbDXceenU4WleZqVB9n008E7cpm+BR2l9uDUay9jKg3OQej/270emRA3dWUtsW9P3d/66LEVBMQjBgh0XNUsfDhctAwJSsXhxacwKyou1/2tsudFmeSaHqEgOyeFLdKWf76XV5tErzUnws2AOKjM8HOrctyECjajSHS9IhUJaYrY7vePMNZBCbK401iI1lEqb4TQ+j/SdVOrFo6qMPYaFHwyYiv7kYCt7r1SQlwkpnrMr8V88ZFC1pa8ZPiPEyfii9HoMyID2VVUl3G+pas9NRkJ+6Bd+T root@guohuihui

在log目錄下建立一個 keys 文件，用於登錄時存進去公鑰，以後對其進行取出判斷的

[root@dev ~]# touch /var/log/keys

建立檢測腳本，內容以下:

[root@dev ~]# cat /etc/CheckUser.sh
#!/bin/bash
#conding:utf-8
pid=$PPID
#在本身home目錄獲得全部的key，若是/var/log/keys 沒有的時候，添加進去
while read line
do
grep "$line" /var/log/keys >/dev/null || echo "$line" >> /var/log/keys
done < $HOME/.ssh/authorized_keys
#獲得每一個key的指紋
cat /var/log/keys | while read LINE
do
NAME=$(echo $LINE | awk '{print $3}')
echo $LINE >/tmp/keys.log.$pid
KEY=$(ssh-keygen -l -f /tmp/keys.log.$pid | awk '{print $2}')
grep "$KEY $NAME" /var/log/ssh_key_fing >/dev/null || echo "$KEY $NAME" >> /var/log/ssh_key_fing
done
#若是是root用戶，secure文件裏面是經過PPID號驗證指紋
if [ $UID == 0 ]
then
ppid=$PPID
else
#若是不是root用戶，驗證指紋的是另一個進程號
ppid=`/bin/ps -ef | grep $PPID |grep 'sshd:' |awk '{print $3}'`
fi
#獲得RSA_KEY和NAME_OF_KEY，用來bash4.1獲得歷史記錄
RSA_KEY=`/bin/egrep 'Found matching RSA key' /var/log/secure | /bin/egrep "$ppid" | /bin/awk '{print $NF}' | tail -1`
if [ -n "$RSA_KEY" ];then
NAME_OF_KEY=`/bin/egrep "$RSA_KEY" /var/log/ssh_key_fing | /bin/awk '{print $NF}'`
fi
#把NAME_OF_KEY設置爲只讀
readonly NAME_OF_KEY
export NAME_OF_KEY
/bin/rm /tmp/keys.log.$pid

 

配置 profile，在文件末尾添加一行內容，以下：
[root@dev ~]# echo "test -f /etc/CheckUser.sh && . /etc/CheckUser.sh" >> /etc/profile

在/etc/bashrc 末尾添加下面內容：
[root@dev ~]# tail -1f /etc/bashrc
test -z "$BASH_EXECUTION_STRING" || { test -f /etc/CheckUser.sh && . /etc/CheckUser.sh; logger -t -bash -s "HISTORY $SSH_CLIENT USER=$NAME_OF_KEY CMD=$BASH_EXECUTION_STRING " >/dev/null 2>&1;}

修改sshd 配置文件，開啓debug 模式，並重啓sshd 服務
[root@dev ~]# sed -i 's/#LogLevel INFO/LogLevel DEBUG/g' /etc/ssh/sshd_config
[root@dev ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

-----------------------------------------------------
最後驗證下：
從兩臺客戶機跳轉到192.168.1.180上的操做是否能如實記錄下來！

1）從客戶機elk-node1上登錄192.168.1.180，並進行操做：
[root@elk-node1 ~]# ssh root@192.168.1.180
Last login: Mon Oct 17 19:55:29 2016 from 192.168.1.161
[root@dev ~]# touch /root/wangshibo
[root@dev ~]# echo 123 > /root/wangshibo
[root@dev ~]#

2）從客戶機elk-node2上登錄192.168.1.180，並進行操做：
[root@elk-node2 ~]# ssh root@192.168.1.180
Last login: Mon Oct 17 20:04:53 2016 from 192.168.1.160
[root@dev ~]# rm -f /root/wangshibo
[root@dev ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@dev ~]#

3）去192.168.1.180服務器上，查看/var/log/messages日誌，發現兩臺客戶機登錄後的操做已經如實記錄下來了！
[root@dev ~]# tail -f /var/log/messages
Oct 17 19:54:00 dev -bash -bash: HISTORY 192.168.1.161 38886 22 USER= CMD=#012#011#011exec sh -c 'umask 077; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1; if type restorecon >/dev/null 2>&1; then restorecon -F .ssh .ssh/authorized_keys; fi'
Oct 17 19:55:35 dev -bash -bash: HISTORY: PID=12919 PPID=12916 SID=12919 User=root USER=root@guohuihui CMD=cat /root/.ssh/authorized_keys
Oct 17 20:00:28 dev -bash -bash: HISTORY: PID=12582 PPID=12579 SID=12582 User=root USER=root@localhost.localdomain CMD= cat /etc/CheckUser.sh
Oct 17 20:01:47 dev -bash -bash: HISTORY: PID=12582 PPID=12579 SID=12582 User=root USER=root@localhost.localdomain CMD=cat /etc/profile
Oct 17 20:02:15 dev -bash -bash: HISTORY: PID=12582 PPID=12579 SID=12582 User=root USER=root@localhost.localdomain CMD=cat /etc/bashrc
Oct 17 20:04:58 dev -bash -bash: HISTORY: PID=13000 PPID=12997 SID=13000 User=root USER=root@wangshibo CMD=touch /root/wangshibo
Oct 17 20:05:04 dev -bash -bash: HISTORY: PID=13000 PPID=12997 SID=13000 User=root USER=root@wangshibo CMD=echo 123 > /root/wangshibo
Oct 17 20:06:04 dev -bash -bash: HISTORY: PID=13066 PPID=13063 SID=13066 User=root USER=root@guohuihui CMD=rm -f /root/wangshibo
Oct 17 20:06:13 dev -bash -bash: HISTORY: PID=13066 PPID=13063 SID=13066 User=root USER=root@guohuihui CMD=/etc/init.d/sshd restart
Oct 17 20:07:20 dev -bash -bash: HISTORY: PID=12582 PPID=12579 SID=12582 User=root USER=root@localhost.localdomain CMD=tail -f /var/log/messages

如上，能夠看出，不通用戶的客戶端經過公鑰登錄的方式，分辨出了誰操做了什麼，何時操做的。

經過這種方式，能極大的解決了多root用戶登錄操做後沒法審計的問題。
另外能夠結合日誌轉發，將系統日誌轉發到其它服務器，即便主機被黑了，也能具體的審查登錄時間以及作了哪些操做。