1)sudo用户权限集中管理1.分析业务需求根据业务不同,区分不通权限
| 初级运维 | tom |
| 高级运维 | lucy |
| 运维经理 | stven |
| 初级开发 | john |
| 开发经理 | jie |
| 网络工程师 | san |
2.权限分类(示例)
| 初级运维 | /bin/cat,/bin/ls,/usr/bin/top |
| 高级运维 | /bin/cat,/bin/cat,/bin/ls,/bin/vi,/bin/cp,/bin/rm,/bin/su |
| 运维经理 | all |
| 初级开发 | /bin/cat,/bin/ls |
| 开发经理 | All,/usr/bin/passwd,!/usr/bin/passwd root,!/bin/vi /etc/sudoers,!/usr/bin/vim /etc/sudoers |
| 网络工程师 | /sbin/ifconfig |
3.用户别名# User_Alias ADMINS = jsmith, mikem
| CHUJI_YUNWEI | tom |
| GAOJI_YUNWEI | lucy |
| SAMANAGER | stven |
| CHUJI_KAIFA | john |
| SOFTMANAGER | jie |
| NETWORK | san |
User_Alias CHUJI_YUNWEI = tomUser_Alias GAOJI_YUNWEI = lucyUser_Alias SAMANAGER = stvenUser_Alias CHUJI_KAIFA = johnUser_Alias SOFTMANAGER = jieUser_Alias NETWORK = san4.命令别名注意一行命令没写完,要用“\”转接到下一行接续Cmnd_Alias CHUJI_YUNWEI_CMD = /bin/cat,/bin/ls,/usr/bin/topCmnd_Alias GAOJI_YUNWEI_CMD= /bin/cat,/bin/cat,/bin/ls,/bin/vi,/bin/cp,/bin/rm,/bin/suCmnd_Alias SAMANAGER_CMD = allCmnd_Alias CHUJI_KAIFA_CMD = /bin/cat,/bin/lsCmnd_Alias SOFTMANAGER_CMD = All,/usr/bin/passwd,\!/usr/bin/passwd root,!/bin/vi /etc/sudoers,!/usr/bin/vim /etc/sudoersCmnd_Alias NETWORK_CMD = /sbin/ifconfig 5.主机别名Host_Alias SERVER = student 6.编辑/etc/sudoers授权[root@student ~]# visudoCHUJI_YUNWEI ALL=(ALL) CHUJI_YUNWEI_CMDGAOJI_YUNWEI ALL=(ALL) GAOJI_YUNWEI_CMDSAMANAGER ALL=(ALL) SAMANAGER_CMDCHUJI_KAIFA ALL=(SERVER) CHUJI_KAIFA_CMDSOFTMANAGER ALL=(SERVER) SOFTMANAGER_CMDNETWORK ALL=(ALL) NETWORK_CMD 实战操作: 1)将以下内容追加到/etc/sudoer文件中
sudo -l 可以查看当前用户下的sudu命令权限
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2)Sudo日志审计
安装sudo和rsyslog服务
没有的话可以yum install rsyslog -y
创建sudo日志文件
重启rsyslog服务
测试:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3)日志集中管理1)rsync+inotify或定时任务+rsync,推到日志管理服务器上,10.0.0.7_20120309.sudo.log2)syslog服务来处理添加hosts解析
#日志服务器地址
3)日志收集解决方案scribe、Flume、logstash、stom
本文出自 “
秦仙儿” 博客,请务必保留此出处
http://youdong.blog.51cto.com/3562886/1719639
