1.创建用户
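# The same placeholder password for every account and "echo ... | passwd" leave the
# secret in shell history and on this page; at minimum expire it (chage -d 0) so each
# user must set their own at first login. Expansions are quoted and a failed useradd
# skips the password steps instead of running them against a non-existent account.
[root@greymouster ~]# for user in chuji001 chuji002 chuji003 net001 senior001 manager001
> do
>   useradd "$user" || continue
>   echo "111111" | passwd --stdin "$user"
>   chage -d 0 "$user"   # initial password is expired: must be changed at first login
> done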
2.创建5个属于phpers组的开发人员，以及一个开发经理(kaifamanager001)和一个高级开发(seniorphpers)
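# GID 999 is fixed so the /etc/passwd listing further down matches. On newer releases
# (GID_MIN 1000) 999 falls inside the system-account range, so check /etc/login.defs
# before reusing this value on other hosts.
[root@greymouster ~]# groupadd -g 999 phpers
[root@greymouster ~]# for n in 1 2 3 4 5
> do
>   useradd -g phpers "php00$n" || continue
>   echo "111111" | passwd --stdin "php00$n"
>   chage -d 0 "php00$n"   # shared default password must be replaced at first login
> done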
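# Both accounts receive sudo rights below, so the well-known default password must not
# survive the first login: expire it right after setting it.
[root@greymouster ~]# for user in kaifamanager001 seniorphpers
> do
>   useradd "$user" || continue
>   echo "111111" | passwd --stdin "$user"
>   chage -d 0 "$user"   # force a password change at first login
> done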
3.给用户添加权限
[root@greymouster ~]# visudo
#在末尾处添加如下:
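##Cmnd_Alias by greymouster##2017
# Junior ops (CHUJIADMINS): read-only host/process/network status.
Cmnd_Alias CY_CMD_1 = /usr/bin/free,/usr/bin/iostat,/usr/bin/top,/bin/hostname,\
/sbin/ifconfig
# Senior ops (senior001). /bin/nice was removed: "sudo nice /bin/bash" is an immediate
# root shell. rpm, yum and mount can also execute arbitrary code as root (package
# scriptlets, yum plugins, mount helpers), so this list is in practice root access;
# keep it only for a fully trusted account or replace those entries with root-owned
# wrapper scripts that validate their arguments.
Cmnd_Alias GY_CMD_1 = /usr/bin/free,/usr/bin/iostat,/usr/bin/top,/bin/hostname,\
/sbin/ifconfig,/bin/netstat,/sbin/route,/sbin/iptables,/etc/init.d/network,\
/bin/kill,/usr/bin/kill,/usr/bin/killall,/bin/rpm,/usr/bin/up2date,/usr/bin/yum,\
/sbin/fdisk,/sbin/sfdisk,/sbin/parted,/sbin/partprobe,/bin/mount,/bin/umount
# Junior developers (%phpers). Bare /bin/cat and /bin/ls allowed reading any file as
# root ("sudo cat /etc/shadow"); both are now limited to /app/log*. CAVEAT: sudoers
# wildcards are matched against the whole argument string and "*" also matches spaces
# and "/", so "sudo cat /app/log/x /etc/shadow" and "/app/log/../../etc/shadow" still
# match /app/log*. For a hard boundary use a root-owned script that checks its paths.
Cmnd_Alias CK_CMD_1 = /usr/bin/tail /app/log*,/bin/grep /app/log*,/bin/cat /app/log*,\
/bin/ls /app/log*
# Senior developer (seniorphpers). Same wildcard caveat as above. tail is /usr/bin/tail
# as in CK_CMD_1 (confirm with "command -v tail"). The deploy script must be executed
# directly from a root-owned, non-user-writable path: sudoers does not expand "~", and
# "/bin/sh" on a script inside the caller's home directory is a root shell for the caller.
Cmnd_Alias GK_CMD_1 = /sbin/service,/sbin/chkconfig,/usr/bin/tail /app/log*,\
/bin/cat /app/log*,/bin/grep /app/log*,/bin/ls /app/log*,/usr/local/sbin/deploy.sh
# Network admin (net001). "/bin/cat /var/log/*" has the same wildcard caveat, and
# dhclient -sf <script> runs an arbitrary script as root, so treat this as near-root.
Cmnd_Alias GW_CMD_1 = /sbin/route,/sbin/ifconfig,/bin/ping,/sbin/dhclient,\
/usr/bin/net,/sbin/iptables,/usr/bin/rfcomm,/usr/bin/wvdial,/sbin/iwconfig,/sbin/mii-tool,\
/bin/cat /var/log/*
##User_Alias by greymouster##2017
User_Alias CHUJIADMINS = chuji001,chuji002,chuji003
User_Alias GWNETADMINS = net001
User_Alias CHUJI_KAIFA = %phpers
##Runas_Alias by greymouster##2017
Runas_Alias OP=root
#pri config
senior001 ALL=(OP) GY_CMD_1
# manager001 keeps full root but must authenticate: NOPASSWD:ALL turns any hijacked
# session of this account into silent root. Re-add NOPASSWD only for the specific
# command an unattended job needs, never for ALL.
manager001 ALL=(ALL) ALL
# Subtracting commands from ALL with "!" is not a restriction (sudoers(5), "Limitations
# of the '!' operator"): with ALL the user can run "sudo sh", "sudo vim /etc/sudoers",
# or copy visudo elsewhere and run the copy. Grant an explicit allow list instead.
# "!/usr/bin/passwd root" stays effective here because it only narrows the preceding
# passwd entry. If unrestricted root is truly intended, write "ALL=(ALL) ALL" and drop
# the "!" entries rather than relying on them.
kaifamanager001 ALL=(OP) GY_CMD_1, GK_CMD_1, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
seniorphpers ALL=(OP) GK_CMD_1
CHUJIADMINS ALL=(OP) CY_CMD_1
GWNETADMINS ALL=(OP) GW_CMD_1
CHUJI_KAIFA ALL=(OP) CK_CMD_1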
4.测试
[root@greymouster ~]# tail -10 /etc/passwd
net001:x:506:506::/home/net001:/bin/bash
senior001:x:507:507::/home/senior001:/bin/bash
manager001:x:508:508::/home/manager001:/bin/bash
php001:x:509:999::/home/php001:/bin/bash
php002:x:510:999::/home/php002:/bin/bash
php003:x:511:999::/home/php003:/bin/bash
php004:x:512:999::/home/php004:/bin/bash
php005:x:513:999::/home/php005:/bin/bash
kaifamanager001:x:514:514::/home/kaifamanager001:/bin/bash
seniorphpers:x:515:515::/home/seniorphpers:/bin/bash
[root@greymouster ~]# su - chuji001
[chuji001@greymouster ~]$ whoami
chuji001
[chuji001@greymouster ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for chuji001:
匹配此主机上 chuji001 的默认条目:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
用户 chuji001 可以在该主机上运行以下命令:
(root) /usr/bin/free, /usr/bin/iostat, /usr/bin/top, /bin/hostname, /sbin/ifconfig
[chuji001@greymouster ~]$ useradd kkk
-bash: /usr/sbin/useradd: 权限不够
[chuji001@greymouster ~]$ sudo hostname
greymouster
5.通过sudo和syslog配合实现对所有用户进行日志审计并将记录集中管理（注意：下面的步骤只把审计日志写到本机文件；要真正集中管理，还需要在sudoers中设置 `Defaults syslog=local2`，并在rsyslog中把 local2.* 转发到日志服务器，例如 `local2.* @@日志服务器:514`）
1)安装sudo命令和syslog服务(CentOS 6.4中为rsyslog服务)
[root@greymouster ~]# rpm -qa|egrep "sudo|rsyslog"
sudo-1.8.6p3-12.el6.x86_64
rsyslog-5.8.10-8.el6.x86_64
//如果没有安装则执行下面的命令
yum install sudo rsyslog -y
2)配置/etc/sudoers
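# Never append to /etc/sudoers in place: a syntax error makes sudo refuse every command
# until root fixes it by other means. Stage a copy (cp -p keeps root:root 0440), let
# visudo -c -f validate it, and only then move it over the live file. The staging name
# must not be /etc/sudoers.tmp, which is visudo's own lock file.
# "Defaults syslog=local2" is what makes sudo emit syslog records for the rsyslog rule
# in the next step; the CentOS build logs to facility authpriv by default ("sudo -V"
# shows the facility), so without it that rule never sees sudo traffic.
[root@greymouster ~]# cp -p /etc/sudoers /etc/sudoers.new
[root@greymouster ~]# printf '%s\n' 'Defaults logfile=/var/log/sudo.log' 'Defaults syslog=local2' >> /etc/sudoers.new
[root@greymouster ~]# visudo -c -f /etc/sudoers.new && mv -f /etc/sudoers.new /etc/sudoers
/etc/sudoers.new:解析正确
[root@greymouster ~]# tail -2 /etc/sudoers
Defaults logfile=/var/log/sudo.log
Defaults syslog=local2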
[root@greymouster ~]# visudo -c
/etc/sudoers:解析正确
3)配置系统日志/etc/rsyslog.conf
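# This selector only receives sudo records once sudoers contains "Defaults syslog=local2"
# (the CentOS sudo build logs to authpriv by default; check with "sudo -V"). "local2.*"
# is equivalent to "local2.debug". The commented line is the hook for central
# collection: point it at the log server and uncomment it. Note that when
# "Defaults logfile=/var/log/sudo.log" is also set, sudo writes that file itself and
# every command appears twice there; keep only one of the two local writers.
[root@greymouster ~]# printf '%s\n' 'local2.*    /var/log/sudo.log' '#local2.*    @@loghost:514' >> /etc/rsyslog.conf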
[root@greymouster ~]# /etc/init.d/rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
[root@greymouster ~]# ll /var/log/sudo.log
-rw-------. 1 root root 0 3月 28 01:50 /var/log/sudo.log
[root@greymouster ~]#
4)测试
[root@greymouster ~]# su - chuji001
[chuji001@greymouster ~]$ sudo -l
[chuji001@greymouster ~]$ sudo useradd kkk
//切换到root下
[root@greymouster ~]# cat /var/log/sudo.log
Mar 28 01:54:28 : chuji001 : TTY=pts/0 ; PWD=/home/chuji001 ; USER=root ;
COMMAND=list
Mar 28 01:54:44 : chuji001 : 命令禁止使用 ; TTY=pts/0 ; PWD=/home/chuji001 ;
USER=root ; COMMAND=/usr/sbin/useradd kkk
日志收集解决方案：Storm、Flume、Scribe、Logstash（上面的rsyslog配置只落到本机文件，集中管理需要把日志转发到这类收集系统或远端rsyslog服务器）