
RH413 Enterprise Security Hardening, Chapter 14: Configuring System Logging

Chapter 14: Configuring System Logging

Environment

1、RHEL 6.4 SERVER: 10.10.10.221

2、RHEL 6.4 CLIENT: 10.10.10.223

1、Configuring TLS-encrypted log transport

1) Check the status of the logging service

[root@teachers ~]# service rsyslog status

rsyslogd (pid  2029) is running...

2) Inspect the /etc/rsyslog.conf configuration file

$IncludeConfig /etc/rsyslog.d/*.conf    --- anything that could be written in rsyslog.conf can also be placed in a file under this directory

2、About logging

System logging is provided by syslogd.

klogd reads kernel messages and passes them on to syslogd (note: this describes RHEL 5).

Example log files

/var/log/dmesg  --- kernel boot messages and hardware information

/var/log/messages --- standard system error messages

/var/log/maillog --- mail system messages

/var/log/secure --- security, authentication and xinetd messages

Application log files and directories are also kept under /var/log.

3、On RHEL 6, lscpu shows the CPU hardware information

[root@teachers ~]# lscpu

Architecture:          x86_64

CPU op-mode(s):        32-bit, 64-bit

Byte Order:            Little Endian

CPU(s):                4

On-line CPU(s) list:   0-3

Thread(s) per core:    1

Core(s) per socket:    2

Socket(s):             2

NUMA node(s):          1

Vendor ID:             GenuineIntel

CPU family:            6

Model:                 60

Stepping:              3

CPU MHz:               2294.696

BogoMIPS:              4589.39

Hypervisor vendor:     VMware

Virtualization type:   full

L1d cache:             32K

L1i cache:             32K

L2 cache:              256K

L3 cache:              6144K

NUMA node0 CPU(s):     0-3

4、Walking through the rsyslog.conf configuration file

[root@teachers ~]# sed -e '/^#/d' /etc/rsyslog.conf

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)

$ModLoad imklog   # provides kernel logging support (previously done by rklogd)

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$IncludeConfig /etc/rsyslog.d/*.conf

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

-- In the line above, the first "*" selects every facility; messages of severity info and above are written to this log, except those from the mail, authpriv (security) and cron facilities.

authpriv.*                                              /var/log/secure

-- All severities of security-related (authpriv) messages go to the secure log

mail.*                                                -/var/log/maillog

-- All severities of mail messages go to the maillog log

cron.*                                                  /var/log/cron

-- All severities of scheduled-task (cron) messages go to the cron log

5、Log levels

Severity selector symbols

"." records the named severity and every severity above it

".=" records exactly the severity named after the equals sign and nothing else

".!" excludes the named severity and records the rest

Destinations: a file name, a device, or a host

/var/log

/var/lp0

@abc.com

"*" (every user currently logged in)

*.* @@remote-host:514   --- a double @@ means TCP, a single @ means UDP
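To make the selector rules in sections 4 and 5 concrete, here is an added example (not part of the course notes) that evaluates legacy rsyslog/sysklogd selectors such as `*.info;mail.none;authpriv.none;cron.none` against a message's facility and severity, and recognises the `~` discard action. The facility and severity tables are the standard syslog ones (emerg=0 ... debug=7); the parsing rules follow sysklogd's behaviour, which rsyslog's legacy format keeps.

```python
# Added example: evaluator for legacy rsyslog selector lines.
# Later parts of a selector override earlier ones for the facilities they
# name, which is how "mail.none" carves mail out of "*.info".
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]
ALL = set(range(len(PRIORITIES)))


def parse_selector(selector):
    """Return {facility: set of selected severity codes} for one selector."""
    masks = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        fac_spec, _, pri_spec = part.strip().rpartition(".")
        facilities = FACILITIES if fac_spec == "*" else [f.strip() for f in fac_spec.split(",")]
        ignore = pri_spec.startswith("!")        # ".!" form: remove instead of add
        pri_spec = pri_spec.lstrip("!")
        single = pri_spec.startswith("=")        # ".=" form: exactly this severity
        pri_spec = pri_spec.lstrip("=")
        for fac in facilities:
            if pri_spec in ("*", "none"):        # these assign everything / nothing
                masks[fac] = set(ALL) if (pri_spec == "*") != ignore else set()
                continue
            code = PRIORITIES.index(pri_spec)
            bits = {code} if single else set(range(code + 1))  # this level and more severe
            masks[fac] = masks[fac] - bits if ignore else masks[fac] | bits
    return masks


def parse_rule(line):
    """Split a rule line into (selector, action); the action '~' discards."""
    selector, action = line.split(None, 1)
    return selector, action.strip()


def selected(rule_line, facility, severity):
    """True if a message with this facility/severity matches the rule's selector."""
    selector, _ = parse_rule(rule_line)
    return PRIORITIES.index(severity) in parse_selector(selector)[facility]


def is_discard(rule_line):
    return parse_rule(rule_line)[1] == "~"


if __name__ == "__main__":
    rule = "*.info;mail.none;authpriv.none;cron.none                /var/log/messages"
    for fac, sev in [("kern", "warning"), ("user", "debug"), ("mail", "err")]:
        print(fac, sev, selected(rule, fac, sev))
```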

6、Install the rsyslog TLS package (required on both SERVER and CLIENT)

[root@teachers ~]# yum install rsyslog-gnutls  ---- install on the SERVER

[root@student ~]# yum install rsyslog-gnutls ---- install on the CLIENT

7、Check which module the package provides

[root@teachers ~]# rpm -ql rsyslog-gnutls

/lib64/rsyslog/lmnsd_gtls.so

8、Look up the port labelled for encrypted syslog (note: do not pick an arbitrary value; a TLS log server must use TCP)

[root@teachers ~]# semanage port -l |grep syslog

syslogd_port_t                 tcp      6514

syslogd_port_t                 udp      514, 6514

9、Add a port number for the encrypted mode to the SELinux syslog port type

[root@teachers ~]# semanage port -a -t syslogd_port_t -p tcp 6515

10、Install the package providing the CA and certificate tools (certtool)

[root@teachers rsyslog-5.8.10]# yum install gnutls-utils

11、Configure the TLS-encrypted log service

(The reference document these steps follow is shipped under /usr/share/doc.)

1) Create the CA directory

[root@teachers ~]# mkdir -p /etc/rsyslog-keys

[root@teachers ~]# cd /etc/rsyslog-keys/

2) Create the CA private key

[root@teachers rsyslog-keys]# certtool --generate-privkey --outfile ca-key.pem

Generating a 2048 bit RSA private key...

3) Create the self-signed CA certificate

[root@teachers rsyslog-keys]# certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem

Generating a self signed certificate...

Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.

Country name (2 chars): CN

Organization name: RT

Organizational unit name: ES

Locality name: BJ

State or province name: HD

Common name: 

UID: 

This field should not be used in new certificates.

E-mail: 

Enter the certificate's serial number in decimal (default: 1453816763): 

Activation/Expiration time.

The certificate will expire in (days): 365

Extensions.

Does the certificate belong to an authority? (y/N): Y

Path length constraint (decimal, -1 for no constraint): 

Is this a TLS web client certificate? (y/N): 

Is this also a TLS web server certificate? (y/N): 

Enter the e-mail of the subject of the certificate: 

Will the certificate be used to sign other certificates? (y/N): 

Will the certificate be used to sign CRLs? (y/N): 

Will the certificate be used to sign code? (y/N): 

Will the certificate be used to sign OCSP requests? (y/N): 

Will the certificate be used for time stamping? (y/N): 

Enter the URI of the CRL distribution point: 

X.509 Certificate Information:

        Version: 3

        Serial Number (hex): 56a77bbb

        Validity:

                Not Before: Tue Jan 26 13:59:24 UTC 2016

                Not After: Wed Jan 25 13:59:34 UTC 2017

        Subject: C=CN,O=RT,OU=ES,L=BJ,ST=HD

        Subject Public Key Algorithm: RSA

                Modulus (bits 2048):


                Exponent (bits 24):

                        01:00:01

        Extensions:

                Basic Constraints (critical):

                        Certificate Authority (CA): TRUE

                Subject Key Identifier (not critical):

                        859fd67fb2d1cb206d860b7c5f7c162169ad3824

Other Information:

        Public Key Id:

                859fd67fb2d1cb206d860b7c5f7c162169ad3824

Is the above information ok? (Y/N): y

4) Create the SERVER private key

[root@teachers rsyslog-keys]# certtool --generate-privkey --outfile teacherskey.pem

Generating a 2048 bit RSA private key...

5) Create the certificate request to be signed by the CA

[root@teachers rsyslog-keys]# certtool --generate-request --load-privkey teacherskey.pem --outfile teachers-csr.pem

Generating a PKCS #10 certificate request...

Country name (2 chars): CN

Organization name: RT

Organizational unit name: ES

Locality name: BJ

State or province name: HD

Common name: 

UID: 

Enter a dnsName of the subject of the certificate: 

Enter the IP address of the subject of the certificate: 

Enter the e-mail of the subject of the certificate: 

Enter a challenge password: 

Does the certificate belong to an authority? (y/N): 

Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): 

Will the certificate be used for encryption (RSA ciphersuites)? (y/N): 

Is this a TLS web client certificate? (y/N): 

Is this also a TLS web server certificate? (y/N): 

6) Have the CA sign the request, producing the server certificate

[root@teachers rsyslog-keys]# certtool --generate-certificate --load-request teachers-csr.pem --outfile teachers-crt.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem

Generating a signed certificate...

Enter the certificate's serial number in decimal (default: 1453817535): 

Activation/Expiration time.

The certificate will expire in (days): 365

Extensions.

Do you want to honour the extensions from the request? (y/N): 

Does the certificate belong to an authority? (y/N): 

Is this a TLS web client certificate? (y/N): 

Is this also a TLS web server certificate? (y/N): 

Enter the e-mail of the subject of the certificate: 

Will the certificate be used for signing (required for TLS)? (y/N): 

Will the certificate be used for encryption (not required for TLS)? (y/N): 

X.509 Certificate Information:

        Version: 3

        Serial Number (hex): 56a77ebf

        Validity:

                Not Before: Tue Jan 26 14:12:17 UTC 2016

                Not After: Wed Jan 25 14:12:20 UTC 2017

        Subject: C=CN,O=RT,OU=ES,L=BJ,ST=HD

        Subject Public Key Algorithm: RSA

                Modulus (bits 2048):


                Exponent (bits 24):

                        01:00:01

        Extensions:

                Basic Constraints (critical):

                        Certificate Authority (CA): FALSE

                Subject Key Identifier (not critical):

                        9dea8f72786a77f4614ff6d987098cc17a7d6a33

                Authority Key Identifier (not critical):

                        859fd67fb2d1cb206d860b7c5f7c162169ad3824

Other Information:

        Public Key Id:

                9dea8f72786a77f4614ff6d987098cc17a7d6a33

Is the above information ok? (Y/N): y

Signing certificate...

7) Delete the certificate request, which is no longer needed

[root@teachers rsyslog-keys]# rm -rf teachers-csr.pem

8) Create the service configuration file

[root@teachers rsyslog-keys]# vim /etc/rsyslog.d/server.conf

# make gtls driver the default

$DefaultNetstreamDriver gtls

# certificate files

$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem

$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/teachers-crt.pem

$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/teacherskey.pem

$ModLoad imtcp # load TCP listener

$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode

$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated

$InputTCPServerRun 6514 # start up listener at port 6514

9) Restart the SERVER logging service

[root@teachers rsyslog-keys]# service rsyslog restart

Shutting down system logger: [  OK  ]

Starting system logger: [  OK  ]

10) Verify that the configured listener is up

[root@teachers rsyslog-keys]# netstat -tupl|grep rsyslog

tcp        0      0 *:syslog-tls                *:*                         LISTEN      4860/rsyslogd       

tcp        0      0 *:syslog-tls                *:*                         LISTEN      4860/rsyslogd       

12、Configure the RHEL 6.4 CLIENT

1) Configure the client to trust the CA

[root@student ~]# vim /etc/rsyslog.d/client.conf

# certificate files - just CA for a client

$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem

# set up the action

$DefaultNetstreamDriver gtls # use gtls netstream driver

$ActionSendStreamDriverMode 1 # require TLS for the connection

$ActionSendStreamDriverAuthMode anon # server is NOT authenticated

*.* @@(o)teachers.example.com:6514 # send (all) messages

2) Create the directory and copy over the CA public certificate

[root@student ~]# mkdir -p /etc/rsyslog-keys

[root@student ~]# scp -p [email protected]:/etc/rsyslog-keys/ca.pem /etc/rsyslog-keys/

[email protected]'s password: 

ca.pem                                                                                                                     100% 1159     1.1KB/s   00:00    

[root@student ~]# ll /etc/rsyslog-keys/

total 4

-rw-r--r--. 1 root root 1159 Jan 26 09:00 ca.pem

3) Restart the client logging service

[root@student ~]# service rsyslog restart

Shutting down system logger: [  OK  ]

Starting system logger: [  OK  ]

4) Send a log message to the remote server and confirm it arrives

[root@student ~]# logger test tls log

[root@teachers rsyslog-keys]# tail -f /var/log/messages

Jan 26 09:29:03 teachers dbus: avc:  received policyload notice (seqno=2)

Jan 26 09:29:03 teachers dbus: avc:  received policyload notice (seqno=2)

Jan 26 09:29:08 teachers dbus: [system] Reloaded configuration

Jan 26 09:32:41 teachers kernel: Kernel logging (proc) stopped.

Jan 26 09:32:41 teachers rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="2029" x-info="http://www.rsyslog.com"] exiting on signal 15.

Jan 26 09:32:41 teachers kernel: imklog 5.8.10, log source = /proc/kmsg started.

Jan 26 09:32:41 teachers rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="4860" x-info="http://www.rsyslog.com"] start

Jan 26 09:53:05 student kernel: imklog 5.8.10, log source = /proc/kmsg started.

Jan 26 09:53:05 student rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="2875" x-info="http://www.rsyslog.com"] start

Jan 26 09:54:05 student root: test tls log
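As an added check that is not part of the course notes, the following Python sender does by hand what the client.conf action above does: it builds an RFC 3164 message, applies octet-counted framing (the "(o)" in `@@(o)teachers.example.com:6514`) and delivers it over TLS to port 6514. Unlike the chapter's `anon` mode, it only connects if the server certificate chains to ca.pem and matches the host name; the host name and file path are the chapter's, and the facility/severity tables are the standard syslog values.

```python
import socket
import ssl
import time

# Added example: a TLS syslog sender that verifies the server certificate.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "cron": 9, "authpriv": 10, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}


def build_message(facility, severity, hostname, tag, text, ts=None):
    """RFC 3164 line '<PRI>TIMESTAMP HOST TAG: MSG', PRI = facility*8 + severity."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    ts = ts or time.strftime("%b %d %H:%M:%S")
    return "<%d>%s %s %s: %s" % (pri, ts, hostname, tag, text)


def frame(message):
    """Octet-counted framing: the byte length, a space, then the message."""
    data = message.encode("utf-8")
    return b"%d " % len(data) + data


def send_tls(host, port, cafile, message):
    """Connect only if the server certificate chains to cafile and names host,
    send one framed message, and return the negotiated TLS version."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED by default
    ctx.check_hostname = True
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame(message))
            return tls.version()


if __name__ == "__main__":
    msg = build_message("user", "notice", "student", "root", "test tls log")
    print(send_tls("teachers.example.com", 6514, "/etc/rsyslog-keys/ca.pem", msg))
```

Because the server certificate issued in step 11.6 left both the common name and the dnsName empty, this verifying client would reject it; issuing the server certificate with the server's DNS name is what makes the check pass, and is also what you need before moving the rsyslog client off `anon` mode.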

5) 如果将用戶端上的日志丢棄配置/etc/rsyslog.conf

42  *.info;mail.none;authpriv.none;cron.none                ~

On line 42, replace /var/log/messages with "~"