RH413企业安全加固 第14章 配置系统日志
第14章 配置系统日志
环境配置
1、RHEL6.4 SERVER 10.10.10.221
2、RHEL6.4 CLIENT 10.10.10.223
1、配置基于TLS的日志加密
1)查看日志服务状态
[root@teachers ~]# service rsyslog status
rsyslogd (pid 2029) is running...
2)查看/etc/rsyslog.conf配置文件
$IncludeConfig /etc/rsyslog.d/*.conf ---跟rsyslog.conf配置文件都可以写到这个目录下
2、关于日志
系统日志由syslogd提供
klogd解读内核信息并将其传递给syslogd(注意:这里指的是RHEL5)
日志文件示例
/var/log/dmesg ---内核引导信息和硬件信息
/var/log/messages ---标准系统出错信息
/var/log/maillog ---邮件系统信息
/var/log/secure ---安全、认证和xinetd信息
应用程序日志文件和目录也保存在/var/log/messages
3、在RHEL6中可以使用lscpu来查看CPU硬件信息
[root@teachers ~]# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 4
On-line CPU(s) list: 0-3
Thread(s) per core: 1
Core(s) per socket: 2
Socket(s): 2
NUMA node(s): 1
Vendor ID: GenuineIntel
CPU family: 6
Model: 60
Stepping: 3
CPU MHz: 2294.696
BogoMIPS: 4589.39
Hypervisor vendor: VMware
Virtualization type: full
L1d cache: 32K
L1i cache: 32K
L2 cache: 256K
L3 cache: 6144K
NUMA node0 CPU(s): 0-3
4、解析rsyslog.conf配置文件
[root@teachers ~]# sed -e '/^#/d' /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
--以上第1个“*”代表为日志分门别类,将系统级别最低的写入日志、
跟邮件除外、更安全的除外、跟计划任务的除外。
authpriv.* /var/log/secure
--跟安全内容的所有等级记录到secure日志中
mail.* -/var/log/maillog
--跟邮件内容的所有等级都记录到maillog日志中
cron.* /var/log/cron
--跟计划任务内容的所有等级都记录到cron日志中
5、日志等级
信息等级符号
“.” 表示以后面还要高的等级(包括该等级)都记录
“.=”所需要的等级就是等号后面的等级,其他不要
“.!”除了该等级,其他都记录下来
信息记录的文件名或配置或主机
/var/log
/var/lp0
@abc.com
“*”(当前在线的所有人)
*.* @@remote-host:514 ---两个@@代表tcp,一个@代表udp
6、安装rsyslog加密包(SERVER 和CLIENT都需要安装)
[root@teachers ~]# yum install rsyslog-gnutls ----SERVER端安装
[root@student ~]# yum install rsyslog-gnutls ----CLIENT端安装
7、查询包是否加载模块
[root@teachers ~]# rpm -ql rsyslog-gnutls
/lib64/rsyslog/lmnsd_gtls.so
8、查询加密方式的端口号( 注意:这里不能乱填,如果要做加密服务器的话一定要选择TCP)
[root@teachers ~]# semanage port -l |grep syslog
syslogd_port_t tcp 6514
syslogd_port_t udp 514, 6514
9、添加加密方式的端口号
[root@teachers ~]# semanage port -a -t syslogd_port_t -p tcp 6515
10、安装CA签发证书包
[root@teachers rsyslog-5.8.10]# yum install gnutls-utils
11、配置日志加密服务
以上的文档是/usr/share/doc 下的
1) 配置CA目录
[root@teachers ~]# mkdir -p /etc/rsyslog-keys
[root@teachers ~]# cd /etc/rsyslog-keys/
2) 创建CA的私钥
[root@teachers rsyslog-keys]# certtool --generate-privkey --outfile ca-key.pem
Generating a 2048 bit RSA private key...
3) 配置自签发证书
[root@teachers rsyslog-keys]# certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): CN
Organization name: RT
Organizational unit name: ES
Locality name: BJ
State or province name: HD
Common name:
UID:
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1453816763):
Activation/Expiration time.
The certificate will expire in (days): 365
Extensions.
Does the certificate belong to an authority? (y/N): Y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N):
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N):
Will the certificate be used to sign CRLs? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used for time stamping? (y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
Version: 3
Serial Number (hex): 56a77bbb
Validity:
Not Before: Tue Jan 26 13:59:24 UTC 2016
Not After: Wed Jan 25 13:59:34 UTC 2017
Subject: C=CN,O=RT,OU=ES,L=BJ,ST=HD
Subject Public Key Algorithm: RSA
Modulus (bits 2048):
e9:be:2a:bd:dd:4c:79:ef:4d:97:2d:b3:1e:e7:fb:96
a4:ee:19:61:e2:62:68:5b:b0:53:03:4c:48:7a:ee:fe
a7:e7:c2:14:8e:85:66:e8:2e:53:00:d0:1d:cb:08:91
10:4a:c2:40:97:a4:7c:b9:49:e4:8a:d5:c6:a2:20:ec
f5:b3:71:65:4e:be:14:c4:3f:41:93:5f:fa:08:e5:b7
0e:6d:80:8f:00:24:8c:8a:22:8d:4b:ba:17:22:6e:01
0d:32:85:34:bb:31:78:2b:28:60:ec:42:fd:83:86:97
ac:48:3b:2d:f6:d7:c1:37:21:89:06:00:be:65:7c:0c
91:a6:5f:d3:ba:01:f3:9f:46:90:ae:96:95:45:06:c9
5a:77:ee:d3:1a:9c:4b:ff:57:e5:f3:b5:3b:ce:bd:0a
50:fa:36:8c:04:6f:57:b0:a7:08:df:8b:fe:aa:1f:36
dc:0d:77:82:87:e1:99:a7:c0:58:34:51:00:60:12:e8
0d:70:1b:f7:62:6f:75:90:7a:cd:73:c0:64:ee:1d:d2
d6:3c:c7:74:80:66:db:6b:4c:20:41:85:29:63:d5:f6
9c:29:e6:91:43:4e:8d:65:68:4b:24:a0:9f:13:5b:21
29:43:19:4a:7e:58:ab:4c:7a:17:89:79:8f:e2:cf:17
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Subject Key Identifier (not critical):
859fd67fb2d1cb206d860b7c5f7c162169ad3824
Other Information:
Public Key Id:
859fd67fb2d1cb206d860b7c5f7c162169ad3824
Is the above information ok? (Y/N): y
4) 创建SERVER端的私钥
[root@teachers rsyslog-keys]# certtool --generate-privkey --outfile teacherskey.pem
Generating a 2048 bit RSA private key...
5) 创建带签发CA证书
[root@teachers rsyslog-keys]# certtool --generate-request --load-privkey teacherskey.pem --outfile teachers-csr.pem
Generating a PKCS #10 certificate request...
Country name (2 chars): CN
Organization name: RT
Organizational unit name: ES
Locality name: BJ
State or province name: HD
Common name:
UID:
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N):
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N):
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N):
6) 把待签发的key给CA中心变成pub-key
[root@teachers rsyslog-keys]# certtool --generate-certificate --load-request teachers-csr.pem --outfile teachers-crt.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
Generating a signed certificate...
Enter the certificate's serial number in decimal (default: 1453817535):
Activation/Expiration time.
The certificate will expire in (days): 365
Extensions.
Do you want to honour the extensions from the request? (y/N):
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Is this also a TLS web server certificate? (y/N):
Enter the e-mail of the subject of the certificate:
Will the certificate be used for signing (required for TLS)? (y/N):
Will the certificate be used for encryption (not required for TLS)? (y/N):
X.509 Certificate Information:
Version: 3
Serial Number (hex): 56a77ebf
Validity:
Not Before: Tue Jan 26 14:12:17 UTC 2016
Not After: Wed Jan 25 14:12:20 UTC 2017
Subject: C=CN,O=RT,OU=ES,L=BJ,ST=HD
Subject Public Key Algorithm: RSA
Modulus (bits 2048):
bf:f0:fd:28:72:f4:f9:df:24:84:9b:e4:0b:b0:73:38
55:3f:43:26:36:1e:9e:93:fd:b0:8c:ff:2b:f4:c0:0d
ea:19:c6:52:58:42:00:47:72:3f:14:4c:30:04:e0:1e
18:e8:9d:3a:80:67:9a:a2:33:84:60:df:e6:e9:36:e1
dc:78:39:ce:0c:05:84:9b:9d:23:ae:f0:24:e1:5c:d8
57:a8:0b:2a:b7:65:2c:45:19:6c:37:79:20:e5:83:b0
a2:08:fb:ea:1d:f3:8e:82:0a:5b:a5:29:3f:5c:c0:5d
76:14:bf:bd:aa:30:43:0e:1b:82:d9:5e:fb:18:29:c0
0b:a4:38:25:15:20:8f:32:86:87:da:74:53:17:05:30
fa:29:ba:66:e4:5c:36:e2:bc:f1:5d:c6:de:ec:ef:b8
00:17:d0:35:f5:34:c5:7b:d7:b7:54:d2:38:53:80:fe
f7:39:21:b8:57:fc:2b:56:0c:a6:77:55:ec:21:76:38
32:85:95:f7:ae:a8:44:1d:b2:38:3e:bf:33:29:05:2d
d7:0f:7d:53:77:53:c5:8d:36:02:be:44:0a:7a:d0:9f
3d:91:38:67:75:b2:37:dc:77:22:9f:26:dc:92:d4:ec
85:0c:1d:68:3e:33:3b:83:4e:dc:3e:3a:42:fe:6b:0d
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Subject Key Identifier (not critical):
9dea8f72786a77f4614ff6d987098cc17a7d6a33
Authority Key Identifier (not critical):
859fd67fb2d1cb206d860b7c5f7c162169ad3824
Other Information:
Public Key Id:
9dea8f72786a77f4614ff6d987098cc17a7d6a33
Is the above information ok? (Y/N): y
Signing certificate...
7) 删除没有用的CA密钥
[root@teachers rsyslog-keys]# rm -rf teachers-csr.pem
8) 创建服务的配置文件
[root@teachers rsyslog-keys]# vim /etc/rsyslog.d/server.conf
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/teachers-crt.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/teacherskey.pem
$ModLoad imtcp # load TCP listener
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
$InputTCPServerRun 6514 # start up listener at port 10514
9) 重启SERVER端服务
[root@teachers rsyslog-keys]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
10) 查看配置是否有监听
[root@teachers rsyslog-keys]# netstat -tupl|grep rsyslog
tcp 0 0 *:syslog-tls *:* LISTEN 4860/rsyslogd
tcp 0 0 *:syslog-tls *:* LISTEN 4860/rsyslogd
12、配置RHEL6.4 CLIENT
1) 配置客户端CA
[root@student ~]# vim /etc/rsyslog.d/client.conf
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
# set up the action
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
*.* @@(o)teachers.example.com:6514 # send (all) messages
2) 创建CA公钥的目录和文件
[root@student ~]# mkdir -p /etc/rsyslog-keys
[root@student ~]# scp -p root@teachers.example.com:/etc/rsyslog-keys/ca.pem /etc/rsyslog-keys/
root@teachers.example.com's password:
ca.pem 100% 1159 1.1KB/s 00:00
[root@student ~]# ll /etc/rsyslog-keys/
total 4
-rw-r--r--. 1 root root 1159 Jan 26 09:00 ca.pem
3) 重启客户端日志服务
[root@student ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
4) 发送日志到远程服务器上
[root@student ~]# logger test tls log
[root@teachers rsyslog-keys]# tail -f /var/log/messages
Jan 26 09:29:03 teachers dbus: avc: received policyload notice (seqno=2)
Jan 26 09:29:03 teachers dbus: avc: received policyload notice (seqno=2)
Jan 26 09:29:08 teachers dbus: [system] Reloaded configuration
Jan 26 09:32:41 teachers kernel: Kernel logging (proc) stopped.
Jan 26 09:32:41 teachers rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="2029" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jan 26 09:32:41 teachers kernel: imklog 5.8.10, log source = /proc/kmsg started.
Jan 26 09:32:41 teachers rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="4860" x-info="http://www.rsyslog.com"] start
Jan 26 09:53:05 student kernel: imklog 5.8.10, log source = /proc/kmsg started.
Jan 26 09:53:05 student rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="2875" x-info="http://www.rsyslog.com"] start
Jan 26 09:54:05 student root: test tls log
5) 如果将客户端上的日志丢弃配置/etc/rsyslog.conf
42 *.info;mail.none;authpriv.none;cron.none ~
第42行把 /var/log/messages 换成“~”
RH413企业安全加固 第14章 配置系统日志相关推荐
- RH413企业安全加固 第15章 配置系统审计
第15章 配置系统审计 环境配置 1.RHEL6.4 SERVER 10.10.10.221 2.RHEL6.4 CLIENT 10.10.10.223 1.审计使用的服务 [root@teacher ...
- 第14章 使用Kotlin 进行 Android 开发
2019独角兽企业重金招聘Python工程师标准>>> 第14章 使用Kotlin 进行 Android 开发 根据Realm Report (2017-Q4,https://rea ...
- Linux就这个范儿 第14章 身在江湖
Linux就这个范儿 第14章 身在江湖 "有人的地方就有江湖",如今的计算机世界就像一个"江湖".且不说冠希哥有多么无奈,把微博当QQ的局长有多么失败,就说如 ...
- www服务器提供的第一个信息页面,第14章WWW服务
<第14章WWW服务>由会员分享,可在线阅读,更多相关<第14章WWW服务(48页珍藏版)>请在人人文库网上搜索. 1.第14章 WWW服务,学习本章应掌握: WWW服务系统中 ...
- Windows2008管理---第14章 高可用群集和QoS
第14章 高可用群集和QoS 目录 第1章 高可用群集和QoS. 1<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com ...
- Spring Boot常见企业开发场景应用、自动配置原理结构分析
读者应具备: Spring SpringMVC服务器端开发基础 Maven基础 本篇主要介绍Spring Boot在企业开发中常见场景的使用.以及Spring Boot的基本原理结构. 以下为本篇设计 ...
- 第14章 SpringBoot静态资源处理
第14章 SpringBoot静态资源处理 14.1 WebMvcAutoConfiguration的默认配置 14.2 自定义静态资源映射 14.3 前端资源的引用方法
- Spring - Java/J2EE Application Framework 应用框架 第 14 章 JMS支持
第 14 章 JMS支持 14.1. 介绍 Spring提供一个用于简化JMS API使用的抽象层框架,并且对用户屏蔽JMS API中从1.0.2到1.1版本之间的不同. JMS大体上被分为两个功能块 ...
- 某学校有计算机主机1300台,网络互联技术与实践第14章:构建基于静态路由的多层网络.ppt...
网络互联技术与实践第14章:构建基于静态路由的多层网络 * * * * * * * * * * 14.5 扩展知识 14.5.3 中小型园区网设计 2. 中型园区网 FE连接客户机 第3层交换 第2层 ...
最新文章
- squid,nginx,lighttpd反向代理的区别
- 编译安装Zabbix 2.2 (LNMP环境)
- 360的新手机没用AI,用在了车载后视镜上
- python随机生成中文字符串_用Python生成随机UTF-8字符串
- 如何制作计算机启动盘,一款U盘启动盘制作小工具
- oracle+数据到+mysql数据库乱码_oracle数据mysql数据库乱码
- ajax工作中使用模板
- COCO 数据集格式及mmdetection中的转换方法
- Linux之file命令
- QString转Char*字符串
- TVS二极管的工作原理与选型
- 小猪短租陈驰:共享经济不是简单的资本游戏
- 电脑老是显示断开资产管理服务器,史上最强开机维护通道2016年0825重大功能更新(网络版、电脑资产管理、分层桌面秀)...
- 亿阳信通面试题2006.12.15
- 计算机专业英语谐音大全,英语单词谐音记忆法汇总整理
- 享受蓝牙(一): 开始享受
- 人力资源行业投资建议
- 前端和后端哪个工资高?前端工程师的工资,比后端低吗?
- esxi服务器更换硬盘,ESXi下磁盘分区删除步骤详解
- uniApp 使用uView遇到的小坑 LineProgress 线形进度条