ssh監査

sshでのログインを一律監査する。

起動スクリプトなどは下記を参考にさせてもらった
link

必要物のインストール

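# Two separate installs (the page collapsed them onto one line, which yum
# would reject). Both packages come from EPEL; perl-File-Tail provides the
# CPAN File::Tail module that the init script's --use-cpan-file-tail expects.
sudo yum --enablerepo=epel -y install swatch
sudo yum --enablerepo=epel -y install perl-File-Tail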

/etc/swatch/secure.conf の 作成

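# The init script reads this line to find the file to tail; keep it first.
# logfile /var/log/secure
#
# NOTE: each pattern is matched against every line of /var/log/secure, so
# "Failed" / "Invalid" written by other services that log there (sudo, su,
# ...) will also trigger a mail; anchor on "sshd" if that is not wanted.
# The recipient address was obfuscated in the copied page ("[email protected]");
# <recipient> below is a placeholder to replace with a real address.

# Successful login
# Accepted password for yamagyu from xxx.xxx.xxx.xxx
watchfor /Accepted/
  mail addresses=<recipient>,subject=ssh_accepted

# User that does not exist on this host
# Invalid user hoge from xxx.xxx.xxx.xxx
watchfor /Invalid/
  mail addresses=<recipient>,subject=ssh_invalid

# Wrong password
# Failed password for yamagyu from xxx.xxx.xxx.xxx
watchfor /Failed/
  mail addresses=<recipient>,subject=ssh_failed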

/etc/rc.d/init.d/swatch の作成

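#!/bin/bash
#
# swatch        Start/stop one swatch daemon per /etc/swatch/*.conf
#
# chkconfig: 2345 90 35
# description: swatch start/stop script
#
# Each config must contain a "# logfile <path>" line; that path is the file
# the corresponding swatch instance tails. Instance N writes its pid to
# /var/run/swatch_N.pid, and the presence of any such file is what the
# script uses to decide whether swatch is "running".

# Source function library.
. /etc/rc.d/init.d/functions

PATH=/sbin:/usr/local/bin:/bin:/usr/bin

readonly CONF_DIR=/etc/swatch
readonly LOG_DIR=/var/log/swatch
readonly LOCK_FILE=/var/lock/subsys/swatch
# swatch writes the Perl it generates from each config into --script-dir and
# runs it as root. The original used /tmp with the predictable name
# .swatch_script.*; a world-writable directory is a poor place for code root
# executes, so a root-only directory is used instead (path chosen here).
readonly SCRIPT_DIR=/var/lib/swatch

# Exit status of the last start/stop/status action; reported by the final exit.
RETVAL=0

mkdir -p "$LOG_DIR"
mkdir -p -m 0700 "$SCRIPT_DIR"
chmod 0700 "$SCRIPT_DIR"

#######################################
# True (0) when at least one /var/run/swatch_*.pid exists.
# The -e test also covers the unmatched-glob case, where the literal
# pattern is left in $f.
#######################################
have_pid_files() {
  local f
  for f in /var/run/swatch_*.pid; do
    [ -e "$f" ] && return 0
  done
  return 1
}

#######################################
# Print the path from the first "# logfile <path>" line of config $1.
# Prints nothing when the line is missing.
#######################################
watched_log() {
  awk '/^# logfile/ { print $3; exit }' "$1"
}

#######################################
# Start one swatch daemon per config file.
# Sets RETVAL: 0 on success, swatch's status on failure, 1 when a config
# has no logfile line or no config exists at all.
#######################################
start() {
  local conf log pno=0
  if have_pid_files; then
    echo "swatch is already started"
    return 0
  fi
  echo -n "Starting swatch"
  for conf in "$CONF_DIR"/*.conf; do
    [ -e "$conf" ] || continue
    pno=$((pno + 1))
    log=$(watched_log "$conf")
    if [ -z "$log" ]; then
      # Without this swatch would be given an empty --tail-file argument.
      echo
      echo "$conf: no '# logfile <path>' line found" >&2
      RETVAL=1
      return "$RETVAL"
    fi
    swatch --config-file "$conf" --tail-file "$log" \
      --script-dir="$SCRIPT_DIR" --awk-field-syntax --use-cpan-file-tail --daemon \
      --pid-file "/var/run/swatch_$pno.pid" \
      >> "$LOG_DIR/swatch.log" 2>&1
    RETVAL=$?
    if [ "$RETVAL" -ne 0 ]; then
      echo
      return "$RETVAL"
    fi
  done
  echo
  if [ "$pno" -eq 0 ]; then
    echo "no config files in $CONF_DIR" >&2
    RETVAL=1
    return "$RETVAL"
  fi
  [ "$RETVAL" -eq 0 ] && touch "$LOCK_FILE"
  return "$RETVAL"
}

#######################################
# Signal every recorded pid, then remove pid files, the lock and the
# generated scripts. Sets RETVAL=0.
#######################################
stop() {
  local pidfile pid
  if ! have_pid_files; then
    echo "swatch is not running"
    return 0
  fi
  echo -n "Shutting down swatch"
  for pidfile in /var/run/swatch_*.pid; do
    [ -e "$pidfile" ] || continue
    pid=$(cat "$pidfile")
    # Only signal a numeric pid; an empty or damaged file would otherwise
    # turn into a bare `kill` with no target.
    case "$pid" in
      ''|*[!0-9]*) echo "$pidfile: ignoring non-numeric content" >&2 ;;
      *)           kill "$pid" ;;
    esac
    rm -f "$pidfile"
  done
  echo
  rm -f "$LOCK_FILE" "$SCRIPT_DIR"/.swatch_script.*
  RETVAL=0
}

#######################################
# Report the recorded pids. Sets RETVAL to the LSB status code:
# 0 when pid files exist, 3 when the service is stopped.
#######################################
status() {
  local pidfile pids=""
  if ! have_pid_files; then
    echo "swatch is stopped"
    RETVAL=3
    return "$RETVAL"
  fi
  for pidfile in /var/run/swatch_*.pid; do
    [ -e "$pidfile" ] || continue
    pids="$pids $(cat "$pidfile")"
  done
  echo "swatch (pid$pids) is running..."
  RETVAL=0
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  status)
    status
    ;;
  *)
    echo "Usage: swatch {start|stop|restart|status}"
    exit 1
    ;;
esac
exit "$RETVAL"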

自動起動設定

# Registers the init script using its "chkconfig: 2345 90 35" header
# (runlevels 2-5, start priority 90, stop priority 35).
chkconfig --add swatch