1 案例1:编译安装软件包
1.1 问题
本例要求掌握常规源代码应用的安装过程,通过编译的方式安装inotify-tools 软件工具,完成下列任务:
释放 inotify-tools-3.13.tar.gz 源码包
配置 ./configure
编译 make、安装 make install
测试inotifywait监控工具的用法及用途
1.2 方案
对于标准源码发布的C/C++软件包,编译安装一般包括以下过程:
解包:使用tar命令,将下载的源代码释放至指定目录
配置:执行源码目录内的 ./configure 脚本,指定安装目录/功能模块等选项
编译:在源码目录下执行 make 操作,根据配置清单Makefile生成可执行的二进制程序文件
安装:在源码目录下执行make install 操作,将编译好的程序及相关文件复制到安装目录
1.3 步骤
实现此案例需要按照如下步骤进行。
步骤一:确认已配置好编译环境
[root@svr7 ~]# yum -y install gcc gcc-c++ make
… …
[root@svr7 ~]# gcc --version
gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-4)
Copyright © 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
步骤二:编译安装inotify-tools软件包
1)解包inotify-tools-3.13.tar.gz文件
[root@svr7 ~]# ls inotify-tools-3.13.tar.gz
inotify-tools-3.13.tar.gz
[root@svr7 ~]# tar xf inotify-tools-3.13.tar.gz -C /usr/src/
2)配置 ./configure,安装目录默认(/usr/local/*/)
[root@svr7 ~]# cd /usr/src/inotify-tools-3.13/ //进入源码目录
[root@svr7 inotify-tools-3.13]# ./configure //配置操作
checking for a BSD-compatible install… /usr/bin/install -c
checking whether build environment is sane… yes
checking for gawk… gawk
… …
configure: creating ./config.status
config.status: creating Makefile
… …
[root@svr7 inotify-tools-3.13]# ls Makefile //检查配置结果
Makefile
3)编译 make
[root@svr7 inotify-tools-3.13]# make
… …
Making all in src
make[2]: Entering directory /usr/src/inotify-tools-3.13/src’
make[3]: Entering directory /usr/src/inotify-tools-3.13’
make[3]: Leaving directory `/usr/src/inotify-tools-3.13’
… …
4)安装 make install
[root@svr7 inotify-tools-3.13]# make install
… …
/usr/bin/install -c .libs/inotifywait /usr/local/bin/inotifywait
/bin/sh …/libtool --mode=install /usr/bin/install -c ‘inotifywatch’ ‘/usr/local/bin/inotifywatch’
… …
[root@svr7 inotify-tools-3.13]# find /usr/local/ -name “inotify*”
/usr/local/bin/inotifywait //确认安装结果
/usr/local/bin/inotifywatch
/usr/local/include/inotifytools
/usr/local/include/inotifytools/inotifytools.h
步骤三:测试inotify-tools软件程序
软件包inotify-tools提供了一个主要程序inotifywait,可以用来监控指定目录或文档的变化,并及时给出通知。
1)开启对/opt目录的事件监控
[root@svr7 ~]# inotifywait -mrq /opt & //开启监控
[1] 15568
2)修改/opt/目录内容,观察屏幕输出信息
[root@svr7 ~]# touch /opt/a.txt //新建文件a.txt
/opt/ CREATE a.txt
/opt/ OPEN a.txt
/opt/ ATTRIB a.txt
/opt/ CLOSE_WRITE,CLOSE a.txt
[root@svr7 ~]# mv /opt/a.txt /opt/b.txt //将文件改名
/opt/ MOVED_FROM a.txt
/opt/ MOVED_TO b.txt
3)结束inotifywait监控
杀死当前用户的第一个后台任务:
[root@svr7 ~]# kill -9 %1
[1]+ Killed inotifywait -mrq /opt
2 案例2:系统日志分析
2.1 问题
本例要求熟悉Linux系统中的常见日志文件,使用必要的命令工具完成下列任务:
列出所有包含关键词8909的系统日志消息
查看启动时识别的鼠标设备信息
列出最近2条成功/不成功的用户登录消息
列出最近10条重要程度在 ERR 及以上的日志消息
列出所有与服务httpd相关的消息
列出前4个小时内新记录的日志
2.2 方案
常见的系统日志及各自用途:
/var/log/messages,记录内核消息、各种服务的公共消息
/var/log/dmesg,记录系统启动过程的各种消息
/var/log/cron,记录与cron计划任务相关的消息
/var/log/maillog,记录邮件收发相关的消息
/var/log/secure,记录与访问限制相关的安全消息
日志消息的优先级(高–>低):
EMERG(紧急):级别0,系统不可用的情况
ALERT(警报):级别1,必须马上采取措施的情况
CRIT(严重):级别2,严重情形
ERR(错误):级别3,出现错误
WARNING(警告):级别4,值得警告的情形
NOTICE(注意):级别5,普通但值得引起注意的事件
INFO(信息):级别6,一般信息
DEBUG(调试):级别7,程序/服务调试消息
RHEL7提供的journalctl日志工具的常见用法:
journalctl | grep 关键词
journalctl -u 服务名 -p 优先级
journalctl -n 消息条数
journalctl --since=“yyyy-mm-dd HH:MM:SS” --until=“yyyy-mm-dd HH:MM:SS”
2.3 步骤
实现此案例需要按照如下步骤进行。
步骤一:分析系统日志及用户日志
1)列出所有包含关键词8909的系统日志消息
简单模拟一个故障(SELinux阻止Web开放8909端口):
[root@svr7 ~]# vim /etc/httpd/conf.d/8909.conf //添加开8909端口配置
Listen 8909
[root@svr7 ~]# setenforce 1 //开启强制模式
[root@svr7 ~]# systemctl restart httpd //起服务失败
Job for httpd.service failed because the control process exited with error code. See “systemctl status httpd.service” and “journalctl -xe” for details.
从日志文件/var/log/messages中检索信息:
[root@svr7 ~]# grep 8909 /var/log/messages
Jan 6 17:53:48 svr7 setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8909. For complete SELinux messages. run sealert -l 6d37b8f0-ab8a-4082-9295-c784f4f57190
Jan 6 17:53:48 svr7 python: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8909.#012#012***** Plugin bind_ports (92.2 confidence) suggests *******************#012#012If you want to allow /usr/sbin/httpd to bind to network port 8909#012Then you need to modify the port type.#012Do#012# semanage port -a -t PORT_TYPE -p tcp 8909#012 where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.#012#012 Plugin catchall_boolean (7.83 confidence) suggests *************#012#012If you want to allow nis to enabled#012Then you must tell SELinux about this by enabling the ‘nis_enabled’ boolean.#012#012Do#012setsebool -P nis_enabled 1#012#012 Plugin catchall (1.41 confidence) suggests **************************#012#012If you believe that httpd should be allowed name_bind access on the port 8909 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep httpd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
… …
使用完毕记得删除测试配置文件:
[root@svr7 ~]# rm -rf /etc/httpd/conf.d/8909.conf
[root@svr7 ~]# systemctl restart httpd
2)查看启动时识别的鼠标设备信息
[root@svr7 ~]# dmesg | grep -i mouse
[ 1.020385] mousedev: PS/2 mouse device common for all mice
[ 1.249422] input: ImPS/2 Generic Wheel Mouse as /devices/platform/i8042/serio1/input/input2
[ 2.279665] usb 2-1: Product: VMware Virtual USB Mouse
[ 2.603999] input: VMware VMware Virtual USB Mouse as /devices/pci0000:00/0000:00:11.0/0000:02:00.0/usb2/2-1/2-1:1.0/input/input3
[ 2.604222] hid-generic 0003:0E0F:0003.0001: input,hidraw0: USB HID v1.10 Mouse [VMware VMware Virtual USB Mouse] on usb-0000:02:00.0-1/input0
3)列出最近2条成功/不成功的用户登录消息
查看成功登录的事件消息:
[root@svr7 ~]# last -2
zhsan pts/2 192.168.4.207 Fri Jan 6 18:00 - 18:00 (00:00)
root pts/2 192.168.4.110 Fri Jan 6 17:26 - 17:59 (00:33)
wtmp begins Thu Aug 4 00:10:16 2016
查看失败登录的事件消息:
[root@svr7 ~]# lastb -2
anonymou ssh:notty 192.168.4.207 Fri Jan 6 18:00 - 18:00 (00:00)
anonymou ssh:notty 192.168.4.207 Fri Jan 6 18:00 - 18:00 (00:00)
btmp begins Fri Jan 6 18:00:34 2017
步骤二:使用journalctl日志提取工具
1)列出最近10条重要程度在 ERR 及以上的日志消息
[root@svr7 ~]# journalctl -p err -n 10
– Logs begin at Thu 2017-01-05 15:50:08 CST, end at Fri 2017-01-06 18:01:01 CST. –
Jan 06 14:56:57 svr7 setroubleshoot[23702]: SELinux is preventing /usr/sbin/vsftpd from getattr access on the file /rhel7/repodata/repomd.xml. For complete SELinux mes
Jan 06 14:56:57 svr7 setroubleshoot[23702]: SELinux is preventing /usr/sbin/vsftpd from read access on the file repomd.xml. For complete SELinux messages. run sealert
Jan 06 14:56:57 svr7 setroubleshoot[23702]: SELinux is preventing /usr/sbin/vsftpd from read access on the file repomd.xml. For complete SELinux messages. run sealert
Jan 06 14:56:57 svr7 setroubleshoot[23702]: SELinux is preventing /usr/sbin/vsftpd from lock access on the file /rhel7/repodata/repomd.xml. For complete SELinux messag
Jan 06 17:53:48 svr7 setroubleshoot[33743]: Plugin Exception restorecon_source
Jan 06 17:53:48 svr7 setroubleshoot[33743]: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8909. For complete SELinux messages. run
Jan 06 17:53:53 svr7 setroubleshoot[33743]: SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 8909. For complete SELinux messages.
Jan 06 17:53:54 svr7 systemd[1]: Failed to start The Apache HTTP Server.
… …
lines 1-11/11 (END)
2)列出所有与服务httpd相关的消息
[root@svr7 ~]# journalctl -u httpd
– Logs begin at Thu 2017-01-05 15:50:08 CST, end at Fri 2017-01-06 18:01:01 CST. –
Jan 06 14:57:16 svr7 systemd[1]: Starting The Apache HTTP Server…
Jan 06 14:57:16 svr7 httpd[23812]: AH00557: httpd: apr_sockaddr_info_get() failed for svr7
Jan 06 14:57:16 svr7 httpd[23812]: AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ‘ServerName’ directi
Jan 06 14:57:16 svr7 systemd[1]: Started The Apache HTTP Server.
Jan 06 17:53:44 svr7 systemd[1]: Stopping The Apache HTTP Server…
Jan 06 17:53:46 svr7 systemd[1]: Starting The Apache HTTP Server…
Jan 06 17:53:46 svr7 httpd[33741]: AH00557: httpd: apr_sockaddr_info_get() failed for svr7
… …
3)列出前4个小时内新记录的日志
根据当前日期时间往前推4个小时,确定–since起始和–until结束时刻:
[root@svr7 ~]# journalctl --since “2017-01-06 14:11” --until “2017-01-06 18:11”
– Logs begin at Thu 2017-01-05 15:50:08 CST, end at Fri 2017-01-06 18:10:01 CST. –
Jan 06 14:20:01 svr7 systemd[1]: Started Session 160 of user root.
Jan 06 14:20:01 svr7 CROND[22869]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 06 14:20:01 svr7 systemd[1]: Starting Session 160 of user root.
Jan 06 14:30:01 svr7 systemd[1]: Started Session 161 of user root.
Jan 06 14:30:01 svr7 CROND[23028]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jan 06 14:31:39 svr7 systemd[1]: Starting Session 162 of user root.
Jan 06 14:32:17 svr7 sshd[23046]: pam_unix(sshd:session): session closed for user root
Jan 06 14:31:39 svr7 systemd[1]: Started Session 162 of user root.
Jan 06 14:31:39 svr7 sshd[23046]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 06 14:31:39 svr7 systemd-logind[985]: New session 162 of user root.
… .