How to set up a CentOS system to restrict user modifications to system logs

How to set up the CentOS system to restrict users from modifying the system log

In the CentOS system, the system log is a very important information source. It records the system's operating status, error messages, warnings, etc. In order to protect the stability and security of the system, we should restrict users from modifying system logs. This article will introduce how to set up the CentOS system to restrict the modification permissions of the system log.

1. Create user groups and users
First, we need to create a user group specifically responsible for managing system logs, and an ordinary user for managing logs. Assume that the group name we created is logadmin and the user is loguser. It can be created through the following command:

sudo groupadd logadmin
sudo useradd -g logadmin loguser

2. Modify the permissions of the log file
Next, we need to modify the permissions of the system log file so that Only users in the logadmin group can modify it, and other users can only read it. Usually, the log files of the CentOS system are located in the /var/log directory. Taking the system log file /var/log/messages as an example, we can execute the following command to modify the permissions:

sudo chown root:logadmin /var/log/messages
sudo chmod 640 /var/log/messages

The above command will change the permissions of the log file. The owner is set to the root user, the group to which it belongs is set to the logadmin group, and the permissions are set to 640. In this way, only the root user and users belonging to the logadmin group can modify the log file, and other users can only read it.

3. Configure sudo permissions
In order to ensure that only users in the logadmin group have permission to modify log files, we also need to configure sudo permissions to restrict only users in the logadmin group from using specific commands. Suppose we want to restrict the loguser user to only use the logrotate command, we can perform the following steps:

1. Use the visudo command to edit the sudoers file:

   sudo visudo

2. Add the following content to the file:

   %logadmin ALL=(ALL) NOPASSWD: /usr/sbin/logrotate

   This way, only users belonging to the logadmin group can use the logrotate command and no password is required.

4. Test settings
After completing the above settings, we can test whether the user's permission to modify the system log has been successfully restricted.

1. Switch to the loguser user:

   sudo su - loguser

2. Try to modify the log file:

   echo "test" >> /var/log/messages

   Since the loguser user does not belong to the logadmin group, Therefore, the log file cannot be modified, and a message indicating insufficient permissions will be displayed.

3. Use the logadmin user to try to modify the log file:

   echo "test" >> /var/log/messages

   Since the logadmin user belongs to the logadmin group, it has the permission to modify the log file.

Through the above settings, we have successfully restricted the user's permission to modify the system log and protected the stability and security of the system.

Summary
This article introduces how to set up the CentOS system to restrict users' permission to modify system logs. By creating user groups and users, modifying permissions on log files, and configuring sudo permissions, we can achieve that only specific users can modify system logs and enhance system security and stability.

Note: The group names, users and log files used in the examples in this article are for reference only and should be adjusted according to the actual situation in actual use.

The above is the detailed content of How to set up a CentOS system to restrict user modifications to system logs. For more information, please follow other related articles on the PHP Chinese website!