<h2> Jumpserver Wiki</h2>
<p><span style="font-family: 微软雅黑;font-weight: bold;font-size: 14px"> <img src="//cto.wang/usr/uploads/2016/07/20160703143941-8.gif" title="111.png" /></span></p>
<p style="margin-left: 168px;text-indent: 28px"><span style="font-family: 微软雅黑;font-weight: bold;font-size: 18px"> Author: 广宏伟 </span></p>
<p style="margin-left: 84px;text-indent: 28px"><span style="font-family: 微软雅黑;font-weight: bold;font-size: 18px"> Official site: </span>http://www.jumpserver.org/</p>
<p><span style="font-family: 微软雅黑;font-weight: bold;font-size: 18px"> GitHub</span><span style="font-family: 宋体;font-weight: bold;font-size: 18px">: </span>https://github.com/ibuler/jumpserver/wiki</p>
<p style="margin-left: 336px;text-indent: 28px"><span style="font-family: 宋体"> Document compiled by: 火拳Ace</span></p>
<h2><span style="font-family: 宋体">I. Overview</span></h2>
<p>Jumpserver is an open-source jump server (bastion host) system written in Python that implements the functions a jump server should have.</p>
<p>Home page</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703143942-36.gif" title="图片1.png" /></p>
<p>WebTerminal:</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703143942-17.gif" title="图片2.png" /> </p>
<p>Batch command execution from the web</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703143942-21.gif" title="图片3.png" /></p>
<p>Session recording playback</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703143942-70.gif" title="图片4.png" /></p>
<p>Host jumping and batch commands</p> 
<p><img src="//cto.wang/usr/uploads/2016/07/20160703143942-74.gif" title="图片5.png" /> </p>
<p>Command statistics</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703143942-61.gif" title="图片6.png" /></p>
<p>Features:</p>
<p style="margin-top: auto;margin-bottom: auto;margin-left: 28px;line-height: 26px">• Fully open source, GPL licensed</p>
<p style="margin-top: auto;margin-bottom: auto;margin-left: 28px;line-height: 26px">• Written in Python, easy to extend</p>
<p style="margin-top: auto;margin-bottom: auto;margin-left: 28px;line-height: 26px">• Implements the core jump-server functions: authentication, authorization, and auditing</p>
<p style="margin-top: auto;margin-bottom: auto;margin-left: 28px;line-height: 26px">• Integrates Ansible for batch commands and more</p>
<p style="margin-top: auto;margin-bottom: auto;margin-left: 28px;line-height: 26px">• Supports WebTerminal</p>
<p style="margin-top: auto;margin-bottom: auto;margin-left: 28px;line-height: 26px">• Built with Bootstrap, with a clean interface</p>
<p style="margin-top: auto;margin-bottom: auto;margin-left: 28px;line-height: 26px">• Automatic hardware information collection</p>
<p style="margin-top: auto;margin-bottom: auto;margin-left: 28px;line-height: 26px">• Session recording playback</p>
<p style="margin-top: auto;margin-bottom: auto;margin-left: 28px;line-height: 26px">• Command search</p>
<p style="margin-top: auto;margin-bottom: auto;margin-left: 28px;line-height: 26px">• Real-time monitoring</p>
<p style="margin-top: auto;margin-bottom: auto;margin-left: 28px;line-height: 26px">• Batch upload and download</p>
<h2><span style="font-family: 宋体">II. </span><span style="font-family: 宋体">Quick Install</span></h2>
<p><span style="font-family: 宋体;font-size: 14px">Quick install</span></p>
<p><span style="font-family: 宋体;font-size: 14px">A CentOS 6 minimal environment is recommended for the quick install. On a system where other software has already been installed, incompatible Python libraries such as pycrypto or django may be present and will interfere with the quick install.</span></p>
<p><span style="font-family: 宋体;font-size: 14px">Environment</span></p>
<p><span 
style="font-family: 宋体;font-size: 14px">CentOS 6.x x86_64 mini</span></p>
<p><span style="font-family: 宋体;font-size: 14px">iptables stop</span></p>
<p><span style="font-family: 宋体;font-size: 14px">selinux disable</span></p>
<p><span style="font-family: 宋体;font-size: 14px">Getting started</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1. </span><span style="font-family: 宋体;font-size: 14px">Install the RPM dependencies</span></p>
<p><span style="font-family: 宋体;font-size: 14px">The Aliyun mirror can be used as the yum source; I tested it on CentOS 6.6 without problems.</span></p>
<p><span style="font-family: 宋体;font-size: 14px">(Details: </span>http://mirrors.aliyun.com/help/centos<span style="font-family: 宋体;font-size: 14px">)</span></p>
<p><span style="font-family: 宋体;font-size: 14px">yum -y install epel-release</span></p>
<p><span style="font-family: 宋体;font-size: 14px">yum -y install git python-pip mysql-devel gcc automake autoconf python-devel vim sshpass lrzsz</span></p>
<p><span style="font-family: 宋体;font-size: 14px">2. Download jumpserver</span></p>
<p><span style="font-family: 宋体;font-size: 14px">cd /opt</span></p>
<p><span style="font-family: 宋体;font-size: 14px">git clone https://github.com/ibuler/jumpserver.git</span></p>
<p><span style="font-family: 宋体;font-size: 14px">3. 
Run the quick-install script</span></p>
<p><span style="font-family: 宋体;font-size: 14px">cd jumpserver/install && pip install -r requirements.txt</span></p>
<p><span style="font-family: 宋体;font-size: 14px">python install.py</span></p>
<p><span style="font-family: 宋体;font-size: 14px">Enter the requested information at the prompts to complete the installation. Once it is finished, open the web interface and continue with the rest of this document.</span></p>
<p><span style="font-family: 宋体;font-size: 14px">If startup fails, go back to the parent directory and start the service manually with ./service.sh restart</span></p>
<p><span style="font-family: 宋体;font-size: 14px">*Default account and password: admin 5Lov@wife</span></p>
<p><span style="font-family: 宋体;font-size: 14px">Notes</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1. Backend servers need a Python environment for features such as pushing users and batch commands to work</span></p>
<p><span style="font-family: 宋体;font-size: 14px">2. 
If SELinux is enabled on a backend server, install libselinux-python</span></p>
<h2><span style="font-family: 宋体">III. </span><span style="font-family: 宋体">Glossary</span></h2>
<p style="margin-left: 28px"><span style="font-weight: bold;font-size: 14px">• </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">User</span><span style="font-family: 宋体;font-size: 14px"> A user is the subject of authorization and login. Each employee gets one account, which is used to log in to the jump server. Assets are authorized to that user, and the user's login records and command history can be reviewed.</span></p>
<p style="margin-left: 28px"><span style="font-weight: bold;font-size: 14px">• </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">User group</span><span style="font-family: 宋体;font-size: 14px"> Several users can be combined into a user group to make authorization easier. A department or a handful of users can form a group; when the group is used in an authorization, every user in it gets access to all of the authorized hosts.</span></p>
<p style="margin-left: 28px"><span style="font-weight: bold;font-size: 14px">• </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">Asset</span><span style="font-family: 宋体;font-size: 14px"> Assets are typically our servers, network devices and so on. Once an asset is authorized to a user, the user has permission to log in to it, run commands on it, etc.</span></p>
<p style="margin-left: 28px"><span style="font-weight: bold;font-size: 14px">• </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">Management account</span><span style="font-family: 宋体;font-size: 14px"> When adding an asset you must supply a management account: an existing account on that asset with administrative rights, such as root or a user with NOPASSWD: ALL sudo rights. The management account is used to push system users to the asset, add sudo for system users, and collect some of the asset's hardware information.</span></p>
<p style="margin-left: 
28px"><span style="font-weight: bold;font-size: 14px">• </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">Asset group</span><span style="font-family: 宋体;font-size: 14px"> Like a user group: a set of assets, grouped to make authorization easier.</span></p>
<p style="margin-left: 28px"><span style="font-weight: bold;font-size: 14px">• </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">Data center</span><span style="font-family: 宋体;font-size: 14px"> Also called IDC; no explanation needed.</span></p>
<p style="margin-left: 28px"><span style="font-weight: bold;font-size: 14px">• </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">Sudo</span><span style="font-family: 宋体;font-size: 14px"> Here, sudo actually means a sudo command alias as in Linux. One sudo alias contains several commands; associating a system user with a sudo alias means that system user is allowed to run those commands with sudo.</span></p>
<p style="margin-left: 28px"><span style="font-weight: bold;font-size: 14px">• </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">System user</span><span style="font-family: 宋体;font-size: 14px"> System users are real accounts created on the servers that can log in over ssh, such as dev, sa, dba. They can be pushed to servers with jumpserver or with your company's own tooling. Associating a user, an asset and a system user in an authorization means the user may log in to that asset as that system user. For example: user Xiaoming (小明) uses the </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">dev</span><span style="font-family: 宋体;font-size: 14px"> system user to log in to asset </span><span style="font-family: 
宋体;font-weight: bold;font-size: 14px">172.16.1.1</span><span style="font-family: 宋体;font-size: 14px">. Put simply, a particular system user on a particular asset is mapped to this user for login.</span></p>
<p style="margin-left: 28px"><span style="font-weight: bold;font-size: 14px">• </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">Pushing system users</span><span style="font-family: 宋体;font-size: 14px"> After a system user is added it must be pushed. The push uses ansible to deliver the system user and the sudo settings tied to it to the asset. Concretely, it runs useradd for the system user on the asset, sets up its key, and then sets up its sudo, so that users can log in as it.</span></p>
<p style="margin-left: 28px"><span style="font-weight: bold;font-size: 14px">• </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">Authorization rule</span><span style="font-family: 宋体;font-size: 14px"> An authorization rule ties together </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">assets</span><span style="font-family: 宋体;font-size: 14px">, </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">system users</span><span style="font-family: 宋体;font-size: 14px"> and </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">users</span><span style="font-family: 宋体;font-size: 14px"> to complete an authorization, so that a user can log in to an asset under a given system-user account. People often seem to find this confusing, which usually comes down to not being clear about the difference between system users and users. Think of a user as a virtual user, whereas a system user is an account that really exists on the server. System users can be pushed with jumpserver or created by hand, but the push step must always happen, even if only as a simulated push (pushing with neither key nor password selected, e.g. for network devices), because adding an authorization rule checks the push records. To keep things simple, for now think only in terms of </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">user, asset, system user</span><span style="font-family: 宋体;font-size: 14px"> and ignore groups: adding such a rule means authorizing the user to log in on this asset as this system user. System users are a set of general-purpose accounts that have <span 
style="font-family: Calibri">sudo</span> rights. Different users are authorized for different system users; for example, dba might have sudo rights for working with the database.</span></p>
<p style="margin-left: 28px"><span style="font-weight: bold;font-size: 14px">• </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">Log audit</span></p>
<p style="margin-left: 56px"><span style="font-family: Arial;font-weight: bold;font-size: 14px">◦ </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">Online</span><span style="font-family: 宋体;font-size: 14px"> View the users currently online (not web sessions); you can monitor the commands a user runs and forcibly end the user's session.</span></p>
<p style="margin-left: 56px"><span style="font-family: Arial;font-weight: bold;font-size: 14px">◦ </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">Real-time monitoring</span><span style="font-family: 宋体;font-size: 14px"> Monitor users' actions in real time.</span></p>
<p style="margin-left: 56px"><span style="font-family: Arial;font-weight: bold;font-size: 14px">◦ </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">Login history</span><span style="font-family: 宋体;font-size: 14px"> View users' past logins; you can see the commands run during a login and replay the recording of the session.</span></p>
<p style="margin-left: 56px"><span style="font-family: Arial;font-weight: bold;font-size: 14px">◦ </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">Command records</span><span style="font-family: 宋体;font-size: 14px"> View the history of batch commands users ran, including the hosts, the commands, and the results.</span></p>
<p style="margin-left: 56px"><span style="font-family: Arial;font-weight: bold;font-size: 14px">◦ </span><span style="font-family: 宋体;font-weight: bold;font-size: 14px">Upload/Download 
</span><span style="font-family: 宋体;font-size: 14px">View the records of files users uploaded and downloaded.</span></p>
<p style="margin-left: 28px"><span style="font-size: 14px">• </span><span style="font-family: 宋体;font-size: 14px">Default settings: here you can set the default management account information, including account, password and key. The defaults exist to make adding assets easier: if you choose to use the default management account when adding an asset, the information set here is used. The port is the asset's ssh port and is used by default when adding an asset.</span></p>
<h2><span style="font-family: 宋体">IV. </span><span style="font-family: 宋体">Quick Start</span></h2>
<p><span style="font-family: 宋体;font-size: 14px">1. Add a user</span></p>
<p><span style="font-family: 宋体;font-size: 14px">User Management – View Users – Add User: fill in the basic information to finish adding the user</span></p>
<p><span style="font-family: 宋体;font-size: 14px">After the user is added, note the user's account and password as prompted, log in from a different browser and download the key,</span></p>
<p><span style="font-family: 宋体;font-size: 14px">then test by logging in to jumpserver over ssh</span></p>
<p><span style="font-family: 宋体;font-size: 14px">2. Add an asset</span></p>
<p><span style="font-family: 宋体;font-size: 14px">Asset Management – View Assets – Add Asset: fill in the basic information to finish adding the asset</span></p>
<p><span style="font-family: 宋体;font-size: 14px">3. Add sudo</span></p>
<p><span style="font-family: 宋体;font-size: 14px">Authorization Management – Sudo – Add Alias: enter the alias name and its commands to finish adding the sudo alias</span></p>
<p><span style="font-family: 宋体;font-size: 14px">4. 
Add a system user</span></p>
<p><span style="font-family: 宋体;font-size: 14px">Authorization Management – System Users – Add: enter the basic information to finish adding the system user</span></p>
<p><span style="font-family: 宋体;font-size: 14px">5. Push the system user</span></p>
<p><span style="font-family: 宋体;font-size: 14px">Authorization Management – Push – select the assets or asset groups to push to and complete the push</span></p>
<p><span style="font-family: 宋体;font-size: 14px">Push is supported for servers only. "Use key" means the user authenticates with a key when jumping from the jump server; otherwise a password is used.</span></p>
<p><span style="font-family: 宋体;font-size: 14px">Authorization checks the push records: if the system user has never been pushed to an asset, it cannot be authorized on that asset.</span></p>
<p><span style="font-family: 宋体;font-size: 14px">If the asset is a network device, select neither password nor key and run a simulated push; the purpose is to create a push record.</span></p>
<p><span style="font-family: 宋体;font-size: 14px">6. Add an authorization rule</span></p>
<p><span style="font-family: 宋体;font-size: 14px">Authorization Management – Authorization Rules – Add Rule: select the user, asset and system user you just added to complete the authorization</span></p>
<p><span style="font-family: 宋体;font-size: 14px">7. 
Test login</span></p>
<p><span style="font-family: 宋体;font-size: 14px">The user downloads the key and logs in to the jump server; connect.py runs automatically, and the user follows the prompts to log in to a server</span></p>
<p><span style="font-family: 宋体;font-size: 14px">The user logs in to the web interface, views the authorized hosts, and clicks the link next to one to test whether the server can be logged in to</span></p>
<p><span style="font-family: 宋体;font-size: 14px">8. Monitor and terminate sessions</span></p>
<p><span style="font-family: 宋体;font-size: 14px">Log Audit – Online: view the currently logged-in users; click Monitor to watch the commands a user runs, and click Block to end the user's session</span></p>
<p><span style="font-family: 宋体;font-size: 14px">9. View history</span></p>
<p><span style="font-family: 宋体;font-size: 14px">Log Audit – Login History: view the login history; click Statistics to see the command history and Replay to watch the recording</span></p>
<p><span style="font-family: 宋体;font-size: 14px">10. Run commands</span></p>
<p><span style="font-family: 宋体;font-size: 14px">As in step 7, test command execution; Command Records shows the log of batch command runs</span></p>
<p><span style="font-family: 宋体;font-size: 14px">11. 
Upload and download</span></p>
<p><span style="font-family: 宋体;font-size: 14px">As in step 7, test file upload and download; Log Audit – Upload/Download shows the transfer records</span></p>
<h2><span style="font-family: 宋体">V. </span><span style="font-family: 宋体">Changelog</span></h2>
<p><span style="font-family: 宋体;font-size: 14px">1. Changelog</span></p>
<p><span style="font-family: 宋体;font-size: 14px">— Login script —</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.1 Accurate recording of executed commands</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.2 Added file upload and download</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.3 Hosts are now selected for login by entering an ID</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.4 Added host search</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.5 Commands are now executed through ansible</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.6 Script optimizations</span></p>
<p><span style="font-family: 宋体;font-size: 14px">— Web management —</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.7 Added web terminal</span></p>
<p><span style="font-family: 
宋体;font-size: 14px"> </span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.8 Added batch command execution from the web</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.9 Added session recording playback</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.10 Added hardware information collection for assets</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.11 Added Excel export and import for assets</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.12 Added bulk editing of assets</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.13 Dropped LDAP support in favor of authorizing system users on hosts (system users are generic accounts such as dev, dba)</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.14 Authorization is now centered on authorization rules</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.15 Added system user push</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.16 Changed sudo management</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.17 Added audit logging of executed commands</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.18 Added auditing of file upload commands</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.19 Added history command search in the web interface</span></p> 
<p><span style="font-family: 宋体;font-size: 14px">1.20 Removed permission requests</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.21 Removed department administrators</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.22 Removed asset aliases</span></p>
<p><span style="font-family: 宋体;font-size: 14px">1.23 Finer-grained authorization</span></p>
<h2><span style="font-family: 宋体">VI. </span><span style="font-family: 宋体">FAQs</span></h2>
<p><strong><span style="font-family: 宋体;font-size: 14px">Viewing logs</span></strong></p>
<p><span style="font-family: 宋体;font-size: 14px">tail -f logs/jumpserver.log</span></p>
<p><span style="font-family: 宋体;font-size: 14px">This file contains detailed logs, including accounts and passwords. Once everything is set up, change log in jumpserver.conf to warning or similar.</span></p>
<p><strong><span style="font-family: 宋体;font-size: 14px">System user push fails</span></strong></p>
<p><span style="font-family: 宋体;font-size: 14px">In the system user list, click the system user's name to open its details, then hover over the Failed button to see the reason for the failure. It is usually because the management account was added incorrectly (see the glossary entry for management account) or because sudo is not installed on the server (pushing a system user also pushes its sudo settings).</span></p>
<p><strong><span style="font-family: 宋体;font-size: 14px">Sending mail fails</span></strong></p>
<p><span style="font-family: 宋体;font-size: 14px">Errors such as <span style="font-family: 
Calibri">mail,smtp</span> are usually caused by sending mail; try the mail settings of a different provider.</span></p>
<p><strong><span style="font-family: 宋体;font-size: 14px">service fails to start</span></strong></p>
<p><span style="font-family: 宋体;font-size: 14px">Go to the jumpserver directory and run the following manually</span></p>
<p><span style="font-family: 宋体;font-size: 14px">python manage.py runserver 0.0.0.0:80</span></p>
<p><span style="font-family: 宋体;font-size: 14px">python run_websocket.py</span></p>
<p><span style="font-family: 宋体;font-size: 14px">If startup fails, ports 80 and 3000 may already be in use, or the database account or password may be wrong; please check.</span></p>
<p><strong><span style="font-family: 宋体;font-size: 14px">Monitoring, websocket, or web command execution fails</span></strong></p>
<p><span style="font-family: 宋体;font-size: 14px">These features send requests to the running websocket service. The websocket service may not have been started, or the websocket address in Jumpserver.conf may be wrong; make sure the configured address is reachable by users (port mapping, firewall, etc.). Stop the services with service.sh first, run them manually (see 3), and check the websocket console output.</span></p>
<p><strong><span style="font-family: 宋体;font-size: 14px">Crypto, HAVE_DECL_MPZ_POWM_SEC and similar errors</span></strong></p>
<p><span 
style="font-family: 宋体;font-size: 14px"> </span></p>
<p><span style="font-family: 宋体;font-size: 14px">A very common error, usually caused by the pycrypto version; uninstall it and install it again</span></p>
<p><span style="font-family: 宋体;font-size: 14px">pip uninstall pycrypto</span></p>
<p><span style="font-family: 宋体;font-size: 14px">rm -rf /usr/lib64/python2.6/site-packages/Crypto/</span></p>
<p><span style="font-family: 宋体;font-size: 14px">pip install pycrypto</span></p>
<p><span style="font-family: 宋体;font-size: 14px">Users, system users, and management accounts compared</span></p>
<p><span style="font-family: 宋体;font-size: 14px">To explain this simply, take an example: user Xiaoming (小明, a company employee) and system user dev (an account that exists on the backend servers). When the system user dev on some server is authorized to Xiaoming, Xiaoming logging in to that backend server is really logging in as the dev user on it, similar to [xiaoming@localhost ~]$ ssh dev@somehost. The management account exists to help push system users: creating a system user in jumpserver and pushing it is roughly equivalent to ssh management-account@somehost 'useradd system-user'. In practice, of course, we use ansible to do this.</span></p>
Last modified: December 10, 2021, 10:53 AM © Reposting permitted with attribution
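<p>The user / system user / push record / authorization rule relationship described above, as a small in-memory model. This is an added example, not Jumpserver's own code: the class and method names are hypothetical, and every name and address other than dev, dba and 172.16.1.1 is constructed for illustration.</p>

```python
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a rule names a system user that was never pushed to an asset."""


@dataclass
class Bastion:
    user_groups: dict = field(default_factory=dict)    # group name -> {user, ...}
    asset_groups: dict = field(default_factory=dict)   # group name -> {asset, ...}
    push_records: dict = field(default_factory=dict)   # (system_user, asset) -> method
    rules: list = field(default_factory=list)

    @staticmethod
    def _expand(names, groups):
        """Replace group names by their members; plain names pass through."""
        members = set()
        for name in names:
            members |= set(groups.get(name, {name}))
        return members

    def push(self, system_user, assets, method="key"):
        """Record a push. 'simulated' models the push with neither key nor
        password selected (network devices): nothing is created on the asset,
        but the record that rule creation checks for exists afterwards."""
        if method not in ("key", "password", "simulated"):
            raise ValueError(f"unknown push method: {method}")
        for asset in self._expand(assets, self.asset_groups):
            self.push_records[(system_user, asset)] = method

    def add_rule(self, name, users, assets, system_users):
        """Tie users, assets and system users together, refusing the rule if
        any (system user, asset) pair has no push record."""
        users = self._expand(users, self.user_groups)
        assets = self._expand(assets, self.asset_groups)
        missing = sorted((su, a) for su in system_users for a in assets
                         if (su, a) not in self.push_records)
        if missing:
            raise AuthorizationError(f"rule {name!r}: no push record for {missing}")
        self.rules.append((name, users, assets, set(system_users)))

    def logins_for(self, user, asset):
        """Accounts `user` may use on `asset`, written as ssh targets."""
        accounts = set()
        for _name, users, assets, system_users in self.rules:
            if user in users and asset in assets:
                accounts |= system_users
        return sorted(f"{su}@{asset}" for su in accounts)


def demo():
    b = Bastion(user_groups={"dba-team": {"xiaohong"}},
                asset_groups={"db-servers": {"172.16.1.2", "172.16.1.3"}})
    out = {}
    try:  # authorizing before any push is rejected
        b.add_rule("dev-on-web", ["xiaoming"], ["172.16.1.1"], ["dev"])
    except AuthorizationError as exc:
        out["before_push"] = str(exc)
    b.push("dev", ["172.16.1.1"])                      # key-based push to a server
    b.add_rule("dev-on-web", ["xiaoming"], ["172.16.1.1"], ["dev"])
    b.push("dba", ["db-servers"], method="password")   # push to an asset group
    b.add_rule("dba-on-db", ["dba-team"], ["db-servers"], ["dba"])
    b.push("netops", ["10.0.0.254"], method="simulated")  # network device
    b.add_rule("switch", ["xiaoming"], ["10.0.0.254"], ["netops"])
    out["xiaoming_web"] = b.logins_for("xiaoming", "172.16.1.1")
    out["xiaohong_db"] = b.logins_for("xiaohong", "172.16.1.3")
    out["xiaoming_db"] = b.logins_for("xiaoming", "172.16.1.2")
    out["xiaoming_switch"] = b.logins_for("xiaoming", "10.0.0.254")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```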
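<p>A check for the "Viewing logs" FAQ above, which says the detailed log includes accounts and passwords and that log in jumpserver.conf should be changed to warning once setup is done. This is an added example, not part of Jumpserver; it assumes jumpserver.conf is an INI-style file and that level names follow Python's logging levels, and the sample configuration (section and key names other than log) is constructed.</p>

```python
import configparser
import os
import stat
import sys
import tempfile

# Assumption: levels at or above "warning" are the ones the FAQ asks for.
QUIET_LEVELS = {"warning", "warn", "error", "critical"}

# Constructed sample, not a real jumpserver.conf.
SAMPLE_CONF = """\
[base]
log = debug

[mail]
email_host_password = p%ss-example
"""


def audit_logging(conf_path, log_path):
    """Return a list of findings about log verbosity and log file exposure."""
    findings = []
    # interpolation=None: secrets in the file may contain '%' characters.
    parser = configparser.ConfigParser(interpolation=None)
    with open(conf_path, encoding="utf-8") as handle:
        parser.read_file(handle)

    levels = [(section, parser.get(section, "log").strip().lower())
              for section in parser.sections()
              if parser.has_option(section, "log")]
    if not levels:
        findings.append("no 'log' setting found; the effective level is unknown")
    for section, level in levels:
        if level not in QUIET_LEVELS:
            findings.append(f"[{section}] log = {level}: detailed logging is on, "
                            "so accounts and passwords are written to the log")

    # The log may already hold credentials from the setup phase, so who can
    # read the file matters even after the level has been lowered.
    if os.path.exists(log_path):
        mode = stat.S_IMODE(os.stat(log_path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{log_path} has mode {mode:o}: readable beyond its owner")
    return findings


def demo():
    """Audit the constructed sample in a temporary directory."""
    workdir = tempfile.mkdtemp()
    conf = os.path.join(workdir, "jumpserver.conf")
    log = os.path.join(workdir, "jumpserver.log")
    with open(conf, "w", encoding="utf-8") as handle:
        handle.write(SAMPLE_CONF)
    with open(log, "w", encoding="utf-8") as handle:
        handle.write("constructed log line\n")
    os.chmod(log, 0o644)
    return audit_logging(conf, log)


if __name__ == "__main__":
    results = audit_logging(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo()
    for line in results:
        print("FINDING:", line)
    sys.exit(1 if results else 0)
```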