在/etc/profile文件下添加如下shell即可(注意文件的权限问题!!)
- if ! test -z "$BASH_EXECUTION_STRING" ; then
- echo "===== $(date "+%F %T") $USER nologin cmd: $BASH_EXECUTION_STRING" >>/var/log/command.log
- elif shopt -q login_shell ; then
- printf "====== $(date "+%F %T") new login the last cmd: ">>/var/log/command.log
- else
- printf "====== $(date "+%F %T") su the last cmd: ">>/var/log/command.log
- fi
- export HISTTIMEFORMAT="%F %T $USER ${SSH_TTY:5} ${SSH_CLIENT%% *} "
- export PROMPT_COMMAND="history 1|tail -1|sed 's/^[ ]\+[0-9]\+ //'>> /var/log/command.log"
所有命令会被记录在/var/log/command.log可以查看。
一:配置调试
1.创建用户审计文件存放目录和审计日志文件 ;
mkdir -p /var/log/usermonitor/
2.创建用户审计日志文件;
echo usermonitor >/var/log/usermonitor/usermonitor.log
3.将日志文件所有者赋予一个最低权限的用户;
chown nobody:nobody /var/log/usermonitor/usermonitor.log
4.给该日志文件赋予所有人的写权限;
chmod 002 /var/log/usermonitor/usermonitor.log
5.设置文件权限,使所有用户对该文件只有追加权限 ;
chattr +a /var/log/usermonitor/usermonitor.log
6.编辑/etc/profile文件,添加如下任意脚本命令;
代码1:
export HISTORY_FILE=/var/log/usermonitor/usermonitor.log
export PROMPT_COMMAND='{ date "+%y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(id|awk "{print \$1}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'
代码2:
HISTTIMEFORMAT="%Y%m%d-%H%M%S: "
export HISTTIMEFORMAT
export HISTORY_FILE=/var/log/usermonitor/usermonitor.log
export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local1.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; } >>$HISTORY_FILE'
代码3:
export HISTORY_FILE=/var/log/usermonitor/usermonitor.log
PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### USER:$USER IP:$SSH_CLIENT PS:$SSH_TTY ppid=$PPID pwd=$PWD #### $(history 1 | { read x cmd; echo "$cmd"; })";} >>$HISTORY_FILE'
7.使配置生效
source /etc/profile