Linux: auditing user commands

kb_linux_audit_user_command.txt

http://rickie622.blog.163.com/blog/static/212388112014226101625488/

The first method is recommended; it is shown below.

jun:/var/log # cat /etc/profile.local
 

HISTSIZE=1000
HISTTIMEFORMAT="%D %T "


#function log2syslog
#{
#        declare command
#            command=$(fc -ln -0)
#                logger -p local1.notice -t bash -i -- $SSH_CLIENT :$USER : $command
#}
#trap log2syslog DEBUG

export HISTORY_FILE=/tmp/history.log
export PROMPT_COMMAND='{ thisHistID=`history 1|awk "{print\\$1}"`;lastCommand=`history 1| awk "{\\$1=\"\" ;print}"`;user=`id $(whoami)`;whoStr=(`who -u am i`);realUser=${whoStr[0]};logMonth=${whoStr[2]};logDay=${whoStr[3]};logTime=${whoStr[4]};pid=${whoStr[6]};ip=${whoStr[7]};if [ ${thisHistID}x != ${lastHistID}x ];then echo -E `date "+%Y/%m/%d %H:%M:%S"` $user\($realUser\)@$ip[PID:$pid][LOGIN:$logMonth $logDay $logTime] --- $lastCommand ;lastHistID=$thisHistID;fi; } >> $HISTORY_FILE'

It records the time, the username and the SSH client IP (highlighted in red in the original post; this host's own IP is 147.2.147.181), and it does so in real time.

2014/07/09 15:41:58 (root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:41 .] --- 07/09/14 15:41:54 exit
2014/07/09 15:44:40 (root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:41 .] --- 07/09/14 15:42:08 vi /etc/profile.local
2014/07/09 15:44:45 (root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:41 .] --- 07/09/14 15:44:45 id $(whoami)
2014/07/09 15:44:59 uid=0(root) gid=0(root) groups=0(root)(root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:44 .] --- 07/09/14 15:44:55 exit
2014/07/09 15:45:02 uid=0(root) gid=0(root) groups=0(root)(root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:44 .] --- 07/09/14 15:45:02 ls
2014/07/09 15:45:05 uid=0(root) gid=0(root) groups=0(root)(root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:44 .] --- 07/09/14 15:45:04 cd /var/log/
2014/07/09 15:45:05 uid=0(root) gid=0(root) groups=0(root)(root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:44 .] --- 07/09/14 15:45:05 ls
2014/07/09 15:45:21 uid=0(root) gid=0(root) groups=0(root)(root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:44 .] --- 07/09/14 15:45:09 tailf /var/log/messages
2014/07/09 15:45:39 uid=0(root) gid=0(root) groups=0(root)(root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:44 .] --- 07/09/14 15:45:26 vi /tmp/history.log
2014/07/09 15:46:29 uid=1000(hujun) gid=100(users) groups=100(users),7(lp),475(vboxusers)(hujun)@[PID:(147.2.147.78)][LOGIN:2014-07-09 15:46 .] --- 07/09/14 15:46:06 exit
2014/07/09 15:46:36 uid=1000(hujun) gid=100(users) groups=100(users),7(lp),475(vboxusers)(hujun)@[PID:(147.2.147.78)][LOGIN:2014-07-09 15:46 .] --- 07/09/14 15:46:36 cd /usr/local/
2014/07/09 15:46:36 uid=1000(hujun) gid=100(users) groups=100(users),7(lp),475(vboxusers)(hujun)@[PID:(147.2.147.78)][LOGIN:2014-07-09 15:46 .] --- 07/09/14 15:46:36 ls
2014/07/09 15:47:06 uid=0(root) gid=0(root) groups=0(root)(root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:44 .] --- 07/09/14 15:47:06 cat /etc/profile.local
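The following is an added example, not code from the original post or the blog's author. It reworks the PROMPT_COMMAND approach above into small functions so the formatting can be run and checked offline: `parse_who` takes a `who -u am i` line, `format_audit_line` builds the log line from values passed in, and `audit_hook` is the piece that is installed as PROMPT_COMMAND. It assumes bash with HISTTIMEFORMAT set as in the profile above; the function names, the AUDIT_LOG path and the sample `who` lines are constructed for this example.

```shell
#!/bin/sh
# Added example: a testable PROMPT_COMMAND audit hook (not the original post's code).
# AUDIT_LOG is a hypothetical path; the hook itself requires bash (history builtin).
AUDIT_LOG=${AUDIT_LOG:-/tmp/history.log}

# parse_who "<who -u am i line>"
# Two layouts occur in practice:
#   root pts/1 Jul  9 15:41 . 12345 (147.2.147.40)       (older "Mon d" date)
#   root pts/1 2014-07-09 15:41 . 12345 (147.2.147.40)   (ISO date, one field fewer)
# Fixed positional indexes shift by one field between them, so anchor on the
# HH:MM login-time token instead. Output: user|tty|login|pid|ip
parse_who() {
    set -f; set -- $1; set +f          # split on whitespace, no globbing
    _wuser=$1; _wtty=$2
    [ $# -gt 1 ] && shift 2
    _wdate=""
    while [ $# -gt 0 ]; do             # date tokens up to the HH:MM login time
        case $1 in
            [0-9][0-9]:[0-9][0-9]) break ;;
            *) _wdate="${_wdate:+$_wdate }$1"; shift ;;
        esac
    done
    _wtime=$1; [ $# -gt 0 ] && shift   # HH:MM
    [ $# -gt 0 ] && shift              # idle column: ".", "old" or HH:MM
    _wpid=$1;  [ $# -gt 0 ] && shift
    _wip=$1
    _wip=${_wip#\(}; _wip=${_wip%\)}   # "(host)" -> host; empty for console logins
    printf '%s|%s|%s %s|%s|%s\n' "$_wuser" "$_wtty" "$_wdate" "$_wtime" "$_wpid" "$_wip"
}

# format_audit_line TIMESTAMP ID_OUTPUT WHO_LINE HISTORY_LINE
# HISTORY_LINE is one line of `history 1` under HISTTIMEFORMAT="%D %T ".
format_audit_line() {
    _f=$(parse_who "$3")
    _wuser=${_f%%|*};  _f=${_f#*|}
    _wtty=${_f%%|*};   _f=${_f#*|}
    _wlogin=${_f%%|*}; _f=${_f#*|}
    _wpid=${_f%%|*};   _wip=${_f#*|}
    # drop the leading history number, keep the timestamp and the command text
    _cmd=$(printf '%s\n' "$4" | sed 's/^[[:space:]]*[0-9][0-9]*[[:space:]]*//')
    printf '%s %s(%s)@%s[PID:%s][LOGIN:%s] --- %s\n' \
        "$1" "$2" "$_wuser" "$_wip" "$_wpid" "$_wlogin" "$_cmd"
}

# Runs before each prompt. The history-id guard keeps a bare Enter (which adds
# no history entry) from logging the previous command a second time.
audit_hook() {
    _hist=$(history 1)
    _hid=$(printf '%s\n' "$_hist" | awk '{print $1}')
    if [ "${_hid}x" != "${AUDIT_LAST_HID}x" ]; then
        format_audit_line "$(date '+%Y/%m/%d %H:%M:%S')" "$(id)" \
            "$(who -u am i)" "$_hist" >> "$AUDIT_LOG"
        AUDIT_LAST_HID=$_hid
    fi
}
# Install in /etc/profile.local (after HISTTIMEFORMAT) with:
#   PROMPT_COMMAND=audit_hook
```

Two things the sample log above shows are worth reading against this version. First, the original one-liner indexes `who -u am i` by fixed position, so on a system that prints the ISO date (as here) the PID slot receives the "(ip)" token and the ip slot is empty, which is why the lines read `@[PID:(147.2.147.40)]`; anchoring on the login-time token avoids that shift. Second, `/tmp/history.log` is written by each user's own shell, so any user can open it in an editor (the log itself records a `vi /tmp/history.log`); for a record that users cannot rewrite, the commented-out `logger -p local1.notice` path in the same profile, which hands the line to syslog, is the stronger choice.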