Linux syslog进程退出日志审计
一、syslog正常关闭
二、syslog正常启动
三、syslog正常重启
四、kill掉sylsog进程(没有产生任何日志)
五、nessus扫描产生的日志
Jan 9 15:17:36 localhost sshd[4838]: Did not receive identification string from UNKNOWN
Jan 9 15:18:21 localhost sshd[4845]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:20:56 localhost sshd[4860]: Did not receive identification string from UNKNOWN
Jan 9 15:21:45 localhost sshd[4882]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:46 localhost sshd[4886]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:46 localhost sshd[4883]: Invalid user emailswitch from 192.168.31.27
Jan 9 15:21:46 localhost sshd[4891]: Protocol major versions differ for UNKNOWN: SSH-2.0-OpenSSH_4.3 vs. SSH-9.9-OpenSSH_5.0
Jan 9 15:21:46 localhost sshd[4887]: Invalid user anonymous from 192.168.31.27
Jan 9 15:21:46 localhost sshd[4885]: input_userauth_request: invalid user emailswitch
Jan 9 15:21:46 localhost sshd[4883]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:21:46 localhost sshd[4883]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:21:46 localhost sshd[4883]: pam_succeed_if(sshd:auth): error retrieving information about user emailswitch
Jan 9 15:21:46 localhost sshd[4888]: input_userauth_request: invalid user anonymous
Jan 9 15:21:46 localhost sshd[4887]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:21:46 localhost sshd[4887]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:21:46 localhost sshd[4887]: pam_succeed_if(sshd:auth): error retrieving information about user anonymous
Jan 9 15:21:46 localhost sshd[4889]: Invalid user _9hwH87a from 192.168.31.27
Jan 9 15:21:46 localhost sshd[4890]: input_userauth_request: invalid user _9hwH87a
Jan 9 15:21:46 localhost sshd[4889]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:21:46 localhost sshd[4889]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:21:46 localhost sshd[4889]: pam_succeed_if(sshd:auth): error retrieving information about user _9hwH87a
Jan 9 15:21:47 localhost sshd[4892]: Protocol major versions differ for UNKNOWN: SSH-2.0-OpenSSH_4.3 vs. SSH-1.33-OpenSSH_5.0
Jan 9 15:21:48 localhost sshd[4893]: Protocol major versions differ for UNKNOWN: SSH-2.0-OpenSSH_4.3 vs. SSH-1.5-OpenSSH_5.0
Jan 9 15:21:48 localhost sshd[4895]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:49 localhost sshd[4883]: Failed password for invalid user emailswitch from 192.168.31.27 port 62201 ssh2
Jan 9 15:21:49 localhost sshd[4885]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:49 localhost sshd[4887]: Failed password for invalid user anonymous from 192.168.31.27 port 62203 ssh2
Jan 9 15:21:49 localhost sshd[4888]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:49 localhost sshd[4889]: Failed password for invalid user _9hwH87a from 192.168.31.27 port 62204 ssh2
Jan 9 15:21:49 localhost sshd[4890]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:49 localhost sshd[4896]: Invalid user product from 192.168.31.27
Jan 9 15:21:49 localhost sshd[4898]: Invalid user guest from 192.168.31.27
Jan 9 15:21:49 localhost sshd[4899]: input_userauth_request: invalid user guest
Jan 9 15:21:49 localhost sshd[4898]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:21:49 localhost sshd[4898]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:21:49 localhost sshd[4898]: pam_succeed_if(sshd:auth): error retrieving information about user guest
Jan 9 15:21:49 localhost sshd[4900]: Invalid user VWWjRsTx from 192.168.31.27
Jan 9 15:21:49 localhost sshd[4902]: Invalid user n3ssus from 192.168.31.27
Jan 9 15:21:49 localhost sshd[4903]: input_userauth_request: invalid user n3ssus
Jan 9 15:21:49 localhost sshd[4902]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:21:49 localhost sshd[4902]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:21:49 localhost sshd[4902]: pam_succeed_if(sshd:auth): error retrieving information about user n3ssus
Jan 9 15:21:49 localhost sshd[4905]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:50 localhost sshd[4907]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:51 localhost sshd[4898]: Failed password for invalid user guest from 192.168.31.27 port 62236 ssh2
Jan 9 15:21:51 localhost sshd[4899]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:51 localhost sshd[4902]: Failed password for invalid user n3ssus from 192.168.31.27 port 62238 ssh2
Jan 9 15:21:51 localhost sshd[4903]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:51 localhost sshd[4909]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:51 localhost sshd[4911]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:51 localhost sshd[4913]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:52 localhost sshd[4914]: Invalid user admin from 192.168.31.27
Jan 9 15:21:52 localhost sshd[4915]: input_userauth_request: invalid user admin
Jan 9 15:21:52 localhost sshd[4914]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:21:52 localhost sshd[4914]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:21:52 localhost sshd[4914]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Jan 9 15:21:54 localhost sshd[4897]: input_userauth_request: invalid user product
Jan 9 15:21:54 localhost sshd[4896]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:21:54 localhost sshd[4896]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:21:54 localhost sshd[4896]: pam_succeed_if(sshd:auth): error retrieving information about user product
Jan 9 15:21:54 localhost sshd[4901]: input_userauth_request: invalid user VWWjRsTx
Jan 9 15:21:54 localhost sshd[4901]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:54 localhost sshd[4914]: Failed password for invalid user admin from 192.168.31.27 port 62275 ssh2
Jan 9 15:21:54 localhost sshd[4915]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:55 localhost sshd[4916]: Invalid user admin from 192.168.31.27
Jan 9 15:21:55 localhost sshd[4917]: input_userauth_request: invalid user admin
Jan 9 15:21:55 localhost sshd[4916]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:21:55 localhost sshd[4916]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:21:55 localhost sshd[4916]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Jan 9 15:21:55 localhost sshd[4920]: Invalid user guest from 192.168.31.27
Jan 9 15:21:55 localhost sshd[4923]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:55 localhost sshd[4918]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27 user=root
Jan 9 15:21:56 localhost sshd[4896]: Failed password for invalid user product from 192.168.31.27 port 62234 ssh2
Jan 9 15:21:56 localhost sshd[4897]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:56 localhost sshd[4926]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27 user=root
Jan 9 15:21:57 localhost sshd[4926]: Failed password for root from 192.168.31.27 port 62305 ssh2
Jan 9 15:21:57 localhost sshd[4927]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:57 localhost sshd[4916]: Failed password for invalid user admin from 192.168.31.27 port 62296 ssh2
Jan 9 15:21:57 localhost sshd[4917]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:57 localhost sshd[4929]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27 user=root
Jan 9 15:21:57 localhost sshd[4931]: Invalid user admin from 192.168.31.27
Jan 9 15:21:57 localhost sshd[4918]: Failed password for root from 192.168.31.27 port 62297 ssh2
Jan 9 15:21:57 localhost sshd[4919]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:57 localhost sshd[4932]: input_userauth_request: invalid user admin
Jan 9 15:21:58 localhost sshd[4931]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:21:58 localhost sshd[4931]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:21:58 localhost sshd[4931]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Jan 9 15:21:59 localhost sshd[4929]: Failed password for root from 192.168.31.27 port 62319 ssh2
Jan 9 15:21:59 localhost sshd[4930]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:21:59 localhost sshd[4934]: Invalid user admin1 from 192.168.31.27
Jan 9 15:21:59 localhost sshd[4935]: input_userauth_request: invalid user admin1
Jan 9 15:21:59 localhost sshd[4934]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:21:59 localhost sshd[4934]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:21:59 localhost sshd[4934]: pam_succeed_if(sshd:auth): error retrieving information about user admin1
Jan 9 15:22:00 localhost sshd[4931]: Failed password for invalid user admin from 192.168.31.27 port 62320 ssh2
Jan 9 15:22:00 localhost sshd[4932]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:00 localhost sshd[4936]: Invalid user Jh_Z_Oa0 from 192.168.31.27
Jan 9 15:22:00 localhost sshd[4937]: input_userauth_request: invalid user Jh_Z_Oa0
Jan 9 15:22:00 localhost sshd[4936]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:22:00 localhost sshd[4936]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:22:00 localhost sshd[4936]: pam_succeed_if(sshd:auth): error retrieving information about user Jh_Z_Oa0
Jan 9 15:22:00 localhost sshd[4938]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27 user=root
Jan 9 15:22:00 localhost sshd[4922]: input_userauth_request: invalid user guest
Jan 9 15:22:00 localhost sshd[4922]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:01 localhost sshd[4934]: Failed password for invalid user admin1 from 192.168.31.27 port 62334 ssh2
Jan 9 15:22:01 localhost sshd[4935]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:01 localhost sshd[4940]: Invalid user shelladmin from 192.168.31.27
Jan 9 15:22:01 localhost sshd[4941]: input_userauth_request: invalid user shelladmin
Jan 9 15:22:01 localhost sshd[4940]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:22:01 localhost sshd[4940]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:22:01 localhost sshd[4940]: pam_succeed_if(sshd:auth): error retrieving information about user shelladmin
Jan 9 15:22:02 localhost sshd[4936]: Failed password for invalid user Jh_Z_Oa0 from 192.168.31.27 port 62336 ssh2
Jan 9 15:22:02 localhost sshd[4937]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:02 localhost sshd[4938]: Failed password for root from 192.168.31.27 port 62349 ssh2
Jan 9 15:22:02 localhost sshd[4939]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:02 localhost sshd[4942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27 user=root
Jan 9 15:22:03 localhost sshd[4940]: Failed password for invalid user shelladmin from 192.168.31.27 port 62356 ssh2
Jan 9 15:22:03 localhost sshd[4941]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:04 localhost sshd[4942]: Failed password for root from 192.168.31.27 port 62359 ssh2
Jan 9 15:22:04 localhost sshd[4943]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:05 localhost sshd[4951]: Invalid user manage from 192.168.31.27
Jan 9 15:22:05 localhost sshd[4953]: input_userauth_request: invalid user manage
Jan 9 15:22:05 localhost sshd[4951]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:22:05 localhost sshd[4951]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:22:05 localhost sshd[4951]: pam_succeed_if(sshd:auth): error retrieving information about user manage
Jan 9 15:22:06 localhost sshd[4924]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27 user=root
Jan 9 15:22:07 localhost sshd[4951]: Failed password for invalid user manage from 192.168.31.27 port 62440 ssh2
Jan 9 15:22:07 localhost sshd[4953]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:07 localhost sshd[4960]: Invalid user monitor from 192.168.31.27
Jan 9 15:22:07 localhost sshd[4961]: input_userauth_request: invalid user monitor
Jan 9 15:22:07 localhost sshd[4960]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:22:07 localhost sshd[4960]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:22:07 localhost sshd[4960]: pam_succeed_if(sshd:auth): error retrieving information about user monitor
Jan 9 15:22:07 localhost sshd[4924]: Failed password for root from 192.168.31.27 port 62304 ssh2
Jan 9 15:22:07 localhost sshd[4925]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:09 localhost sshd[4960]: Failed password for invalid user monitor from 192.168.31.27 port 62543 ssh2
Jan 9 15:22:09 localhost sshd[4961]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:09 localhost sshd[4974]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27 user=ftp
Jan 9 15:22:11 localhost sshd[4985]: Invalid user admin from 192.168.31.27
Jan 9 15:22:11 localhost sshd[4986]: input_userauth_request: invalid user admin
Jan 9 15:22:11 localhost sshd[4985]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:22:11 localhost sshd[4985]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:22:11 localhost sshd[4985]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Jan 9 15:22:11 localhost sshd[4974]: Failed password for ftp from 192.168.31.27 port 62697 ssh2
Jan 9 15:22:11 localhost sshd[4975]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:13 localhost sshd[4985]: Failed password for invalid user admin from 192.168.31.27 port 62820 ssh2
Jan 9 15:22:13 localhost sshd[4986]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:13 localhost sshd[5009]: Did not receive identification string from UNKNOWN
Jan 9 15:22:14 localhost sshd[5015]: Invalid user cisco from 192.168.31.27
Jan 9 15:22:14 localhost sshd[5016]: input_userauth_request: invalid user cisco
Jan 9 15:22:15 localhost sshd[5015]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:22:15 localhost sshd[5015]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:22:15 localhost sshd[5015]: pam_succeed_if(sshd:auth): error retrieving information about user cisco
Jan 9 15:22:15 localhost sshd[5017]: Invalid user __user from 192.168.31.27
Jan 9 15:22:16 localhost sshd[5015]: Failed password for invalid user cisco from 192.168.31.27 port 63129 ssh2
Jan 9 15:22:16 localhost sshd[5016]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:17 localhost sshd[5023]: Invalid user Cisco from 192.168.31.27
Jan 9 15:22:17 localhost sshd[5024]: input_userauth_request: invalid user Cisco
Jan 9 15:22:17 localhost sshd[5023]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:22:17 localhost sshd[5023]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:22:17 localhost sshd[5023]: pam_succeed_if(sshd:auth): error retrieving information about user Cisco
Jan 9 15:22:19 localhost sshd[5023]: Failed password for invalid user Cisco from 192.168.31.27 port 63226 ssh2
Jan 9 15:22:19 localhost sshd[5024]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:19 localhost sshd[5030]: Invalid user from 192.168.31.27
Jan 9 15:22:19 localhost sshd[5031]: input_userauth_request: invalid user
Jan 9 15:22:19 localhost sshd[5031]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:20 localhost sshd[5040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27 user=root
Jan 9 15:22:22 localhost sshd[5040]: Failed password for root from 192.168.31.27 port 63387 ssh2
Jan 9 15:22:22 localhost sshd[5041]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:22 localhost sshd[5053]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27 user=root
Jan 9 15:22:24 localhost sshd[5053]: Failed password for root from 192.168.31.27 port 63413 ssh2
Jan 9 15:22:24 localhost sshd[5054]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:25 localhost sshd[5018]: input_userauth_request: invalid user __user
Jan 9 15:22:25 localhost sshd[5017]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:22:25 localhost sshd[5017]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:22:25 localhost sshd[5017]: pam_succeed_if(sshd:auth): error retrieving information about user __user
Jan 9 15:22:27 localhost sshd[5017]: Failed password for invalid user __user from 192.168.31.27 port 63140 ssh2
Jan 9 15:22:27 localhost sshd[5018]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:22:27 localhost sshd[5108]: Invalid user __super from 192.168.31.27
Jan 9 15:22:27 localhost sshd[5109]: input_userauth_request: invalid user __super
Jan 9 15:22:27 localhost sshd[5108]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 15:22:27 localhost sshd[5108]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27
Jan 9 15:22:27 localhost sshd[5108]: pam_succeed_if(sshd:auth): error retrieving information about user __super
Jan 9 15:22:29 localhost sshd[5108]: Failed password for invalid user __super from 192.168.31.27 port 63566 ssh2
Jan 9 15:22:29 localhost sshd[5109]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:23:12 localhost sshd[5670]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:23:12 localhost sshd[5675]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:23:12 localhost sshd[5678]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:23:13 localhost sshd[5680]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:23:18 localhost sshd[5682]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:23:18 localhost sshd[5694]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:23:18 localhost sshd[5697]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:23:18 localhost sshd[5699]: fatal: Read from socket failed: Connection reset by peer
Jan 9 15:23:18 localhost sshd[5700]: Invalid user vagrant from 192.168.31.27
Jan 9 15:23:19 localhost sshd[5701]: input_userauth_request: invalid user vagrant
Jan 9 15:23:19 localhost sshd[5701]: fatal: Read from socket failed: Connection reset by peer
六、进行history命令记录清理
1、修改 /etc/profile 将 HISTSIZE=1000改成0或1
清除用户home路径下 bash_history
2、立即清空history当前历史命令的记录
history –c
3、bash执行命令时不是马上把命令名称写入history文件的,二是放在内部的buffer中,等bash退出时会一并写入。不过调用history –w命令要求bash立即更新history文件。
history –w
七、介绍一款清理入侵痕迹工具——logtamper
注意使用logtamper,只能清除日志痕迹,而且主要针对utmp,wtmp,lastlog。而事实上,linux系统重要的会留下你的痕迹的日志有:lastlog、utmp、wtmp、message、syslog、sulog以及各种shell记录用户使用命令历史(history)
logtamper是一款*修改*linux日志的工具,在修改日志文件的同时,能够保留被修改文件的时间信息。