这个系统审计,就是在系统级别,记录什么用户,在什么时间,做了什么操作。 然后将查到的信息记录到一个文件里。
一. 审计配置
1. 在/etc/profile 文件的最后,添加如下2行代码:
export HISTORY_FILE=/var/log/audit.log
export PROMPT_COMMAND='{ z=$(history 1 | { read x y; echo -e "$x --- $y"; });a=`who am i | awk "{print \\$1\" \"\\$2\" \"\\$6}"`;c=`echo $z | awk "{print $1}"`;if [[ `grep "$a \-\-\- $c" $HISTORY_FILE` = "" ]];then echo -e $(date "+%Y-%m-%d_%H:%M:%S") --- $a --- $z;fi;} >> $HISTORY_FILE'
说明:
/etc/profile: 此文件为系统的每个用户设置环境信息,当用户第一次登录时,该文件被执行.并从/etc/profile.d目录的配置文件中搜集shell的设置.
具体参考:
.bash_profile 和 .bashrc 区别
这个代码其实就是把一些显示的信息导入到audit.log 文件。
>> : 追加到文件的最后
> : 覆盖原文件
[root@ db2 ~]# date "+%Y-%m-%d_%H:%M:%S"
2011-03-04_14:16:12
[root@ db2 ~]# who am i
root pts/1 Mar 4 13:14 (192.168.3.115)
[root@ db2 ~]# who am i | awk "{print \$1\" \"\$2\" \"\$6}"
root pts/1 (192.168.3.115)
2. 创建保存审计信息的文件并赋权
[root@ db2 ~]# touch /var/log/audit.log
[root@ db2 ~]# chmod 777 /var/log/audit.log
audit.log 是所有用户都可以往里面写信息,所以所有用户都可以修改这个文件。 关于777 赋权这块如果有不清楚的,参考我的Blog:
Linux chmod 命令 详解
二. 验证
[root@db2 ~]# cat /var/log/audit.log
2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit
[root@db2 ~]# cat /var/log/audit.log
2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit
2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log
[root@db2 ~]# su - oracle
[oracle@db2 ~]$ cat /var/log/audit.log
2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit
2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log
2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log
2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit
[oracle@db2 ~]$ cat /var/log/audit.log
2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit
2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log
2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log
2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit
2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log
[oracle@db2 ~]$ cd $ORACLE_HOME
[oracle@db2 db_1]$ cat /var/log/audit.log
2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit
2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log
2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log
2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit
2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log
2011-03-04_13:59:46 --- root pts/2 (192.168.3.115) --- 202 --- cat /var/log/audit.log
2011-03-04_13:59:55 --- root pts/2 (192.168.3.115) --- 203 --- cd $ORACLE_HOME
[oracle@db2 db_1]$ cat /var/log/audit.log
2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit
2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log
2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log
2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit
2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log
2011-03-04_13:59:46 --- root pts/2 (192.168.3.115) --- 202 --- cat /var/log/audit.log
2011-03-04_13:59:55 --- root pts/2 (192.168.3.115) --- 203 --- cd $ORACLE_HOME
2011-03-04_13:59:57 --- root pts/2 (192.168.3.115) --- 204 --- cat /var/log/audit.log
2011-03-04_14:00:46 --- root pts/4 (192.168.3.115) --- 430 --- exit
2011-03-04_14:01:09 --- oracle pts/4 (192.168.3.115) --- 200 --- exit
说明:
这里记录的用户信息,是用户第一次连接的的用户,如:我用用户A连接到服务器,那么记录的是A用户的操作。 假设这个时候我用su 切换到用户B,这时记录的还是用户A。