linux数据稽核脚本,Linux 系统 审计 脚本

这个系统审计,就是在系统级别,记录什么用户,在什么时间,做了什么操作。 然后将查到的信息记录到一个文件里。

一. 审计配置

1. 在/etc/profile 文件的最后,添加如下2行代码:

export HISTORY_FILE=/var/log/audit.log

export PROMPT_COMMAND='{ z=$(history 1 | { read x y; echo -e "$x --- $y"; });a=`who am i | awk "{print \\$1\" \"\\$2\" \"\\$6}"`;c=`echo $z | awk "{print $1}"`;if [[ `grep "$a \-\-\- $c" $HISTORY_FILE` = "" ]];then echo -e $(date "+%Y-%m-%d_%H:%M:%S") --- $a --- $z;fi;} >> $HISTORY_FILE'

说明:

/etc/profile: 此文件为系统的每个用户设置环境信息,当用户第一次登录时,该文件被执行.并从/etc/profile.d目录的配置文件中搜集shell的设置.

具体参考:

.bash_profile 和 .bashrc 区别

这个代码其实就是把一些显示的信息导入到audit.log 文件。

>> : 追加到文件的最后

> : 覆盖原文件

[root@ db2 ~]# date "+%Y-%m-%d_%H:%M:%S"

2011-03-04_14:16:12

[root@ db2 ~]# who am i

root     pts/1        Mar  4 13:14 (192.168.3.115)

[root@ db2 ~]# who am i | awk "{print \$1\" \"\$2\" \"\$6}"

root pts/1 (192.168.3.115)

2. 创建保存审计信息的文件并赋权

[root@ db2 ~]# touch /var/log/audit.log

[root@ db2 ~]# chmod 777 /var/log/audit.log

audit.log 是所有用户都可以往里面写信息,所以所有用户都可以修改这个文件。 关于777 赋权这块如果有不清楚的,参考我的Blog:

Linux chmod 命令 详解

二.  验证

[root@db2 ~]# cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

[root@db2 ~]# cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

[root@db2 ~]# su - oracle

[oracle@db2 ~]$ cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log

2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit

[oracle@db2 ~]$ cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log

2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit

2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log

[oracle@db2 ~]$ cd $ORACLE_HOME

[oracle@db2 db_1]$ cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log

2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit

2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log

2011-03-04_13:59:46 --- root pts/2 (192.168.3.115) --- 202 --- cat /var/log/audit.log

2011-03-04_13:59:55 --- root pts/2 (192.168.3.115) --- 203 --- cd $ORACLE_HOME

[oracle@db2 db_1]$ cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log

2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit

2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log

2011-03-04_13:59:46 --- root pts/2 (192.168.3.115) --- 202 --- cat /var/log/audit.log

2011-03-04_13:59:55 --- root pts/2 (192.168.3.115) --- 203 --- cd $ORACLE_HOME

2011-03-04_13:59:57 --- root pts/2 (192.168.3.115) --- 204 --- cat /var/log/audit.log

2011-03-04_14:00:46 --- root pts/4 (192.168.3.115) --- 430 --- exit

2011-03-04_14:01:09 --- oracle pts/4 (192.168.3.115) --- 200 --- exit

说明:

这里记录的用户信息,是用户第一次连接的的用户,如:我用用户A连接到服务器,那么记录的是A用户的操作。 假设这个时候我用su 切换到用户B,这时记录的还是用户A。

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值