linux安全之历史命令追踪

修改配置文件查看任何登录主机的用户在任何时间执行的任何命令
一 为history 命令添加日期时间显示

[root@web44 ~]# vim /etc/bashrc
HISTTIMEFORMAT="%Y-%m-%d:%H-%M-%S:`whoami`:  "
export HISTTIMEFORMAT
//加入这两行

二 脚步记录所有用户登陆服务器上的所有操作命令

[root@web44 ~]# vim /etc/profile             //配置文件最下方加入以下代码
 history
 USER=`whoami`
 USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`
 if [ "$USER_IP" = "" ]; then
 USER_IP=`hostname`
 fi
 if [ ! -d /var/log/history ]; then
 mkdir /var/log/history
 chmod 777 /var/log/history
 fi
 if [ ! -d /var/log/history/${LOGNAME} ]; then
 mkdir /var/log/history/${LOGNAME}
 chmod 300 /var/log/history/${LOGNAME}
 fi
 export HISTSIZE=4096
 DT=`date +"%Y%m%d_%H:%M:%S"`
 export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
 chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null

三 重载使配置文件立刻生效

[root@web44 ~]# source /etc/bashrc
[root@web44 ~]# source /etc/profile

四 查看历史命令记录

[root@web44 ~]# history 
    1  2018-12-08:10-34-15:root:  systemctl set-default multi-user.target 
    2  2018-12-08:10-34-15:root:  systemctl stop firewalld.service 
    3  2018-12-08:10-34-15:root:  systemctl disable firewalld.service 
    4  2018-12-08:10-34-15:root:  vim /etc/selinux/config 
    5  2018-12-08:10-34-15:root:  grubby --update-kernel=ALL --args="console=ttyS0"
    6  2018-12-08:10-34-15:root:  reboot 
    7  2018-12-08:10-34-15:root:  nmcli connection modify eth0 ipv4.method manual ipv4.addresses 192.168.4.44/24 connection.autoconnect yes
    8  2018-12-08:10-34-15:root:  nmcli connection up eth0
    9  2018-12-08:10-34-15:root:  hostnamectl set-hostname web44
   10  2018-12-08:10-34-15:root:  exit