bash 历史命令送入syslog

最新推荐文章于 2022-11-12 22:28:35 发布

createAmind公众号

最新推荐文章于 2022-11-12 22:28:35 发布

阅读量182

点赞数

文章标签： Bash C C++ C# MySQL

本文链接：https://blog.csdn.net/zdx3578/article/details/83673159

版权

cat bashhist.c |grep pid

syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PPID=%d PID=%d UID=%d %s", getppid(), getpid(), current_user.uid, line);
syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PPID=%d PID=%d UID=%d %s", getppid(), getpid(), current_user.uid, trunc);

这样可以显示ppid，跟踪sh切换后的用户

bash 4.1 增加了syslog 历史命令的功能，编译时 vi config-top.h 將此行/*#define SYSLOG_HISTORY*/ 修改為#define SYSLOG_HISTORY ‧./configure & make ‧ make install 這樣就可以使用bash-4.1 的新功能了，历史命令保存到syslog！

cat bashhist.c |grep pid
syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY:SID=%d PPID=%d PID=%d UID=%d %s", getsid(getpid()), getppid(), getpid(), current_user.uid, line);
syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED):SID=%d PPID=%d PID=%d UID=%d %s", getsid(getpid()), getppid(), getpid(), current_user.uid, trunc);

增加sid 用户切换也可以跟踪，su - mysql等等

sed -e 's/HISTORY: PID=%d UID=%d %s", getpid(),/HISTORY:SID=%d PPID=%d PID=%d UID=%d %s", getsid(getpid()), getppid(), getpid(),/' -e 's/HISTORY (TRUNCATED): PID=%d UID=%d %s", getpid(),/HISTORY (TRUNCATED):SID=%d PPID=%d PID=%d UID=%d %s", getsid(getpid()), getppid(), getpid(),/' bashhist.c>bashhist.c.1;mv bashhist.c bashhist.c.2;mv bashhist.c.1 bashhist.c; diff bashhist.c bashhist.c.2

bash升级、增加syslog功能并统一记录到日志服务器、记录history命令、并可以取出key登录的key-comment用户名和ip，

http://blog.hellosa.org/2013/07/27/log-bash-history-to-syslog-on-centos-6.html

http://www.366yw.com/?p=590