
Simple Linux user behaviour auditing: keeping a record of every user's history

Category: history | Author: admin

1. Create the directory that will hold the user audit log;

mkdir -p /var/log/aikaiyuan/

2. Create the user audit log file;

echo usermonitor >/var/log/aikaiyuan/aikaiyuan.log

3. Hand ownership of the log file to a least-privileged user;

chown nobody:nobody /var/log/aikaiyuan/aikaiyuan.log

4. Make the log file writable by everyone (mode 002 sets only the world write bit, so every shell can append to it);

chmod 002 /var/log/aikaiyuan/aikaiyuan.log

5. Set the file attribute so that all users can only append to the file (with chattr +a the file can only be opened for writing in append mode, so existing entries cannot be overwritten or truncated by ordinary users);

chattr +a /var/log/aikaiyuan/aikaiyuan.log

6. Edit /etc/profile and add any one of the following snippets;

Snippet 1 (records date, login session from "who am i", uid and the last command):

export HISTORY_FILE=/var/log/aikaiyuan/aikaiyuan.log
# date formats only the timestamp; the rest of the record is assembled by echo, so a "%" inside a logged command is not interpreted as a date format sequence
export PROMPT_COMMAND='{ echo "$(date "+%y-%m-%d %T") ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}")  #### $(id|awk "{print \$1}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'

Snippet 2 (sends each record to syslog through logger, facility local1, instead of writing it to the file directly):

HISTTIMEFORMAT="%Y%m%d-%H%M%S: "
export HISTTIMEFORMAT

export HISTORY_FILE=/var/log/aikaiyuan/aikaiyuan.log
# logger writes to syslog (local1.notice); nothing lands in $HISTORY_FILE unless syslog is configured to route local1 there
export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo "$y"; }); logger -p local1.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; } >>$HISTORY_FILE'

Snippet 3 (records user, SSH client address, tty, parent pid, working directory and the last command):

export HISTORY_FILE=/var/log/aikaiyuan/aikaiyuan.log
# as in snippet 1, date formats only the timestamp so that a "%" in the logged command survives intact
export PROMPT_COMMAND='{ echo "$(date "+%Y-%m-%d %T") ##### USER:$USER IP:$SSH_CLIENT PS:$SSH_TTY ppid=$PPID pwd=$PWD  #### $(history 1 | { read x cmd; echo "$cmd"; })";} >>$HISTORY_FILE'

7. Apply the configuration

source  /etc/profile
or
. /etc/profile
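As an added example (not part of the original post), a small Python reader for the record layout that snippet 3 writes, run over a few constructed sample lines. It splits the file into well-formed records and lines that do not fit the layout, and flags commands that name the audit log itself; the log path is the one from the steps above, the sample lines and user names are constructed.

```python
import re

# Record layout written by snippet 3: timestamp, "#####", USER/IP/PS/ppid/pwd
# fields, a two-space "####" separator, then the command text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ##### "
    r"USER:(?P<user>\S*) IP:(?P<ssh_client>.*?) PS:(?P<tty>\S*) "
    r"ppid=(?P<ppid>\d+) pwd=(?P<pwd>.*?)  #### (?P<cmd>.*)$"
)
AUDIT_LOG = "/var/log/aikaiyuan/aikaiyuan.log"

def parse_line(line: str):
    """Parse one record; None means the line does not fit the layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # $SSH_CLIENT is "client-ip client-port server-port" and is unset for
    # console logins, so the IP field is left empty in that case.
    rec["ip"] = rec["ssh_client"].split()[0] if rec["ssh_client"].split() else ""
    rec["ppid"] = int(rec["ppid"])
    # The file is append-only but world-writable: a command naming the audit
    # log itself (e.g. changing its attributes) is worth flagging for review.
    rec["touches_audit_log"] = AUDIT_LOG in rec["cmd"]
    return rec

def parse_log(text: str):
    """Return (well-formed records, [(line number, text)] of rejected lines)."""
    records, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line == "usermonitor":  # header from step 2
            continue
        rec = parse_line(line)
        if rec is None:
            rejected.append((n, line))  # anyone can append; never drop silently
        else:
            records.append(rec)
    return records, rejected

# Constructed sample: three records in snippet 3's layout plus one stray line.
SAMPLE = """usermonitor
2024-03-05 10:15:42 ##### USER:alice IP:192.0.2.10 51234 22 PS:/dev/pts/1 ppid=2741 pwd=/home/alice  #### ls -la /etc
2024-03-05 10:16:03 ##### USER:bob IP: PS: ppid=3090 pwd=/tmp  #### printf '%s' done
2024-03-05 10:16:20 ##### USER:alice IP:192.0.2.10 51234 22 PS:/dev/pts/1 ppid=2741 pwd=/home/alice  #### chattr -a /var/log/aikaiyuan/aikaiyuan.log
this is not an audit record
"""
if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE)
    for r in recs:
        print(r["ts"], r["user"], r["ip"] or "console", r["cmd"], "<-- audit log" if r["touches_audit_log"] else "")
    for n, line in bad:
        print(f"line {n}: rejected: {line!r}")
```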

Source: 爱开源 » Simple Linux user behaviour auditing: keeping a record of every user's history (please credit the source when reposting)
