Bash记录用户操作 -- PROMPT_COMMAND

一、配置命令记录 -- /etc/profile.d/usercmd.sh

1. 设置HISTTIMEFORMAT -- 命令执行时间

export HISTTIMEFORMAT="[%H:%M:%S] "

2. 设置PROMPT_COMMAND

a. 命令用双引号包括，记录命令中间及后面的空白符

export PROMPT_COMMAND='
msg="[$( date +"%F %T" )] \
$(whoami) \
\"$( history 1 | sed -r "s|^[ \t]+[0-9]+[ \t]+||" )\" \
FROM $( who am i | sed -r "s|^([^ \t]+)[ \t]+([^ \t]+)[ \t]+(.+)[ \t]+(\(.+\))|\1 \2 \4|" ) \
"; \
echo "$msg" \
>>/var/log/usercmd.log
'

b. 命令用双引号包括，无法记录命令中间及后面的空白符

export PROMPT_COMMAND='
echo [$( date +"%F %T" )] \
$(whoami) \
$( history 1 | ( read num cmd ; echo \"$cmd\" ) ) \
FROM $( who am i | sed -r "s|^([^ \t]+)[ \t]+([^ \t]+)[ \t]+(.+)[ \t]+(\(.+\))|\1 \2 \4|" ) \
>>/var/log/usercmd.log
'

c. 命令用花括号包括，记录命令中间及后面的空白符

export PROMPT_COMMAND='
echo [$( date +"%F %T" )] \
$(whoami) \
{"$( history 1 | sed -r "s|^[ \t]+[0-9]+[ \t]+||" )"} \
FROM \
$( who am i | sed -r "s|^([^ \t]+)[ \t]+([^ \t]+)[ \t]+(.+)[ \t]+(\(.+\))|\1 \2 \4|" ) \
>>/var/log/usercmd.log
'

二、配置日志文件备份 -- /etc/logrotate.d/usercmd

/var/log/usercmd.log
{
    compress
    dateext
    maxage 365
    rotate 99
    missingok
    notifempty
    size +4096k
    create 622 root root
}