完善bash历史命令审核


1. 下载bash-4.2版本源码包,修改其中的源代码重新编译安装:


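# Fetch the bash 4.2 source.  This binary becomes the login shell for every
# account (step 6), so fetch it over HTTPS and check the GNU signature before
# building; a tampered tarball would be a complete compromise.
# bash 4.2 is an old release: apply the official patch set from
# bash-4.2-patches/ on the same mirror (it includes the 2014 Shellshock fixes)
# before building, or port the change in step 3 to a current release.
wget https://mirrors.ustc.edu.cn/gnu/bash/bash-4.2.tar.gz
wget https://mirrors.ustc.edu.cn/gnu/bash/bash-4.2.tar.gz.sig
wget https://ftp.gnu.org/gnu/gnu-keyring.gpg
# Stop here unless this prints "Good signature".
gpg --verify --keyring ./gnu-keyring.gpg bash-4.2.tar.gz.sig bash-4.2.tar.gz \
  || echo 'bash-4.2.tar.gz: signature check FAILED, do not build it' >&2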


2. 修改源码包中的根目录下 config-top.h 文件.

/* Make bash source ~/.bashrc even when it is started non-interactively by
   sshd ("ssh host cmd", scp, ...).  The .bashrc in step 5 relies on this to
   log $BASH_EXECUTION_STRING for such sessions.  */
#define SSH_SOURCE_BASHRC
/* Hand every line added to the history list to bash_syslog_history() in
   bashhist.c, the function step 3 replaces.  */
#define SYSLOG_HISTORY

去掉以上两项的注释即可


3. 修改源码包中根目录下 bashhist.c 文件,大概在705行.


/* void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];


  if (strlen(line) < SYSLOG_MAXLEN)
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d UID=%d %s", getpid(), current_user.uid, line);
  else
    {
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d UID=%d %s", getpid(), current_user.uid, trunc);
    }
}
*/
注释掉以上代码，添加以下代码:
# ---------------------------------------------------------------------------------------------------------------- #
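/* Send one history line to syslog, tagged with the process, parent and
   session ids, the unix user name and the name of the SSH key that opened
   the session.

   LINE is the command as added to the history list.  Lines of
   SYSLOG_MAXLEN bytes or more are cut to SYSLOG_MAXLEN - 1 bytes and
   flagged "(TRUNCATED)".

   The key name is read from the NAME_OF_KEY environment variable, which
   ~/.bashrc exports after matching the accepted key fingerprint against
   authorized_keys.  It is only as trustworthy as the process environment:
   a shell started with a cleaned environment, or without the rc file, has
   no name.  Treat the field as an audit hint, not as an identity.

   CMD is deliberately the last field: the command text is user-controlled
   and may itself contain "USER=" or spaces, so consumers must take
   everything after "CMD=" as the command.  */
void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];
  const char *keyname;

  /* getenv returns NULL when the variable is unset; handing NULL to a %s
     conversion is undefined behaviour (glibc happens to print "(null)"),
     so substitute an explicit marker instead.  */
  keyname = getenv ("NAME_OF_KEY");
  if (keyname == NULL || *keyname == '\0')
    keyname = "UNKNOWN";

  if (strlen (line) < SYSLOG_MAXLEN)
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL,
	    "HISTORY: PID=%d PPID=%d SID=%d  User=%s USER=%s CMD=%s",
	    getpid (), getppid (), getsid (getpid ()),
	    current_user.user_name, keyname, line);
  else
    {
      /* strncpy does not terminate when the source is longer than the
	 buffer, so terminate explicitly.  */
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL,
	      "HISTORY (TRUNCATED): PID=%d  PPID=%d SID=%d User=%s USER=%s CMD=%s",
	      getpid (), getppid (), getsid (getpid ()),
	      current_user.user_name, keyname, trunc);
    }
}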
# ---------------------------------------------------------------------------------------------------------------- #


4. 编译安装,默认安装在 /usr/local/bin/ 下


# Configure, build and install.  /usr/local is the default prefix, spelled
# out here so the installed path (/usr/local/bin/bash, used in step 6) is
# explicit.  `make install` needs root; the configure and build steps do not.
./configure --prefix=/usr/local \
  && make \
  && make install



5. 用以下脚本内容重写 /root/.bashrc 文件.

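# .bashrc
#
# Stamp this session with the name of the SSH key that opened it, so that the
# patched bash (bash_syslog_history, step 3) and the per-key HISTFILE chosen
# below can attribute every command to a key instead of to the shared root
# account.
#
# Flow: sshd logs "Found matching <TYPE> key: <fingerprint>" for the accepted
# key (only when sshd runs at LogLevel VERBOSE); each key in authorized_keys
# is fingerprinted with ssh-keygen and compared against it; the comment field
# of the matching key becomes NAME_OF_KEY.
#
# This is a cooperative audit trail, not access control: the name travels in
# an environment variable, and a user who starts another shell, uses --norc
# or clears the environment simply shows up without a key name.  For
# adversarial users rely on kernel-level auditing (auditd execve rules).
#
# Interactive sub-shells also source this file; there $PPID is the parent
# bash, no fingerprint is found, and the NAME_OF_KEY already exported by the
# login shell is simply inherited.

authorized_keys="$HOME/.ssh/authorized_keys"
secure="/var/log/secure"
record="/var/log/login"

# Fingerprint of the key sshd accepted for this session.  The PID is matched
# as "sshd[<pid>]" so that PID 12 cannot match the line logged for PID 1234,
# and any key type is accepted, not only RSA.
# NOTE(review): this assumes the sshd process that logged the match is this
# shell's parent; confirm on the target sshd version (privilege separation
# can put the log line under a different PID).
rsager=$(awk -v p="$PPID" \
  '/Found matching [A-Za-z0-9-]+ key/ && $0 ~ ("sshd\\[" p "\\]") {f=$NF} END{print f}' \
  "$secure" 2>/dev/null)

mkdir -p -- "$record"

# Only search for the key when a fingerprint was actually found: with an empty
# $rsager, a blank or comment line in authorized_keys (empty ssh-keygen
# output) would compare equal and tag the session with garbage.
# ssh-keygen -lf needs a file, so each line goes through a private temp file;
# a fixed /tmp/file would follow a symlink planted there by another user.
if [[ -n "$rsager" && -r "$authorized_keys" ]] && fcomp=$(mktemp); then
  while IFS= read -r LINE || [[ -n "$LINE" ]]; do
    printf '%s\n' "$LINE" > "$fcomp"
    nowrsa=$(ssh-keygen -lf "$fcomp" 2>/dev/null | awk '{print $2}')
    if [[ -n "$nowrsa" && "$rsager" == "$nowrsa" ]]; then
      # Third field is the key comment.  Lines with leading key options shift
      # the fields, so fall back to the fingerprint when it comes out empty,
      # and strip "/" so the comment cannot steer HISTFILE out of $record.
      name=$(awk '{print $3}' <<<"$LINE")
      name=${name//\//_}
      [[ -n "$name" ]] || name=${nowrsa//\//_}
      NAME_OF_KEY=$name
      readonly NAME_OF_KEY
      export NAME_OF_KEY HISTFILE="$record/$name"
      break
    fi
  done < "$authorized_keys"
  rm -f -- "$fcomp"
fi

# Non-interactive commands ("ssh host cmd", scp, rsync) never reach the
# history hook, so log them here.  bash sources this file for such shells
# only because SSH_SOURCE_BASHRC was enabled in config-top.h (step 2).
# "-t -bash" sets the syslog tag; "-s" also echoes to stderr, hence the
# redirect.  $SSH_CLIENT carries the client address and ports.
[[ -n "$BASH_EXECUTION_STRING" ]] && logger -t -bash -s "HISTORY $SSH_CLIENT USER=$NAME_OF_KEY CMD=$BASH_EXECUTION_STRING " &>/dev/null

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi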

6. 修改 /etc/passwd 中的登录shell

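# Point every account whose login shell is /bin/bash at the patched build.
# Anchor the pattern to the shell field: an unanchored s#/bin/bash#...#g also
# rewrites an entry already set to /usr/local/bin/bash into
# /usr/local/usr/local/bin/bash.
sed -i.bak 's#:/bin/bash$#:/usr/local/bin/bash#' /etc/passwd

# Tools that consult /etc/shells (chsh, some ftp/pam setups) may treat an
# unlisted shell as invalid, so register the new path there as well.
grep -qx '/usr/local/bin/bash' /etc/shells || echo '/usr/local/bin/bash' >> /etc/shells

# Replace the system binary with a symlink to the patched one.  Keep a backup,
# but not as a world-executable /bin/bash.bak: anyone could `exec /bin/bash.bak`
# and get an unaudited shell.  Copy first and then replace with `ln -sfn`, so
# there is no window in which /bin/bash (and /bin/sh, if it points to bash) is
# missing.
cp -p /bin/bash /bin/bash.bak
chmod 700 /bin/bash.bak
ln -sfn /usr/local/bin/bash /bin/bash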



重新登录即可。


参考: http://m.oschina.net/blog/78441
