1、有时候我们需要对线上用户的操作进行记录,可以进行追踪,出现问题追究责任,但是linux自带的history并不会实时的记录(仅仅在内存中,当用户正常退出(exit logout )时才会记录到history文件里),并且还有1000行的限制可以删除的;
为了保证让用户的操作进行实时记录;可以做一个简易的审计系统;审计用户的操作历史;
1:首先创建一个目录,这个目录是用来记录所有用户的操作历史的;
[root@localhost_001 ~]# mkdir -p /usr/local/domob/records/
2:然后给目录777权限;(让任何用户都可以写入文件);
[root@localhost_001 ~]# chmod 777 /usr/local/domob/records/
3:还有给目录加上 t 权限;普通用户之间无法互相删除;
[root@localhost_001 ~]# chmod o+t /usr/local/domob/records/
4:在/etc/profile里添加如下内容;并执行立即生效命令: source /etc/profile
[root@localhost_001 ~]# vim /etc/profile
if [ ! -d /usr/local/domob/records/${LOGNAME} ]
then
mkdir -p /usr/local/domob/records/${LOGNAME}
chmod 300 /usr/local/domob/records/${LOGNAME}
fi
#需要声明变量;
export HISTORY_FILE="/usr/local/domob/records/${LOGNAME}/bash_history"
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'
[root@localhost_001 ~]# source /etc/profile
详细步骤;
[root@localhost_001 ~]# mkdir -p /usr/local/domob/records/
[root@localhost_001 ~]# chmod 777 /usr/local/domob/records/
[root@localhost_001 ~]# chmod o+t /usr/local/domob/records/
[root@localhost_001 ~]# vim /etc/profile
if [ ! -d /usr/local/domob/records/${LOGNAME} ]
then
mkdir -p /usr/local/domob/records/${LOGNAME}
chmod 300 /usr/local/domob/records/${LOGNAME}
fi
export HISTORY_FILE="/usr/local/domob/records/${LOGNAME}/bash_history"
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'
[root@localhost_001 ~]# source /etc/profile
2、然后在linux下root用户运行一些命令,然后去查看命令历史;
[root@localhost_001 ~]# cd
[root@localhost_001 ~]# pwd
/root
[root@localhost_001 ~]# ls
anaconda-ks.cfg CentOS7-Base-163.repo test
authorized_keys link test.txt
[root@localhost_001 ~]# cd /etc/sysconfig/network-scripts/
[root@localhost_001 network-scripts]# cd
3、然后去存放命令的目录下查看: /usr/local/domob/records/username
[root@localhost_001 ~]# cat /usr/local/domob/records/root/bash_history
2018-10-20 12:11:17 ##### root pts/0 (192.168.149.135) #### source /etc/profile
2018-10-20 12:11:20 ##### root pts/0 (192.168.149.135) #### cd
2018-10-20 12:11:21 ##### root pts/0 (192.168.149.135) #### pwd
2018-10-20 12:11:21 ##### root pts/0 (192.168.149.135) #### ls
2018-10-20 12:11:27 ##### root pts/0 (192.168.149.135) #### cd /etc/sysconfig/network-scripts/
2018-10-20 12:11:27 ##### root pts/0 (192.168.149.135) #### cd
4、我们切换到普通用户随意执行一些命令,然后查看是否会记录;
[root@localhost_001 ~]# su - fenye
上一次登录:四 10月 18 22:35:24 CST 2018pts/0 上
[fenye@localhost_001 etc]$ cd
[fenye@localhost_001 ~]$ pwd
/home/fenye
[fenye@localhost_001 ~]$ cd
[fenye@localhost_001 ~]$ ksjd;lsdjf
-bash: ksjd: 未找到命令
-bash: lsdjf: 未找到命令
[fenye@localhost_001 ~]$
[fenye@localhost_001 ~]$ cd /etc/
[fenye@localhost_001 etc]$ cd
[fenye@localhost_001 ~]$ ls
[fenye@localhost_001 ~]$ klsd;ksjfksf
-bash: klsd: 未找到命令
-bash: ksjfksf: 未找到命令
注释:查看/usr/local/domob/relcords已记录,但是无法打开,因为普通用户只有写入的权限;
[fenye@localhost_001 ~]$ cd /usr/local/domob/records/
fenye/ root/
[fenye@localhost_001 ~]$ cd /usr/local/domob/records/fenye/
[fenye@localhost_001 fenye]$ ls
ls: 无法打开目录.: 权限不够
切换至root用户,查看其用户的历史命令是否有记录;有记录;
[fenye@localhost_001 fenye]$ exit
登出
[root@localhost_001 ~]# cat /usr/local/domob/records/
fenye/ root/
[root@localhost_001 ~]# cat /usr/local/domob/records/fenye/bash_history
2018-10-20 12:17:52 ##### root pts/0 (192.168.149.135) ####
2018-10-20 12:17:54 ##### root pts/0 (192.168.149.135) #### ls
2018-10-20 12:17:55 ##### root pts/0 (192.168.149.135) #### klsjdkfs
2018-10-20 12:17:56 ##### root pts/0 (192.168.149.135) #### jsjfkls
2018-10-20 12:17:57 ##### root pts/0 (192.168.149.135) #### ls
2018-10-20 12:17:58 ##### root pts/0 (192.168.149.135) #### pwd
2018-10-20 12:17:58 ##### root pts/0 (192.168.149.135) #### cd
2018-10-20 12:18:01 ##### root pts/0 (192.168.149.135) #### cd /etc/
2018-10-20 12:18:02 ##### root pts/0 (192.168.149.135) #### ls
2018-10-20 12:18:04 ##### root pts/0 (192.168.149.135) #### cd
2018-10-20 12:18:09 ##### root pts/0 (192.168.149.135) #### pwd
2018-10-20 12:18:10 ##### root pts/0 (192.168.149.135) #### cd
转载于:https://my.oschina.net/yuanhaohao/blog/2249855