A simple command-history audit system for Linux

1. Sometimes we need to record what users do on production systems, so that actions can be traced and responsibility assigned when a problem occurs. The history built into Linux, however, does not record in real time (it lives only in memory and is written to the history file only when the user exits normally with exit or logout), it is limited to 1000 lines, and it can be deleted;

To make sure users' operations are recorded in real time, we can build a simple audit system that audits each user's command history;

1: First create a directory; it is used to store the command history of every user

[root@localhost_001 ~]# mkdir -p /usr/local/domob/records/

2: Then give the directory 777 permissions (so that any user can write files into it);

[root@localhost_001 ~]# chmod 777 /usr/local/domob/records/

3: Also add the t (sticky) bit to the directory, so that ordinary users cannot delete each other's files;

[root@localhost_001 ~]# chmod o+t /usr/local/domob/records/

4: Add the following to /etc/profile, then run the command that makes it take effect immediately: source /etc/profile

[root@localhost_001 ~]# vim /etc/profile

if [ ! -d /usr/local/domob/records/${LOGNAME} ]
then
    mkdir -p /usr/local/domob/records/${LOGNAME}
    chmod 300 /usr/local/domob/records/${LOGNAME}
fi

# the variables must be declared and exported;
export HISTORY_FILE="/usr/local/domob/records/${LOGNAME}/bash_history"
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'


[root@localhost_001 ~]# source /etc/profile

Detailed steps

[root@localhost_001 ~]# mkdir -p /usr/local/domob/records/

[root@localhost_001 ~]# chmod 777 /usr/local/domob/records/

[root@localhost_001 ~]# chmod o+t /usr/local/domob/records/

[root@localhost_001 ~]# vim /etc/profile

if [ ! -d /usr/local/domob/records/${LOGNAME} ]
then
    mkdir -p /usr/local/domob/records/${LOGNAME}
    chmod 300 /usr/local/domob/records/${LOGNAME}
fi

export HISTORY_FILE="/usr/local/domob/records/${LOGNAME}/bash_history"
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'

[root@localhost_001 ~]# source /etc/profile

2. Then run a few commands as root on the Linux host and look at the command history;

[root@localhost_001 ~]# cd

[root@localhost_001 ~]# pwd

/root

[root@localhost_001 ~]# ls

anaconda-ks.cfg CentOS7-Base-163.repo test

authorized_keys link test.txt

[root@localhost_001 ~]# cd /etc/sysconfig/network-scripts/

[root@localhost_001 network-scripts]# cd

3. Then look in the directory where the commands are stored: /usr/local/domob/records/username

[root@localhost_001 ~]# cat /usr/local/domob/records/root/bash_history

2018-10-20 12:11:17 ##### root pts/0 (192.168.149.135) #### source /etc/profile

2018-10-20 12:11:20 ##### root pts/0 (192.168.149.135) #### cd

2018-10-20 12:11:21 ##### root pts/0 (192.168.149.135) #### pwd

2018-10-20 12:11:21 ##### root pts/0 (192.168.149.135) #### ls

2018-10-20 12:11:27 ##### root pts/0 (192.168.149.135) #### cd /etc/sysconfig/network-scripts/

2018-10-20 12:11:27 ##### root pts/0 (192.168.149.135) #### cd

4. Switch to an ordinary user, run some arbitrary commands, and then check whether they were recorded;

[root@localhost_001 ~]# su - fenye

上一次登录:四 10月 18 22:35:24 CST 2018pts/0 上

[fenye@localhost_001 etc]$ cd

[fenye@localhost_001 ~]$ pwd

/home/fenye

[fenye@localhost_001 ~]$ cd

[fenye@localhost_001 ~]$ ksjd;lsdjf

-bash: ksjd: 未找到命令

-bash: lsdjf: 未找到命令

[fenye@localhost_001 ~]$

[fenye@localhost_001 ~]$ cd /etc/

[fenye@localhost_001 etc]$ cd

[fenye@localhost_001 ~]$ ls

[fenye@localhost_001 ~]$ klsd;ksjfksf

-bash: klsd: 未找到命令

-bash: ksjfksf: 未找到命令

Note: /usr/local/domob/records has been written to, but it cannot be opened, because ordinary users only have write permission on it;

[fenye@localhost_001 ~]$ cd /usr/local/domob/records/

fenye/ root/

[fenye@localhost_001 ~]$ cd /usr/local/domob/records/fenye/

[fenye@localhost_001 fenye]$ ls

ls: 无法打开目录.: 权限不够

Switch back to root and check whether that user's command history has been recorded; it has;

[fenye@localhost_001 fenye]$ exit

登出

[root@localhost_001 ~]# cat /usr/local/domob/records/

fenye/ root/

[root@localhost_001 ~]# cat /usr/local/domob/records/fenye/bash_history

2018-10-20 12:17:52 ##### root pts/0 (192.168.149.135) ####

2018-10-20 12:17:54 ##### root pts/0 (192.168.149.135) #### ls

2018-10-20 12:17:55 ##### root pts/0 (192.168.149.135) #### klsjdkfs

2018-10-20 12:17:56 ##### root pts/0 (192.168.149.135) #### jsjfkls

2018-10-20 12:17:57 ##### root pts/0 (192.168.149.135) #### ls

2018-10-20 12:17:58 ##### root pts/0 (192.168.149.135) #### pwd

2018-10-20 12:17:58 ##### root pts/0 (192.168.149.135) #### cd

2018-10-20 12:18:01 ##### root pts/0 (192.168.149.135) #### cd /etc/

2018-10-20 12:18:02 ##### root pts/0 (192.168.149.135) #### ls

2018-10-20 12:18:04 ##### root pts/0 (192.168.149.135) #### cd

2018-10-20 12:18:09 ##### root pts/0 (192.168.149.135) #### pwd

2018-10-20 12:18:10 ##### root pts/0 (192.168.149.135) #### cd
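As an added example that is not part of the original post, the following script checks that a records directory has the layout built above (777 plus the sticky bit on the top level, 300 on each per-user subdirectory) and parses records in the format the PROMPT_COMMAND writes. It assumes a POSIX sh with awk, ls and mktemp, and uses a scratch directory in place of /usr/local/domob/records.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the record format
# written by the PROMPT_COMMAND above and a POSIX sh with awk, ls and mktemp.

# check_records_dir DIR: succeed only when DIR is world-writable with the
# sticky bit (drwxrwxrwt) and every per-user subdirectory is write+search
# only for its owner (d-wx------), i.e. what chmod 777, o+t and 300 produce.
check_records_dir() {
    _dir=$1
    [ "$(ls -ld "$_dir" | cut -c1-10)" = "drwxrwxrwt" ] ||
        { echo "$_dir: expected drwxrwxrwt" >&2; return 1; }
    for _sub in "$_dir"/*/; do
        [ -d "$_sub" ] || continue
        [ "$(ls -ld "$_sub" | cut -c1-10)" = "d-wx------" ] ||
            { echo "$_sub: expected d-wx------" >&2; return 1; }
    done
    return 0
}

# parse_records: read records on stdin, emit "timestamp|user|tty|host|command".
# The user field is whatever `who am i` reported, i.e. the login user of the
# session, which is why the fenye history above still shows root after su.
parse_records() {
    awk '{
        p = index($0, " #### ")                 # command follows the 2nd marker
        cmd = (p > 0) ? substr($0, p + 6) : ""  # empty when nothing was run yet
        print $1 " " $2 "|" $4 "|" $5 "|" $6 "|" cmd
    }'
}

# Sample records taken from the post's own output above (test input).
SAMPLE_RECORDS='2018-10-20 12:11:17 ##### root pts/0 (192.168.149.135) #### source /etc/profile
2018-10-20 12:11:21 ##### root pts/0 (192.168.149.135) #### ls
2018-10-20 12:17:52 ##### root pts/0 (192.168.149.135) ####
2018-10-20 12:18:01 ##### root pts/0 (192.168.149.135) #### cd /etc/'

# demo: rebuild the layout in a scratch directory, verify it, parse the sample.
demo() {
    _root=$(mktemp -d)
    chmod 777 "$_root" && chmod o+t "$_root"
    mkdir -p "$_root/fenye" && chmod 300 "$_root/fenye"
    check_records_dir "$_root" && echo "layout OK: $_root"
    printf '%s\n' "$SAMPLE_RECORDS" | parse_records
    chmod -R u+rwx "$_root" && rm -rf "$_root"   # rm cannot list a 300 dir
}

demo
```

The mode check confirms that other users can neither list nor remove a user's history; since each user still owns the bash_history file inside their own 300 directory, it does not stop the owner from truncating that file.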

Reposted from: https://my.oschina.net/yuanhaohao/blog/2249855
