Auditing user commands on Linux
2014-07-09 16:23
288 views
kb_linux_audit_user_command.txt
http://rickie622.blog.163.com/blog/static/212388112014226101625488/
The first method is recommended, as follows:
jun:/var/log # cat /etc/profile.local
HISTSIZE=1000
HISTTIMEFORMAT="%D %T "
#function log2syslog
#{
# declare command
# command=$(fc -ln -0)
# logger -p local1.notice -t bash -i -- $SSH_CLIENT :$USER : $command
#}
#trap log2syslog DEBUG
export HISTORY_FILE=/tmp/history.log
export PROMPT_COMMAND='{ thisHistID=`history 1|awk "{print\\$1}"`;lastCommand=`history 1| awk "{\\$1=\"\" ;print}"`;user=`id $(whoami)`;whoStr=(`who -u am i`);realUser=${whoStr[0]};logMonth=${whoStr[2]};logDay=${whoStr[3]};logTime=${whoStr[4]};pid=${whoStr[6]};ip=${whoStr[7]};if
[ ${thisHistID}x != ${lastHistID}x ];then echo -E `date "+%Y/%m/%d %H:%M:%S"` $user\($realUser\)@$ip[PID:$pid][LOGIN:$logMonth $logDay $logTime] --- $lastCommand ;lastHistID=$thisHistID;fi; } >> $HISTORY_FILE'
This records the time, username and SSH client IP (shown in red in the original; this machine's own IP is 147.2.147.181), and it does so in real time:
2014/07/09 15:41:58 (root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:41 .] --- 07/09/14 15:41:54 exit
2014/07/09 15:44:40 (root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:41 .] --- 07/09/14 15:42:08 vi /etc/profile.local
2014/07/09 15:44:45 (root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:41 .] --- 07/09/14 15:44:45 id $(whoami)
2014/07/09 15:44:59 uid=0(root) gid=0(root) groups=0(root)(root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:44 .] --- 07/09/14 15:44:55 exit
2014/07/09 15:45:02 uid=0(root) gid=0(root) groups=0(root)(root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:44 .] --- 07/09/14 15:45:02 ls
2014/07/09 15:45:05 uid=0(root) gid=0(root) groups=0(root)(root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:44 .] --- 07/09/14 15:45:04 cd /var/log/
2014/07/09 15:45:05 uid=0(root) gid=0(root) groups=0(root)(root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:44 .] --- 07/09/14 15:45:05 ls
2014/07/09 15:45:21 uid=0(root) gid=0(root) groups=0(root)(root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:44 .] --- 07/09/14 15:45:09 tailf /var/log/messages
2014/07/09 15:45:39 uid=0(root) gid=0(root) groups=0(root)(root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:44 .] --- 07/09/14 15:45:26 vi /tmp/history.log
2014/07/09 15:46:29 uid=1000(hujun) gid=100(users) groups=100(users),7(lp),475(vboxusers)(hujun)@[PID:(147.2.147.78)][LOGIN:2014-07-09 15:46 .] --- 07/09/14 15:46:06 exit
2014/07/09 15:46:36 uid=1000(hujun) gid=100(users) groups=100(users),7(lp),475(vboxusers)(hujun)@[PID:(147.2.147.78)][LOGIN:2014-07-09 15:46 .] --- 07/09/14 15:46:36 cd /usr/local/
2014/07/09 15:46:36 uid=1000(hujun) gid=100(users) groups=100(users),7(lp),475(vboxusers)(hujun)@[PID:(147.2.147.78)][LOGIN:2014-07-09 15:46 .] --- 07/09/14 15:46:36 ls
2014/07/09 15:47:06 uid=0(root) gid=0(root) groups=0(root)(root)@[PID:(147.2.147.40)][LOGIN:2014-07-09 15:44 .] --- 07/09/14 15:47:06 cat /etc/profile.local
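The log above shows the client address landing in the PID slot and the login date in the month slot, because `who -u am i` prints seven fields (NAME LINE DATE TIME IDLE PID HOST) while the PROMPT_COMMAND indexes as if there were eight. The function below is an added example, not code from the original post: it builds the same audit record from constructed `who -u am i` and `history 1` lines, reading the fields by their documented positions; the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Builds one audit record in the
# same layout as the PROMPT_COMMAND above, but with PID and SSH source host
# taken from the correct `who -u` columns: NAME LINE DATE TIME IDLE PID HOST.

# $1: one line of `who -u am i` output
# $2: one line of `history 1` output (HISTTIMEFORMAT="%D %T " assumed)
# $3: record timestamp (what `date "+%Y/%m/%d %H:%M:%S"` would print)
# $4: `id` output for the effective user
format_audit_line() {
    who_line=$1; hist_line=$2; stamp=$3; id_str=$4
    # Split the who line on whitespace into positional parameters.
    set -- $who_line
    real_user=$1; tty=$2; login_date=$3; login_time=$4; pid=$6
    # A local (console) login has no HOST column; label it explicitly.
    host=${7:-local}
    # `who` wraps the remote host in parentheses; strip them.
    host=${host#\(}; host=${host%\)}
    # Drop the history number, keep the command's own timestamp and text.
    cmd=$(printf '%s\n' "$hist_line" | awk '{$1=""; sub(/^ +/, ""); print}')
    printf '%s %s(%s)@%s[PID:%s][TTY:%s][LOGIN:%s %s] --- %s\n' \
        "$stamp" "$id_str" "$real_user" "$host" "$pid" "$tty" \
        "$login_date" "$login_time" "$cmd"
}

# Constructed sample inputs modelled on the post's environment.
SAMPLE_WHO_SSH='root     pts/0        2014-07-09 15:44   .         12345 (147.2.147.40)'
SAMPLE_WHO_TTY='hujun    tty1         2014-07-09 15:46   .         23456'
SAMPLE_HIST='  1023  07/09/14 15:45:09 tailf /var/log/messages'
SAMPLE_ID='uid=0(root) gid=0(root) groups=0(root)'

demo_ssh() {
    format_audit_line "$SAMPLE_WHO_SSH" "$SAMPLE_HIST" "2014/07/09 15:45:21" "$SAMPLE_ID"
}
demo_tty() {
    format_audit_line "$SAMPLE_WHO_TTY" "$SAMPLE_HIST" "2014/07/09 15:45:21" "$SAMPLE_ID"
}
```

To deploy it, source the function from /etc/profile.local and point PROMPT_COMMAND at it with the live `who -u am i`, `history 1`, `date` and `id` values. Send the result to `logger` (as the commented-out log2syslog block does) rather than appending to /tmp/history.log, since a file the audited user can write is a trail that user can edit.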