Linux系统命令审计 原
命令审计
1、 创建审计日志文件存放目录:
[root@Centos-1 ~]# mkdir -p /tmp/logs/host_log2、 更改目录权限使其可写、防删除:
[root@Centos-1 ~]# chmod 777 /tmp/logs/host_log
[root@Centos-1 ~]# chmod +t /tmp/logs/host_log3、 编辑/etc/profile,在文件最后增加如下:
[root@Centos-1 ~]# vim /etc/profile
#命令审计
if [ ! -d /tmp/logs/host_log/${LOGNAME} ]
then
mkdir -p /tmp/logs/host_log/${LOGNAME}
chattr +a #时该文件内容只可追加 /tmp/logs/host_log/${LOGNAME}
fi
export HISTORY_FILE="/tmp/logs/host_log/${LOGNAME}/commond_history.log"
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'4、 查看效果:
[root@Centos-1 ~]# ls /tmp/logs/host_log/
root
[root@Centos-1 ~]# ls /tmp/logs/host_log/root/
commond_history.log
[root@Centos-1 ~]# cat /tmp/logs/host_log/root/commond_history.log
2017-09-27 13:14:22 ##### root pts/1 (192.168.15.253) #### ipvsadm -e -t 192.168.14.13:80 -r 192.168.14.127 -w 0
2017-09-27 13:14:27 ##### root pts/1 (192.168.15.253) #### ls
2017-09-27 13:14:56 ##### root pts/1 (192.168.15.253) #### w
2017-09-27 13:15:31 ##### root pts/1 (192.168.15.253) #### pwd
2017-09-27 13:15:35 ##### root pts/1 (192.168.15.253) #### ls
[root@Centos-1 ~]# rm -f /tmp/logs/host_log/root/commond_history.log
rm: 无法删除"/tmp/logs/host_log/root/commond_history.log": 不允许的操作(adsbygoogle = window.adsbygoogle || []).push({});
本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2017/09/27 ,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录