Linux系统命令审计原

命令审计

1、创建审计日志文件存放目录：

[root@Centos-1 ~]# mkdir -p /tmp/logs/host_log

2、更改目录权限使其可写、防删除：

[root@Centos-1 ~]# chmod 777 /tmp/logs/host_log

[root@Centos-1 ~]# chmod +t /tmp/logs/host_log

3、编辑/etc/profile，在文件最后增加如下：

[root@Centos-1 ~]# vim /etc/profile
#命令审计
if [ ! -d  /tmp/logs/host_log/${LOGNAME} ]
then
    mkdir -p /tmp/logs/host_log/${LOGNAME}
    chattr +a    #时该文件内容只可追加 /tmp/logs/host_log/${LOGNAME}
fi

export HISTORY_FILE="/tmp/logs/host_log/${LOGNAME}/commond_history.log"

export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i |awk "{print $1" "$2" "$5}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'

4、查看效果：

[root@Centos-1 ~]# ls /tmp/logs/host_log/
root
[root@Centos-1 ~]# ls /tmp/logs/host_log/root/
commond_history.log
[root@Centos-1 ~]# cat /tmp/logs/host_log/root/commond_history.log
2017-09-27 13:14:22 ##### root pts/1 (192.168.15.253) #### ipvsadm -e -t 192.168.14.13:80 -r 192.168.14.127 -w 0
2017-09-27 13:14:27 ##### root pts/1 (192.168.15.253) #### ls
2017-09-27 13:14:56 ##### root pts/1 (192.168.15.253) #### w
2017-09-27 13:15:31 ##### root pts/1 (192.168.15.253) #### pwd
2017-09-27 13:15:35 ##### root pts/1 (192.168.15.253) #### ls

[root@Centos-1 ~]# rm -f /tmp/logs/host_log/root/commond_history.log
rm: 无法删除"/tmp/logs/host_log/root/commond_history.log": 不允许的操作

(adsbygoogle = window.adsbygoogle || []).push({});

Linux系统命令审计 原

命令审计

Linux系统命令审计原