Linux系统下的用户审计方法原创
通过利用环境变量PROMPT_COMMAND,可以做到将所有用户执行命令的记录,集中记录在一个日志文件。
# json
添加下面内容到~/.bashrc
HISTDIR='/var/log/operation'
if [ ! -d $HISTDIR ]
then
mkdir -p $HISTDIR
chmod -R 777 $HISTDIR
fi
export HISTTIMEFORMAT="{\"time\":\"%FT%T\",\"ip\":\"$(who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g')\",\"Luser\":\"$(who am i|awk '{print $1}')\",\"Ouser\":\"$(whoami)\",\"cmd\":\""
# export PROMPT_COMMAND='history 1|tail -1|sed "s/^[ ]\+[0-9]\+ //"|sed "s/$/\"}/">> $HISTDIR/operation-`date '+%Y-%m-%d'`.log' 这样写会导致空行会重复记录上一个记录
export PROMPT_COMMAND="HistID0=\$(history 1|awk '{print \$1}'); \
lastcommand=\$(history 1|awk '{\$1=\"\" ;print}');\
login_pid=\$(who -u am i | awk '{print \$(NF-1)}')
login_ip=\$(who -u am i | awk -F '\\\(|\\\)' '{print \$2}'); \
if [ \${HistID0}x != \${HistID1}x ];then \
history 1|tail -1|sed 's/^[ ]\+[0-9]\+ //'|sed 's/$/\"}/'>> $HISTDIR/operation-`date '+%Y-%m-%d'`.log; \
HistID1=\${HistID0}; \
fi;"
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
source ~/.bashrc
# txt
vi /etc/profile.d/prompt-command.sh
if [ ! -d /var/log/operation ]
then
mkdir -p /var/log/operation
chmod -R 777 /var/log/operation
fi
export PROMPT_COMMAND="HistID0=\$(history 1|awk '{print \$1}'); \
lastcommand=\$(history 1|awk '{\$1=\"\" ;print}');\
login_pid=\$(who -u am i | awk '{print \$(NF-1)}')
login_ip=\$(who -u am i | awk -F '\\\(|\\\)' '{print \$2}'); \
if [ \${HistID0}x != \${HistID1}x ];then \
echo -E [\$(date \"+%Y/%m/%d %H:%M:%S\")] [sshpid:\${login_pid}] [fromip:\${login_ip}] [\$(id -un)@\$(hostname) \$(pwd)] \${lastcommand} >> /var/log/operation/operation-`date '+%Y-%m-%d'`.log; \
HistID1=\${HistID0}; \
fi;"
1
2
3
4
5
6
7
8
9
10
11
12
13
14
2
3
4
5
6
7
8
9
10
11
12
13
14
上次更新: 2022/10/09, 17:42:01