How to view user login and user operation information on Ubuntu


 Note: based on http://www.tuicool.com/articles/ia67Bj

How do you check user login history and user command history on Ubuntu, and trace and analyse the system logs, so that you can spot login problems and put security controls in place?

 As someone who works with Linux, you need to know the system like the back of your hand, hold the root account, and direct things from afar!

 A handful of Ubuntu commands and log files cover these needs well.


  • Use the who command to see who is currently logged in
root@chaosju-ThinkPad-SL410:/home/chaosju# who
chaosju  :0           2015-05-21 12:50 (:0)
chaosju  pts/1        2015-05-21 12:54 (:0)
  • Use the last command to see recent logins.

        As shown below, last lists each user's login time and source IP for the recent past. (Run with no arguments, last reads the file named wtmp in /var/log and prints every login recorded in it.)

root@chaosju-ThinkPad-SL410:/home/chaosju# last
chaosju  pts/1        :0               Thu May 21 12:54   still logged in   
chaosju  :0           :0               Thu May 21 12:50   still logged in   
reboot   system boot  3.13.0-32-generi Thu May 21 12:49 - 13:18  (00:28)    
chaosju  pts/27       :0               Wed May 20 23:46 - down   (00:16)    
chaosju  tty1                          Wed May 20 23:38 - down   (00:25)    
zx       pts/27       10.210.96.78     Wed May 20 23:18 - 23:26  (00:08)    
chaosju  pts/29       10.210.96.78     Wed May 20 23:17 - 23:17  (00:00)    
chaosju  pts/27       10.210.96.78     Wed May 20 23:15 - 23:17  (00:02)    
chaosju  pts/28       :0               Wed May 20 23:08 - down   (00:54)    
chaosju  pts/27       10.210.96.78     Wed May 20 22:59 - 23:13  (00:14)    
  • Use the lastlog command to see the most recent login of every user
root@chaosju-ThinkPad-SL410:/home/chaosju# lastlog 
用戶名           端口     來自             最后登陸時間
root                                       **從未登錄過**
daemon                                     **從未登錄過**
bin                                        **從未登錄過**
sys                                        **從未登錄過**
sync                                       **從未登錄過**
games                                      **從未登錄過**
man                                        **從未登錄過**
lp                                         **從未登錄過**
mail                                       **從未登錄過**
news                                       **從未登錄過**
uucp                                       **從未登錄過**

lastlog lists the login status of every account on the system: accounts that have never logged in are shown as Never logged in (rendered in the system locale above), and accounts with a login history show the source IP (or terminal) and the time of the last login.

  • Read /var/log/auth.log to analyse user logins and actions.
root@chaosju-ThinkPad-SL410:/home/chaosju#  cat /var/log/auth.log |more

May 19 10:17:01 chaosju-ThinkPad-SL410 CRON[13161]: pam_unix(cron:session): session opened for user root by (uid=0)
May 19 10:17:01 chaosju-ThinkPad-SL410 CRON[13161]: pam_unix(cron:session): session closed for user root
May 19 10:22:59 chaosju-ThinkPad-SL410 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
May 19 10:22:59 chaosju-ThinkPad-SL410 pkexec[14880]: chaosju: Executing command [USER=root] [TTY=unknown] [CWD=/home/chaosju] [COMMAND=/usr/lib/update-notifier/package-system-locked]
May 19 11:17:01 chaosju-ThinkPad-SL410 CRON[30372]: pam_unix(cron:session): session opened for user root by (uid=0)
May 19 11:17:01 chaosju-ThinkPad-SL410 CRON[30372]: pam_unix(cron:session): session closed for user root
May 19 11:38:10 chaosju-ThinkPad-SL410 polkitd(authority=local): Unregistered Authentication Agent for unix-session:c2 (system bus name :1.64, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
May 19 11:38:11 chaosju-ThinkPad-SL410 gnome-keyring-daemon[2263]: g_dbus_connection_real_closed: Remote peer vanished with error: Underlying GIOStream returned 0 bytes on an async read (g-io-error-quark, 0). Exiting.
May 19 11:38:12 chaosju-ThinkPad-SL410 lightdm: pam_unix(lightdm:session): session closed for user chaosju
May 19 11:38:14 chaosju-ThinkPad-SL410 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
May 19 11:38:14 chaosju-ThinkPad-SL410 lightdm: PAM adding faulty module: pam_kwallet.so
May 19 11:38:14 chaosju-ThinkPad-SL410 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
May 19 11:38:14 chaosju-ThinkPad-SL410 systemd-logind[483]: New session c3 of user lightdm.
May 19 11:38:14 chaosju-ThinkPad-SL410 systemd-logind[483]: Linked /tmp/.X11-unix/X0 to /run/user/112/X11-display.
May 19 11:38:15 chaosju-ThinkPad-SL410 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
May 19 11:38:15 chaosju-ThinkPad-SL410 lightdm: PAM adding faulty module: pam_kwallet.so
May 19 11:38:15 chaosju-ThinkPad-SL410 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "chaosju"
May 19 12:17:01 chaosju-ThinkPad-SL410 CRON[4366]: pam_unix(cron:session): session opened for user root by (uid=0)
May 19 12:17:01 chaosju-ThinkPad-SL410 CRON[4366]: pam_unix(cron:session): session closed for user root
May 19 13:17:01 chaosju-ThinkPad-SL410 CRON[4394]: pam_unix(cron:session): session opened for user root by (uid=0)

As shown above, auth.log lets you reconstruct users' login attempts and logout history: PAM session open/close events (including the uid that opened them), polkit/pkexec actions run as root, and authentication requirements that were not met are all recorded there.
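The manual reading of auth.log above can be turned into a small parser. This is an added example, not part of the original post: it counts PAM sessions opened and closed per user, records PAM authentication failures like the pam_succeed_if line above, and lists commands run as root through pkexec or sudo. The log lines it parses are constructed in the auth.log format; the host name and the sudo entries are assumptions.

```python
"""Summarise an Ubuntu auth.log: PAM sessions, auth failures and root-level commands."""
import re
from collections import defaultdict

# Constructed sample in the auth.log format shown above (host name and sudo lines assumed).
SAMPLE_AUTH_LOG = """\
May 19 10:17:01 host CRON[13161]: pam_unix(cron:session): session opened for user root by (uid=0)
May 19 10:17:01 host CRON[13161]: pam_unix(cron:session): session closed for user root
May 19 10:22:59 host pkexec[14880]: chaosju: Executing command [USER=root] [TTY=unknown] [CWD=/home/chaosju] [COMMAND=/usr/lib/update-notifier/package-system-locked]
May 19 11:38:15 host lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "chaosju"
May 19 11:40:02 host sudo:  chaosju : TTY=pts/1 ; PWD=/home/chaosju ; USER=root ; COMMAND=/usr/bin/apt-get update
May 19 11:40:02 host sudo: pam_unix(sudo:session): session opened for user root by chaosju(uid=1000)
"""

# pam_unix session lines: "by (uid=0)" for cron, "by chaosju(uid=1000)" for sudo.
SESSION_RE = re.compile(
    r"pam_unix\((?P<service>[\w.-]+):session\): session (?P<action>opened|closed) "
    r"for user (?P<user>\S+)(?: by (?P<by>[^\s(]*)\(uid=(?P<uid>\d+)\))?")
PAM_FAIL_RE = re.compile(
    r'pam_succeed_if\((?P<service>[^:]+):auth\): requirement "(?P<req>[^"]+)" '
    r'not met by user "(?P<user>[^"]+)"')
PKEXEC_RE = re.compile(
    r"pkexec\[\d+\]: (?P<user>\S+): Executing command \[USER=(?P<target>[^\]]+)\]"
    r".*\[COMMAND=(?P<cmd>[^\]]+)\]")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def summarize_auth_log(text):
    """Return per-user session counts, PAM auth failures and commands run as another user."""
    sessions = defaultdict(lambda: {"opened": 0, "closed": 0})
    failures, escalations = [], []
    for line in text.splitlines():
        if m := SESSION_RE.search(line):
            sessions[m["user"]][m["action"]] += 1
        elif m := PAM_FAIL_RE.search(line):
            failures.append((m["user"], m["service"], m["req"]))
        elif m := PKEXEC_RE.search(line) or SUDO_RE.search(line):
            escalations.append((m["user"], m["target"], m["cmd"]))
    # Sessions opened but never closed are still active or the log was cut: worth a look.
    dangling = {u: c["opened"] - c["closed"] for u, c in sessions.items()
                if c["opened"] != c["closed"]}
    return {"sessions": dict(sessions), "dangling": dangling,
            "auth_failures": failures, "escalations": escalations}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_auth_log(SAMPLE_AUTH_LOG), indent=2))
```

Run it against the real file with `summarize_auth_log(open("/var/log/auth.log").read())`; a user with many auth failures or an unexpected entry in escalations is the first thing to investigate.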

  • Read /home/{username}/.bash_history to see the commands a user has run. Note that this file is owned and writable by the user and is normally only written when the shell exits, so treat it as a convenience, not as tamper-resistant evidence.
root@chaosju-ThinkPad-SL410:/home/chaosju#   cat /home/chaosju/.bash_history |less

sudo apt-add-repository ppa:paolorotolo/android-studio
sudo apt-get update
sudo apt-get install android-studio
ls
cd 下載
ls
cd android-studio/
ls
cd bin/
ls
sudo ./studio.sh
find / -android-studio
find /-android-studio
find . -android-studio
dpkg -L
dpkg -L android-studio
/usr/share/doc/android-studio/
ls
cd /usr/share/doc/android-studio/
ls
dpkg -L android-studio
apt-file list android-studio
cd 下載
ls
cd android-studio/
ls
cd bin
ls
vim idea.properties
ls
gedit idea.properties~
