網上查了實現命令審計大概有以下幾種:
查不到了,改天再補充
以下環境基於CentOS 6
1.修改history時間格式
echo 'HISTTIMEFORMAT="%F %T "' >> /etc/profile
2.命令審計,采用logger方式將信息記錄到local1.notice
cat > /etc/profile.d/cmd_log.sh << 'EOF'
readonly PROMPT_COMMAND='{ cmd=$(history 1 | { read a b c d; echo "$d"; });msg=$(who am i |awk "{print \$2,\$5}");logger -i -p local1.notice "$msg $USER $PWD # $cmd"; }'
EOF
3.修改rsyslog,默認local1所有等級日志都將寫到/var/log/messages,排除local1.none,單獨記錄到/var/log/cmd.log
sed -i 's@*\.info.*@*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages@' /etc/rsyslog.conf sed -i '/^local7/a local1.notice /var/log/cmd.log' /etc/rsyslog.conf /etc/init.d/rsyslog restart
4.配置/var/log/cmd.log日志輪詢,沒有用/etc/logrotate.d/syslog去輪替/var/log/cmd.log,因為syslog默認周期是采用/etc/logrotate.conf每周輪替一個文件,登錄系統敲打的命令沒有那么多,自定義一個月時間輪替一次。
cat > /etc/logrotate.d/cmd_log << 'EOF'
/var/log/cmd.log {
monthly
rotate 12
missingok
notifempty
create 600 root root
copytruncate
}
EOF
5.打開新的session連接服務器,才能加載/etc/profile和/etc/profile.d/cmd_log.sh,隨意輸入幾個命令后查看/var/log/cmd.log。有個小問題,有時同條命令會記錄多次,不知如何排查,扔着不管了。
[hujf@PT230 ~]$ sudo su - Last login: Thu Jun 8 16:54:06 CST 2017 on pts/0 [root@PT230 ~]# tail -n8 /var/log/cmd.log Jun 8 16:54:36 PT230 hujf[3178]: pts/0 (192.168.1.150) root /root # ip a Jun 8 16:54:40 PT230 hujf[3189]: pts/0 (192.168.1.150) root /root # tail -n3 /var/log/cmd.log Jun 8 16:54:42 PT230 hujf[3196]: pts/0 (192.168.1.150) root /data # cd /data Jun 8 16:54:44 PT230 hujf[3204]: pts/0 (192.168.1.150) root /data # llllll Jun 8 16:54:46 PT230 hujf[3213]: pts/0 (192.168.1.150) root /usr/local/src # cd /usr/local/src/ Jun 8 16:54:48 PT230 hujf[3221]: pts/0 (192.168.1.150) root /usr/local/src # ppppppp Jun 8 16:54:57 PT230 hujf[3276]: pts/0 (192.168.1.150) hujf /home/hujf # sudo su - Jun 8 16:54:58 PT230 hujf[3320]: pts/0 (192.168.1.150) root /root # ppppppp