How root can view the command history of all users on Linux


Reposted from https://blog.csdn.net/qq_27786919/article/details/91353351

1. Create the directory for the user audit log file:
mkdir -p /var/log/usermonitor/

2. Create the user audit log file:
echo usermonitor >/var/log/usermonitor/usermonitor.log

3. Give ownership of the log file to a minimally privileged user:
chown nobody:nobody /var/log/usermonitor/usermonitor.log

4. Grant everyone write permission on the log file:
chmod 002 /var/log/usermonitor/usermonitor.log

5. Set the file attribute so that all users can only append to the file:
chattr +a /var/log/usermonitor/usermonitor.log


6. Edit /etc/profile and add any one of the following snippets:

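Code 1:
export HISTORY_FILE=/var/log/usermonitor/usermonitor.log
# Logs: timestamp, login user/tty/source host (from "who am i"), uid, and the last command.
# printf is used so that a "%" in the logged command is not parsed as a date format.
export PROMPT_COMMAND='{ printf "%s ##### %s  #### %s #### %s\n" "$(date "+%y-%m-%d %T")" "$(who am i | awk "{print \$1\" \"\$2\" \"\$5}")" "$(id | awk "{print \$1}")" "$(history 1 | { read -r x cmd; echo "$cmd"; })"; } >>"$HISTORY_FILE"'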

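Code 2:
HISTTIMEFORMAT="%Y%m%d-%H%M%S: "
export HISTTIMEFORMAT
export HISTORY_FILE=/var/log/usermonitor/usermonitor.log
# logger sends each record to syslog (facility local1, priority notice, tag bash);
# it prints nothing to stdout, so the >> redirection adds nothing to $HISTORY_FILE.
# With HISTTIMEFORMAT set, the logged command is prefixed with its timestamp.
export PROMPT_COMMAND='{ command=$(history 1 | { read -r x y; echo "$y"; }); logger -p local1.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; } >>"$HISTORY_FILE"'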

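Code 3:
export HISTORY_FILE=/var/log/usermonitor/usermonitor.log
# Logs: timestamp, user, SSH client, tty, parent PID, working directory, and the last command.
# printf is used so that a "%" in the logged command is not parsed as a date format.
export PROMPT_COMMAND='{ printf "%s ##### USER:%s IP:%s PS:%s ppid=%s pwd=%s  #### %s\n" "$(date "+%Y-%m-%d %T")" "$USER" "$SSH_CLIENT" "$SSH_TTY" "$PPID" "$PWD" "$(history 1 | { read -r x cmd; echo "$cmd"; })"; } >>"$HISTORY_FILE"'

7. Apply the configuration:
source /etc/profile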

8. View the log:

cat /var/log/usermonitor/usermonitor.log
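
Records written in the Code 3 layout can be split back into fields when reviewing the log. The following is an added example, not part of the original post: a POSIX shell/awk parser run over constructed sample lines. The function names, the sample users and addresses, and the REVIEW keyword list are assumptions.

```shell
#!/bin/sh
# Added example: parse "Code 3" records of the form
#   DATE TIME ##### USER:u IP:ip sport dport PS:tty ppid=n pwd=dir  #### command

# Constructed sample log (not from a real system). The first line is the
# "usermonitor" marker written when the file was created in step 2.
sample_log() {
cat <<'EOF'
usermonitor
2024-05-01 10:00:01 ##### USER:alice IP:192.0.2.10 50122 22 PS:/dev/pts/0 ppid=2211 pwd=/home/alice  #### ls -l
2024-05-01 10:00:09 ##### USER:alice IP:192.0.2.10 50122 22 PS:/dev/pts/0 ppid=2211 pwd=/home/alice  #### cat /var/log/usermonitor/usermonitor.log
2024-05-01 10:02:30 ##### USER:bob IP:198.51.100.7 40001 22 PS:/dev/pts/1 ppid=2300 pwd=/tmp  #### echo "a #### b"
2024-05-01 10:03:00 ##### USER:root IP: PS: ppid=1 pwd=/root  #### echo $PROMPT_COMMAND
EOF
}

# Emit: timestamp <TAB> user <TAB> source IP <TAB> flag <TAB> command
parse_usermonitor() {
  awk '
  {
    m = index($0, " ##### ")
    if (m == 0) next                      # header line or continuation text
    rest = substr($0, m + 7)
    c = index(rest, " #### ")             # first separator; later ones belong to the command
    if (c == 0) next                      # malformed record
    ts   = substr($0, 1, m - 1)
    meta = substr(rest, 1, c - 1)
    cmd  = substr(rest, c + 6)
    user = meta; sub(/^USER:/, "", user); sub(/ IP:.*/, "", user)
    ip = meta; sub(/^USER:[^ ]* IP:/, "", ip); sub(/ .*/, "", ip)
    if (ip == "") ip = "-"                # SSH_CLIENT is empty for local logins
    # Assumed keyword list: commands that touch the audit mechanism itself.
    flag = (cmd ~ /usermonitor|PROMPT_COMMAND|HISTORY_FILE|chattr/) ? "REVIEW" : "ok"
    printf "%s\t%s\t%s\t%s\t%s\n", ts, user, ip, flag, cmd
  }'
}

# Only the records marked for review.
flagged() {
  parse_usermonitor | awk -F "\t" '$4 == "REVIEW"'
}

sample_log | flagged
```

On a real system, feed the log to the parser as root, for example `parse_usermonitor < /var/log/usermonitor/usermonitor.log`.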

