网上查了实现命令审计大概有以下几种:
查不到了,改天再补充
以下环境基于CentOS 6
1.修改history时间格式
echo 'HISTTIMEFORMAT="%F %T "' >> /etc/profile
2.命令审计,采用logger方式将信息记录到local1.notice
cat > /etc/profile.d/cmd_log.sh << 'EOF'
readonly PROMPT_COMMAND='{ cmd=$(history 1 | { read a b c d; echo "$d"; });msg=$(who am i |awk "{print $2,$5}");logger -i -p local1.notice "$msg $USER $PWD # $cmd"; }'
EOF
3.修改rsyslog,默认local1所有等级日志都将写到/var/log/messages,排除local1.none,单独记录到/var/log/cmd.log
sed -i 's@*.info.*@*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages@' /etc/rsyslog.conf sed -i '/^local7/a local1.notice /var/log/cmd.log' /etc/rsyslog.conf /etc/init.d/rsyslog restart
4.配置/var/log/cmd.log日志轮询,没有用/etc/logrotate.d/syslog去轮替/var/log/cmd.log,因为syslog默认周期是采用/etc/logrotate.conf每周轮替一个文件,登录系统敲打的命令没有那么多,自定义一个月时间轮替一次。
cat > /etc/logrotate.d/cmd_log << 'EOF'
/var/log/cmd.log {
monthly
rotate 12
missingok
notifempty
create 600 root root
copytruncate
}
EOF
5.打开新的session连接服务器,才能加载/etc/profile和/etc/profile.d/cmd_log.sh,随意输入几个命令后查看/var/log/cmd.log。有个小问题,有时同条命令会记录多次,不知如何排查,扔着不管了。
[hujf@PT230 ~]$ sudo su - Last login: Thu Jun 8 16:54:06 CST 2017 on pts/0 [root@PT230 ~]# tail -n8 /var/log/cmd.log Jun 8 16:54:36 PT230 hujf[3178]: pts/0 (192.168.1.150) root /root # ip a Jun 8 16:54:40 PT230 hujf[3189]: pts/0 (192.168.1.150) root /root # tail -n3 /var/log/cmd.log Jun 8 16:54:42 PT230 hujf[3196]: pts/0 (192.168.1.150) root /data # cd /data Jun 8 16:54:44 PT230 hujf[3204]: pts/0 (192.168.1.150) root /data # llllll Jun 8 16:54:46 PT230 hujf[3213]: pts/0 (192.168.1.150) root /usr/local/src # cd /usr/local/src/ Jun 8 16:54:48 PT230 hujf[3221]: pts/0 (192.168.1.150) root /usr/local/src # ppppppp Jun 8 16:54:57 PT230 hujf[3276]: pts/0 (192.168.1.150) hujf /home/hujf # sudo su - Jun 8 16:54:58 PT230 hujf[3320]: pts/0 (192.168.1.150) root /root # ppppppp