linux 记录所有用户操作行为包括访问ip

Posted 2022-11-05 热心市民刘先生♛

vi init_histroy.sh

sudo mkdir -p /var/log/usermonitor/
sudo echo usermonitor >/var/log/usermonitor/usermonitor.log
sudo chown nobody:nobody /var/log/usermonitor/usermonitor.log
sudo chmod 002 /var/log/usermonitor/usermonitor.log
sudo chattr +a /var/log/usermonitor/usermonitor.log

echo "" >> /etc/profile
echo "export HISTORY_FILE=/var/log/usermonitor/usermonitor.log" >> /etc/profile
echo export PROMPT_COMMAND=' date "+%y-%m-%d %T ##### $(who am i |awk "print \\$1\\" \\"\\$2\\" \\"\\$5")  #### $(id|awk "print \\$1") #### $(history 1 |  read x cmd; echo "$cmd"; )";  >>$HISTORY_FILE' >> /etc/profile
source /etc/profile
cat /var/log/usermonitor/usermonitor.log

1.创建用户审计文件存放目录和审计日志文件 ；
mkdir -p /var/log/usermonitor/

2.创建用户审计日志文件；
echo usermonitor >/var/log/usermonitor/usermonitor.log

3.将日志文件所有者赋予一个最低权限的用户；
chown nobody:nobody /var/log/usermonitor/usermonitor.log

4.给该日志文件赋予所有人的写权限；
chmod 002 /var/log/usermonitor/usermonitor.log

5.设置文件权限,使所有用户对该文件只有追加权限 ；
chattr +a /var/log/usermonitor/usermonitor.log

6.编辑/etc/profile文件，添加如下任意脚本命令；

代码1：

export HISTORY_FILE=/var/log/usermonitor/usermonitor.log
export PROMPT_COMMAND=' date "+%y-%m-%d %T ##### $(who am i |awk "print \\$1\\" \\"\\$2\\" \\"\\$5")  #### $(id|awk "print \\$1") #### $(history 1 |  read x cmd; echo "$cmd"; )";  >>$HISTORY_FILE'

代码2：

HISTTIMEFORMAT="%Y%m%d-%H%M%S: "
export HISTTIMEFORMAT
export HISTORY_FILE=/var/log/usermonitor/usermonitor.log
export PROMPT_COMMAND=' command=$(history 1 |  read x y; echo $y; ); logger -p local1.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command";  >>$HISTORY_FILE'

代码3：

export HISTORY_FILE=/var/log/usermonitor/usermonitor.log
PROMPT_COMMAND=' date "+%Y-%m-%d %T ##### USER:$USER IP:$SSH_CLIENT PS:$SSH_TTY ppid=$PPID pwd=$PWD  #### $(history 1 |  read x cmd; echo "$cmd"; )"; >>$HISTORY_FILE'

7.使配置生效
source /etc/profile

8、查看日志

cat /var/log/usermonitor/usermonitor.log