Implementing command auditing on Linux with PROMPT_COMMAND
Posted by zibb
Searching online, I found roughly the following methods of implementing command auditing:
I can't find them again; I'll add them another day.
The environment below is CentOS 6.
```bash
# history timestamp format
sed -i '/^HISTSIZE/a HISTTIMEFORMAT="%F %T "' /etc/profile

# command auditing: log every interactive command via syslog facility local1
cat > /etc/profile.d/cmd_log.sh << 'EOF'
readonly PROMPT_COMMAND='{ cmd=$(history 1 | { read a b c d; echo "$d"; });msg=$(who am i |awk "{print \$2,\$5}");logger -i -p local1.notice "$msg $USER $PWD # $cmd"; }'
EOF

# modify rsyslog: keep local1 out of /var/log/messages, send it to /var/log/cmd.log
# (the sed expression was mangled by e-mail obfuscation in the scraped copy; the
# pattern and the /var/log/messages target are reconstructed from the CentOS 6 default rule)
sed -i 's@^\*\.info.*@*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages@' /etc/rsyslog.conf
sed -i '/^local7/a local1.notice /var/log/cmd.log' /etc/rsyslog.conf
/etc/init.d/rsyslog restart

# cmd.log log rotation
cat > /etc/logrotate.d/cmd_log << 'EOF'
/var/log/cmd.log {
    monthly
    missingok
    rotate 12
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
EOF
```
The /etc/logrotate.d/syslog rule is not used above to rotate /var/log/cmd.log, because the syslog rules inherit the default schedule from /etc/logrotate.conf and rotate once a week; the commands typed in login sessions are not that numerous, so a custom rule rotates the file once a month instead.
```
[root@<host> ~]# cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
[root@<host> ~]# head /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create
```
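To check what the hook actually records before rolling it out, the field handling of the PROMPT_COMMAND above (the `read a b c d` split of `history 1` and the `awk '{print $2,$5}'` of `who am i`) is reproduced here as testable functions, together with a parser for the resulting /var/log/cmd.log lines. This is an added example, not code from the original post; the hostname, TTY, IP address and timestamps in the sample inputs are constructed, and the log line layout assumes rsyslog's traditional file format with the default `logger` tag (login name plus PID).

```bash
#!/bin/bash
# Added example (not from the original post). Sample inputs are constructed.

# Mirror of the hook body. Arguments: the output of `history 1` (with
# HISTTIMEFORMAT="%F %T " set, so the fields are: number, date, time, command),
# the output of `who am i`, $USER and $PWD. Returns the message the hook logs.
build_audit_msg() {
    local hist_line="$1" who_line="$2" user="$3" cwd="$4"
    local cmd msg
    # read a b c d: a=history number, b=date, c=time, d=everything that is left,
    # i.e. the whole command line including its spaces
    cmd=$(printf '%s\n' "$hist_line" | { read -r a b c d; printf '%s' "$d"; })
    # who am i: "user tty date time (origin)"; the hook keeps tty ($2) and origin ($5)
    msg=$(printf '%s\n' "$who_line" | awk '{print $2,$5}')
    printf '%s %s %s # %s\n' "$msg" "$user" "$cwd" "$cmd"
}

# Parse one line as rsyslog writes it to /var/log/cmd.log (assumed traditional
# format: "Mon DD HH:MM:SS host user[pid]: tty (origin) user cwd # command")
# and print one field: tty, origin, user, cwd or cmd.
cmd_log_field() {
    local line="$1" field="$2"
    case "$field" in
        # the command is everything after the first " # " separator
        cmd)    printf '%s\n' "${line#* # }" ;;
        tty)    printf '%s\n' "$line" | awk '{print $6}' ;;
        origin) printf '%s\n' "$line" | awk '{print $7}' | tr -d '()' ;;
        user)   printf '%s\n' "$line" | awk '{print $8}' ;;
        cwd)    printf '%s\n' "$line" | awk '{print $9}' ;;
        *)      return 1 ;;
    esac
}

# Constructed sample run, printed when the script is executed directly
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    build_audit_msg '  123  2024-03-03 10:15:01 ls -la /etc' \
        'root     pts/0        2024-03-03 10:14 (192.168.1.10)' root /root
    sample='Mar  3 10:15:01 web01 root[4321]: pts/0 (192.168.1.10) root /root # ls -la /etc'
    for f in tty origin user cwd cmd; do
        printf '%-6s %s\n' "$f" "$(cmd_log_field "$sample" "$f")"
    done
fi
```

Only interactive bash sessions that source /etc/profile run the hook, so this log complements rather than replaces auditd or session recording.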