vi /etc/profile.d/history.sh
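# history
# Per-login bash history capture: each login shell gets its own HISTFILE under
# /var/log/history/<user>/<user>@<origin>_<login time>.
# This file is sourced from /etc/profile.d for every user, so it must never
# call exit or abort the login shell: failures are reported on stderr (or
# silenced where the original did so) and the script carries on.

USER=$(whoami)
# Session origin: the last whitespace-separated column of `who -u am i`,
# presumably the "(host)" field, with the parentheses stripped.  Falls back to
# the local hostname when that yields nothing (e.g. a console login).
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ -z "$USER_IP" ]; then
  USER_IP=$(hostname)
fi

# Shared top-level directory, created by whichever user logs in first.
# Mode 1777 instead of 777: every user still has to be able to create their
# own subdirectory, but the sticky bit stops one user from renaming or
# deleting another user's history directory.
if [ ! -d /var/log/history ]; then
  mkdir -- /var/log/history && chmod 1777 /var/log/history
fi

# Per-user directory.  The original tested and chmod-ed ${LOGNAME} but
# created ${USER}; when the two differ (e.g. after su) the directory that
# HISTFILE points to below was never created and no history was written.
# $USER is used throughout so every path agrees with HISTFILE.
# Mode 300: the owner can write history files but cannot list the directory.
# The user owns it and can change that, so this is a deterrent rather than an
# audit boundary; tamper-resistant command logging needs the auditd execve
# rules instead.
if [ ! -d "/var/log/history/$USER" ]; then
  mkdir -- "/var/log/history/$USER" && chmod 300 "/var/log/history/$USER"
fi

export HISTSIZE=4096
DT=$(date +"%Y%m%d_%H:%M:%S")
export HISTFILE="/var/log/history/${USER}/${USER}@${USER_IP}_$DT"

# Tighten any history file left readable by others.  The original glob was
# `*history*`, which the file names built above never contain, so it matched
# nothing.  Note that with the directory at mode 300 the glob still cannot
# expand (no read bit); this line only has an effect on a directory that was
# later made readable.  Errors are silenced as in the original.
chmod 600 "/var/log/history/$USER"/* 2>/dev/null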
zhrun: 然后 `source /etc/profile`，用户退出后会在 /var/log/history/username/ 下生成日志，记录用户的所有操作。注意：设置各用户操作记录后，history 命令只能显示本 session 中的操作，不利于查找命令。
echo export TMOUT=600 >> /etc/profile
source /etc/profile
echo $TMOUT
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
echo ClientAliveInterval=60 >> /etc/ssh/sshd_config
service sshd restart
cat /etc/ssh/sshd_config
则客户端 60 秒无操作会断开。
1. 增加以下设置，记录所有用户登录和操作：
-a exit,always -F arch=b64 -S execve -k exec
-a exit,always -F arch=b32 -S execve -k exec
2. service auditd restart
3. 验证：添加后使用 ausearch -k exec 来列出用户操作的记录。
zhrun:
centos6 :/etc/audit/audit.rules centos7:/etc/audit/rules.d/audit.rules
-w /etc/crontab -p wa -k crontab
-w /etc/hosts -p wa -k hosts
-w /etc/hosts.allow -p wa -k hosts-allow
-w /etc/hosts.deny -p wa -k hosts-deny
-w /etc/fstab -p wa -k fstab
-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow
-w /etc/group -p wa -k group
-w /etc/gshadow -p wa -k gshadow
-w /etc/ntp.conf -p wa -k ntp （RHEL7 为 -w /etc/chrony.conf -p wa -k ntp）
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/security/limits.conf -p wa -k limits
-w /boot/grub/grub.conf -p wa -k grub （RHEL7 为 -w /boot/grub2/grub.cfg -p wa -k grub）
-w /etc/ssh/sshd_config -p wa -k ssh
-w /etc/udev/rules.d/ -p wa -k udev
-w /etc/profile -p wa -k profile
-w /etc/kdump.conf -p wa -k kdump
-w /etc/lvm/lvm.conf -p wa -k lvm
-w /etc/login.defs -p wa -k login-defs
-w /etc/rsyslog.conf -p wa -k rsyslog （RHEL5 为 -w /etc/syslog.conf -p wa -k rsyslog）
-w /etc/sysconfig/i18n -p wa -k i18n （RHEL7 为 -w /etc/locale.conf -p wa -k i18n）
-w /etc/sysconfig/network -p wa -k network
-w /etc/multipath.conf -p wa -k multipath