Linux logs all user operations commands to facilitate post-audit

Operations and research and development staff, login server operation is becoming more and more common, in order to secure, it is necessary to log on every operation of the system, in order to facilitate later understanding, mastery, audit.

Simple workaround:

Modify The/etc/profile file and add the following at the end:

histfilesize=2000

histtimeformat= "%y%m%d-%h%m ' WhoAmI '"

Save the file, exit, enter Source/etc/profile, let the environment take effect, or exit the terminal and log in again.

view commands, enter history at the terminal to see the

650) this.width=650; "src=" http://s5.51cto.com/wyfs02/M02/79/42/wKioL1aMz0TCBPqjAALT5VHMTE0509.jpg "title=" 11.jpg "alt=" Wkiol1amz0tcbpqjaalt5vhmte0509.jpg "/>

But there's a problem here because it's just a record of time and order, no log logged IP address, late audit is not convenient, in order to prevent the above situation, can be in the/etc/profile file, to improve, the following two commands removed, with new content to fill.

histfilesize=2000

histtimeformat= "%y%m%d-%h%m ' WhoAmI '"

The new content is:

# # Add by LGH2 at 2016-01-06

#history

Export histtimeformat= "[%y%m%d-%h%m-:%s]"

user_ip= ' who-u am I 2>/dev/null| awk ' {print$nf} ' |sed-e ' s/[()]//g '

Histdir=/var/log/.hist

If [-Z $USER _ip]

Then

User_ip= ' hostname '

Fi

if [!-D $HISTDIR]

Then

Mkdir-p$histdir

chmod 777$histdir

Fi

if [!-D $HISTDIR/${logname}]

Then

Mkdir-p $HISTDIR/${logname}

chmod 300$histdir/${logname}

Fi

Export histsize=4096

dt= ' Date +%y%m%d_%h%m%s '

Exporthistfile= "$HISTDIR/${logname}/${user_ip}.hist. $DT"

chmod $HISTDIR/${logname}/*.hist* 2>/dev/null

# # #end by LGH2

Explanation: All operation command records are stored in the/var/log/.hist/{ user }/ directory, even if the same terminal several different windows, when the window exits or closes, the user directory will produce a file, Multiple Windows produce multiple files, and finally you can see the history of the files as soon as they are viewed.

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/79/43/wKiom1aMzzzD5Hj7AABnkPQmzzs355.png "title=" 33.png "alt=" Wkiom1amzzzd5hj7aabnkpqmzzs355.png "/>

command is recorded, but from a security point of view, if he is clear, all operations are recorded, it is possible to enter the log records directory, file deletion or file modification, it is necessary to upload these files to the Log collection server in a timely manner, preferably a background real-time monitoring process, the directory under the file changes, Directly trigger the synchronization operation, the file timely synchronization to the Log collection server, the network also has all the records in real-time through the log process syslog, the log sent to the log server in real time.

Linux logs all user operations commands to facilitate post-audit