Logs of all Linux user logon operations are recorded by logging on to the IP address
Source: Internet
Author: User
Log on to the IP address to record the logs of all Linux user logon operations. for Linux user operation records, the command history is generally used to view the historical records, however, if important data is deleted due to misoperations, The history Command will not be useful. So there will still be history...
Log on to the IP address to record the logs of all Linux user logon operations. for Linux user operation records, the command history is generally used to view the historical records. However, if the records are deleted due to misoperations
In the case of important data, the history command will not be useful. What should we do if we still have Historical operation records?
? In fact, we can log on to www.2cto.com by logging on to the IP address to record the historical operations of all user logon operations! The specific operation is in the/etc/profile
Add the following script code to the end of the configuration file: [root @ server ~] # Cat>/etc/profile <EOF> history> USER = 'whoam'> USER_IP = 'who-u am I 2>/dev/null | awk' {print $ NF} '| sed-e's/[()] // g''> if ["$ USER_IP" = ""]; then> USER_IP = 'hostname'> fi> if [! -D/tmp/history]; then> mkdir/tmp/history> chmod 777/tmp/history> fi> if [! -D/tmp/history/$ {LOGNAME}]; then> mkdir/tmp/history/$ {LOGNAME}> chmod 300/tmp/history/$ {LOGNAME}> fi> export HISTSIZE = 4096> DT = 'date +" % Y-% m-% d _ % H: % M: % S "'> export HISTFILE ="/tmp/history/$ {LOGNAME}/$ {USER }@$ {USER_IP} _ history. $ DT "> chmod 600/tmp/history/$ {LOGNAME}/* history * 2>/dev/null> EOF [root @ server ~] # Source/etc/profile [root @ server ~] # Logout # log out of the system and log on again. The logs are recorded in the/tmp/history/directory.
The above script code shows that a new history Directory (which can be customized) is created under/tmp of the system ), all users and IP addresses that have logged on to the system are recorded in the directory. this is also one of the methods for monitoring system security. After a series of operations, go to the/tmp/history directory to view the historical records: www.2cto.com [root @ server ~] # Cd/tmp [root @ server tmp] # ll total 24drwx ------ 2 root 4096 2012-10-11 gconfd-rootdrwxrwxrwx 3 root 4096 2012-10-11 historydrwx ------ 2 root 4096 08-11 0keyring-Ki8IOJsrwxr-xr-x 1 root 0 2012-10-11 mapping-rootsrw ------- 1 root 0 2012-10-11 scim-panel-socket: 0-rootdrwx ------ 2 root 4096 2012-10-11 ssh-jPPigl3182drwx ------ 2 root 4096 10-10 ssh-KDmPtr3350 [root @ server tmp] # cd history/[root @ server history] # ll total 4d-wx ------ 2 root 4096 10-10 root [root @ server history] # cd root/[root @ server root] # ll total 4-rw ------- 1 root 37 10-10 root@192.168.1.96_history.2012-10-10_21: 16: 42
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
