Part one: compile bash to implement syslog logging
1. This article enables bash's built-in history-to-syslog function by rebuilding the bash package. Every command typed at the shell is then written to syslog, and can be forwarded in real time to a central log server, which gives an audit trail of operator actions.
Operating system version: CentOS 6.5 x64
2. Install the bash source package matching CentOS 6.5
# wget http://vault.centos.org/6.5/os/Source/SPackages/bash-4.1.2-15.el6.src.rpm
# rpm -i bash-4.1.2-15.el6_4.src.rpm
# The warnings printed during installation can be ignored.
warning: bash-4.1.2-15.el6_4.src.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
...
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
warning: user mockbuild does not exist - using root
[root@localhost soft]#
When the installation is complete, the following directory structure is created under the current user's home directory.
[root@localhost ~]# pwd
/root
# ls
anaconda-ks.cfg bash-4.1.2-15.el6_4.src.rpm install.log install.log.syslog rpmbuild public template video picture document download music Desktop
[root@localhost ~]# tree rpmbuild/
rpmbuild/
├── SOURCES
│   ├── bash-2.02-security.patch
│   ├── bash-2.03-paths.patch
│   ├── bash-2.03-profile.patch
│   ├── bash-2.05a-interpreter.patch
│   ├── bash-2.05b-debuginfo.patch
│   ├── bash-2.05b-manso.patch
│   ├── bash-2.05b-pgrp_sync.patch
│   ├── bash-2.05b-readline-oom.patch
│   ├── bash-2.05b-xcc.patch
│   ├── bash-3.2-audit.patch
│   ├── bash-3.2-ssh_source_bash.patch
│   ├── bash-4.0-nobits.patch
│   ├── bash41-001
│   ├── bash41-002
│   ├── bash-4.1-bind_int_variable.patch
│   ├── bash-4.1-broken_pipe.patch
│   ├── bash-4.1-defer-sigchld-trap.patch
│   ├── bash-4.1-examples.patch
│   ├── bash-4.1-logout.patch
│   ├── bash-4.1-manpage.patch
│   ├── bash-4.1-manpage_trap.patch
│   ├── bash-4.1-signal.patch
│   ├── bash-4.1.tar.gz
│   ├── bash-4.1-trap.patch
│   ├── bash-bashbug.patch
│   ├── bash-infotags.patch
│   ├── bash-requires.patch
│   ├── bash-setlocale.patch
│   ├── bash-tty-tests.patch
│   ├── dot-bash_logout
│   ├── dot-bash_profile
│   └── dot-bashrc
└── SPECS
    └── bash.spec

2 directories, files
2. Enter the SOURCES directory and unpack the bash-4.1 source tarball, keeping a pristine copy for the diff later
[root@localhost ~]# cd /root/rpmbuild/SOURCES/
[root@localhost SOURCES]# tar zxvf bash-4.1.tar.gz
[root@localhost SOURCES]# cp -a bash-4.1 bash-4.1-orig
[root@localhost SOURCES]#
[root@localhost SOURCES]# cd bash-4.1
[root@localhost bash-4.1]#
3. Modify code snippet one
# vim config-top.h
# Uncomment line 104 and change the block to read as follows. By default the history records go to the LOG_USER facility, which rsyslog writes to /var/log/messages; changing the facility to local1 and the level to debug lets rsyslog route them to a file of our choosing.
#define SYSLOG_HISTORY
#if defined (SYSLOG_HISTORY)
#  define SYSLOG_FACILITY LOG_LOCAL1
#  define SYSLOG_LEVEL LOG_DEBUG
#endif
4. Modify code snippet two
# vim bashhist.c
# Find the block starting at line 701
701 void
702 bash_syslog_history (line)
703      const char *line;
704 {
705   char trunc[SYSLOG_MAXLEN];
706
707   if (strlen (line) < SYSLOG_MAXLEN)
708     syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d UID=%d %s", getpid(), current_user.uid, line);
709   else
710     {
711       strncpy (trunc, line, SYSLOG_MAXLEN);
712       trunc[SYSLOG_MAXLEN - 1] = '\0';
713       syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d UID=%d %s", getpid(), current_user.uid, trunc);
714     }
715 }
716 #endif
Modify it to read as follows (the parent PID, session ID and user name are added so that each command can be tied back to the login session that issued it):
void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];

  /* getsid() of the current process identifies the login session; it survives su. */
  if (strlen (line) < SYSLOG_MAXLEN)
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PPID=%d PID=%d SID=%d UID=%d USER=%s %s", getppid(), getpid(), getsid(getpid()), current_user.uid, current_user.user_name, line);
  else
    {
      /* Lines longer than SYSLOG_MAXLEN are cut and flagged as truncated. */
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PPID=%d PID=%d SID=%d UID=%d USER=%s %s", getppid(), getpid(), getsid(getpid()), current_user.uid, current_user.user_name, trunc);
    }
}
#endif
5. Generate the patch from the code changes and register it in the spec file
[root@localhost SOURCES]# diff -Npru bash-4.1-orig bash-4.1 > bash_history_syslog.patch
# cd ~/rpmbuild/SPECS/
# vim bash.spec
# Add the following two lines, one in the patch list and one in the %prep section, following the format of the existing entries, then save and exit.
Patch119: bash_history_syslog.patch
...
%patch119 -p1 -b .history_syslog
...
6. Start compiling
[root@localhost SPECS]# rpmbuild -ba bash.spec
error: Failed build dependencies:
	texinfo is needed by bash-4.1.2-15.el6.x86_64
Open a second window, install the texinfo package, then run the build again.
[root@localhost SPECS]# rpmbuild -ba bash.spec
[root@localhost SPECS]# cd ~/rpmbuild/RPMS/x86_64/
7. Install the rebuilt bash RPM package
[root@localhost ~]# cd ~/rpmbuild/RPMS/x86_64/
[root@localhost x86_64]# ls
bash-4.1.2-15.el6.x86_64.rpm bash-debuginfo-4.1.2-15.el6.x86_64.rpm bash-doc-4.1.2-15.el6.x86_64.rpm
[root@localhost x86_64]#
[root@localhost x86_64]# rpm -Uvh --force bash-4.1.2-15.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:bash                   ########################################### [100%]
[root@localhost x86_64]#
8. Configure the rsyslog service
[root@localhost x86_64]# vi /etc/rsyslog.conf
# Add the following line, which routes the local1.debug records to their own file:
local1.debug    /var/log/bash
[root@localhost x86_64]# service rsyslog restart
Shutting down system logger: [  OK  ]
Starting system logger: [  OK  ]
9. View the log. User commands are now recorded in /var/log/bash, separately from each user's history file, and the file is owned by root so only root can modify it. If a remote log server is configured, the same records are forwarded to it.
[root@localhost ~]# tail -f /var/log/bash
Apr 00:47:11 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 USER=root ifconfig
Apr 00:47:12 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 USER=root ls
Apr 00:47:13 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 USER=root df -h
Apr 00:47:15 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 USER=root history
Apr 00:47:24 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 USER=root cat /var/log/bash
Apr 01:19:47 localhost bash: HISTORY: PPID=26139 PID=26141 SID=26141 UID=0 USER=root cat /var/log/bash
Apr 01:19:57 localhost bash: HISTORY: PPID=26139 PID=26141 SID=26141 UID=0 USER=root ifconfig
Apr 01:21:07 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 USER=root ifconfig
Apr 01:21:17 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 USER=root w
Apr 01:21:20 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 USER=root df -h
Apr 01:21:33 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 USER=root useradd abc
Apr 01:21:38 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 USER=root passwd abc
Apr 01:21:42 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 USER=root su - abc
Apr 01:21:44 localhost -bash: HISTORY: PPID=26192 PID=26193 SID=26159 UID=500 USER=abc exit
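The last two lines above show why the SID field added in step 4 matters: "su - abc" starts a new bash with a new PID and UID, but the session ID stays 26159, so an auditor can stitch the root session and the abc shell back together. The following parser is an added example and is not code from the article; it reads records in the format produced by the patched bash_syslog_history(), groups them by SID and reports UID changes inside a session. The sample lines are constructed to mirror the article's /var/log/bash output.

```python
import re
from collections import defaultdict

# Record layout written by the patched bash_syslog_history() once rsyslog has
# prefixed the timestamp and host; the program name is "bash", or "-bash" for a login shell.
RECORD = re.compile(
    r"^(?P<ts>\w{3}\s+(?:\d{1,2}\s+)?\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<prog>-?bash):\s+"
    r"HISTORY(?P<trunc> \(TRUNCATED\))?:\s+PPID=(?P<ppid>\d+)\s+PID=(?P<pid>\d+)\s+"
    r"SID=(?P<sid>\d+)\s+UID=(?P<uid>\d+)\s+USER=(?P<user>\S+)\s+(?P<cmd>.*)$"
)

# Constructed sample input modelled on the article's /var/log/bash output (not real log data).
SAMPLE_LOG = """\
Apr 7 01:21:07 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 USER=root ifconfig
Apr 7 01:21:33 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 USER=root useradd abc
Apr 7 01:21:42 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 USER=root su - abc
Apr 7 01:21:44 localhost -bash: HISTORY: PPID=26192 PID=26193 SID=26159 UID=500 USER=abc id
Apr 7 01:21:50 localhost -bash: HISTORY (TRUNCATED): PPID=26192 PID=26193 SID=26159 UID=500 USER=abc echo aaaa
Apr 7 01:30:00 localhost bash: HISTORY: PPID=3001 PID=3002 SID=3002 UID=0 USER=root df -h
"""

def parse_record(line):
    """Parse one syslog line; return a dict of fields, or None for non-HISTORY lines."""
    m = RECORD.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("ppid", "pid", "sid", "uid"):
        rec[key] = int(rec[key])
    rec["truncated"] = rec.pop("trunc") is not None
    return rec

def sessions(lines):
    """Group records by SID. The session id survives 'su -', so the new bash
    started for the target user still lands in the original login session."""
    by_sid = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            by_sid[rec["sid"]].append(rec)
    return dict(by_sid)

def identity_changes(records):
    """List (from_user, to_user, command_before_switch) for each UID change within a session."""
    changes = []
    for prev, cur in zip(records, records[1:]):
        if cur["uid"] != prev["uid"]:
            changes.append((prev["user"], cur["user"], prev["cmd"]))
    return changes
```

Running sessions() over a day's /var/log/bash and then identity_changes() per session gives a per-login timeline in which every switch of identity is paired with the command that caused it.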
Part two: rsyslog log server configuration
Not yet written; to be added later.
This article is from the "Koumm Linux Technology blog" blog, be sure to keep this source http://koumm.blog.51cto.com/703525/1763145