Recording the operation history of all Linux users by login IP address

Source: Internet
Author: User

To review what a Linux user has done, the history command is generally used. However, if important data is deleted by mistake, the history command is of little use. So how can we keep a record of past operations?

In fact, we can record the operation history of every user who logs in, keyed by the IP address they logged in from. To do so, add the following script code to the end of the /etc/profile configuration file:

[root@server ~]# cat >> /etc/profile << 'EOF'
>
> # history
> # Name of the current user
> USER=`whoami`
> # Address the session came from: last field of "who -u am i", parentheses stripped
> USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
> # No remote address (for example a local console login): use the hostname instead
> if [ "$USER_IP" = "" ]; then
>     USER_IP=`hostname`
> fi
> # Top-level directory that holds every user's records
> if [ ! -d /tmp/history ]; then
>     mkdir /tmp/history
>     chmod 777 /tmp/history
> fi
> # Per-user directory: write and search only, so its contents cannot be listed
> if [ ! -d /tmp/history/${LOGNAME} ]; then
>     mkdir /tmp/history/${LOGNAME}
>     chmod 300 /tmp/history/${LOGNAME}
> fi
> export HISTSIZE=4096
> # One history file per login, named user@address_history.timestamp
> DT=`date +"%Y-%m-%d_%H:%M:%S"`
> export HISTFILE="/tmp/history/${LOGNAME}/${USER}@${USER_IP}_history.$DT"
> chmod 600 /tmp/history/${LOGNAME}/*history* 2>/dev/null
>
> EOF
[root@server ~]# source /etc/profile
[root@server ~]# logout
# Log out of the system and log in again. The records are now written under the /tmp/history/ directory.
As the script above shows, a new history directory (the location can be customized) is created under /tmp, and every user who logs in to the system is recorded there together with the IP address the login came from. This is also one of the methods for monitoring system security. After performing a series of operations, go to the /tmp/history directory to view the history:
[root@server ~]# cd /tmp
[root@server tmp]# ll
total 24
drwx------ 2 root 4096 2012-10-11 gconfd-root
drwxrwxrwx 3 root 4096 2012-10-11 history
drwx------ 2 root 4096 08-11 keyring-Ki8IOJ
srwxr-xr-x 1 root 0 2012-10-11 mapping-root
srw------- 1 root 0 2012-10-11 scim-panel-socket:0-root
drwx------ 2 root 4096 ssh-jPPigl3182
drwx------ 2 root 4096 10-10 ssh-KDmPtr3350
[root@server tmp]# cd history/
[root@server history]# ll
total 4
d-wx------ 2 root 4096 10-10 21:16 root
[root@server history]# cd root/
[root@server root]# ll
total 4
-rw------- 1 root 37 10-10 root@192.168.1.96_history.2012-10-10_21:16:42
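
A check an administrator can run over the resulting tree, as an added example that is not part of the original article: because /tmp/history is created with mode 777, it flags entries whose type, mode or name differs from what the profile snippet produces. The function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not part of the article. Audits the tree written by the profile snippet.
# Assumed layout: ROOT/<LOGNAME>/<USER>@<IP-or-hostname>_history.<YYYY-MM-DD_HH:MM:SS>
# Requires GNU stat. Run as root: the mode-300 user directories cannot be listed otherwise.

# Print "user source timestamp" for a history file name; non-zero status if it does not match.
parse_history_name() {
    printf '%s\n' "${1##*/}" | sed -n -E \
        's/^([^@]+)@(.+)_history\.([0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}:[0-9]{2}:[0-9]{2})$/\1 \2 \3/p' |
        grep .
}

# Print a WARN line and record that something was flagged (rc belongs to the caller).
warn() { echo "WARN $*"; rc=1; }

# Walk ROOT (default /tmp/history): one SESSION line per well-formed file, one WARN line
# per anomaly. Returns 1 if anything was flagged, 0 otherwise.
audit_history_tree() {
    local root="${1:-/tmp/history}" dir f owner mode parsed rc=0
    for dir in "$root"/*; do
        [ -e "$dir" ] || [ -L "$dir" ] || continue    # empty tree: the glob did not expand
        owner=${dir##*/}
        # The parent is world-writable, so entries can be planted or swapped for symlinks.
        if [ -L "$dir" ] || [ ! -d "$dir" ]; then warn "$dir is not a real directory"; continue; fi
        mode=$(stat -c %a "$dir")
        [ "$mode" = 300 ] || warn "$dir mode $mode, expected 300"
        for f in "$dir"/*; do
            [ -e "$f" ] || [ -L "$f" ] || continue
            if [ -L "$f" ] || [ ! -f "$f" ]; then warn "$f is not a regular file"; continue; fi
            mode=$(stat -c %a "$f")
            [ "$mode" = 600 ] || warn "$f mode $mode, expected 600"
            parsed=$(parse_history_name "$f") || { warn "$f has an unexpected name"; continue; }
            # The snippet names the directory after $LOGNAME and the file after whoami.
            [ "${parsed%% *}" = "$owner" ] || warn "$f names user ${parsed%% *} inside $owner/"
            echo "SESSION $parsed $(($(wc -c < "$f"))) bytes"
        done
    done
    return "$rc"
}
```

Call `audit_history_tree` with no argument to check /tmp/history, or pass another root if the directory was customized.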