1, Cause
Recently some files on a Linux server were tampered with. We wanted to trace who did it, but no record could be found, so a way of recording every user's operations was needed.
Normally we rely on history for this, but history has a flaw: by default it keeps only 1000 lines. You can of course edit /etc/profile and raise that from 1000 to 1000000 lines, but that is still a very coarse approach, and it records nothing about where the commands came from, such as the source IP address, the time of the operation or the user who ran it.
So we have to write our own code to implement such a function.
2, Automatic recording script
Write the following script:
# history
USER=$(whoami)
# Source of the login: the last field of "who -u am i" is the remote host or IP in parentheses
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
# Local (console) logins have no remote address, so fall back to the hostname
if [ "$USER_IP" = "" ]; then
    USER_IP=$(hostname)
fi
# Log root; made world-writable so that every login user can create its own subdirectory
if [ ! -d /var/log/history ]; then
    mkdir /var/log/history
    chmod 777 /var/log/history
fi
# Per-user directory; mode 300 lets the owner create new files but not list or read back old ones
if [ ! -d /var/log/history/${LOGNAME} ]; then
    mkdir /var/log/history/${LOGNAME}
    chmod 300 /var/log/history/${LOGNAME}
fi
export HISTSIZE=4096
DT=$(date +"%Y%m%d_%H:%M:%S")
# One history file per login session, named user@source_date_time
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null
This script is appended to the end of the /etc/profile file. By default the root directory of the log files is /var/log/history, and this directory has to be initialised beforehand. From the line export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT" you can see that the log path is /var/log/history/${LOGNAME}, so a subdirectory has to be created in advance for every user, one directory per user, and each directory has to be chowned to the user it belongs to.
Each time a user logs in and then logs out, a file named after the user name, login IP address and login time is generated, and it contains all of the commands that user ran in that session.
3, Creating the initialisation directories
First look at /home to see how many users there are:
[root@host history]# ll
total 28
drwxr-xr-x 2 adminuser adminuser 4096 Nov 17 21:53 adminuser
drwxr-xr-x 2 fastdfs   fastdfs   4096 Nov 17 21:53 fastdfs
drwxr-xr-x 2 loguser   loguser   4096 Nov 17 19:43 loguser
drwxr-xr-x 2 nginx     nginx     4096 Nov 17 20:54 nginx
d-wx------ 2 root      root      4096 Nov 17 21:53 root
drwxr-xr-x 2 tomcat    tomcat    4096 Nov 17 19:42 tomcat
drwxr-xr-x 2 zabbix    zabbix    4096 Nov 17 19:42 zabbix
[root@host history]#
Then create the initial directories, one per user, and hand each one over to its user:
[root@host log]# mkdir /var/log/history/fastdfs
[root@host history]# chown fastdfs:fastdfs fastdfs -R
[root@host log]# mkdir /var/log/history/tomcat
[root@host log]# chown -R tomcat:tomcat /var/log/history/tomcat
[root@host log]# mkdir /var/log/history/zabbix
[root@host log]# chown -R zabbix:zabbix /var/log/history/zabbix
[root@host log]# mkdir /var/log/history/loguser
[root@host log]# chown -R loguser:loguser /var/log/history/loguser
[root@host log]# mkdir /var/log/history/adminuser
[root@host log]# chown -R adminuser:adminuser /var/log/history/adminuser
4, User login verification
Log in as one of the users, fastdfs, and run a few commands:
[adminuser@host ~]$ sudo -i
[sudo] password for adminuser:
[root@host ~]# su - fastdfs
[fastdfs@host ~]$ cp test1.log test3.log
[fastdfs@host ~]$ echo "Test 1" > test3.log
[fastdfs@host ~]$ echo '1' >> test3.log
[fastdfs@host ~]$ echo '2' >> test3.log
[fastdfs@host ~]$ echo '3' >> test3.log
[fastdfs@host ~]$ more test3.log
Test 1
1
2
3
[fastdfs@host ~]$
Then log the user out, log back in and look at the log directory /var/log/history/fastdfs/ for the latest record. Each time a user logs in and out, one log file is saved:
# Go to the log directory
[root@host fastdfs]# cd /var/log/history/fastdfs/
# View the two operation log records
[root@host fastdfs]# ll
total 8
-rw------- 1 fastdfs fastdfs     Nov 17 21:53 fastdfs@<ip>_20161117_21:53:16
-rw------- 1 fastdfs fastdfs 139 Nov 17 21:59 fastdfs@<ip>_20161117_21:56:47
# Open the log of the session just finished
[root@host fastdfs]# more fastdfs@<ip>_20161117_21:56:47
cp test1.log test3.log
echo "Test 1" > test3.log
echo '1' >> test3.log
echo '2' >> test3.log
echo '3' >> test3.log
more test3.log
exit
[root@host fastdfs]#
PS: You can see that the recorded log matches the commands we actually ran, which shows that the function we wanted is in place.
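As an added example (not from the original post), a small POSIX shell report that walks the /var/log/history tree and parses the user@source_date_time file names the profile snippet produces; it parses from the right so that it still works when USER_IP fell back to a hostname containing underscores. The log tree it reads is constructed inline under a temporary directory, with example addresses and file contents.

```shell
#!/bin/sh
# Summarise the per-session history files written by the /etc/profile snippet.
# File names follow ${USER}@${USER_IP}_YYYYmmdd_HH:MM:SS (see section 2).
# Added example, not part of the original post; the log tree under $LOGROOT
# is constructed here for demonstration.

# parse_histname FILE -> prints "user source day time" for one history file name.
# Parse from the right: the source may be a hostname with underscores when
# "who -u am i" gave no address and the profile script fell back to $(hostname).
parse_histname() {
    name=$(basename "$1")
    user=${name%%@*}        # text before the first '@'
    rest=${name#*@}         # source_YYYYmmdd_HH:MM:SS
    stamp=${rest##*_}       # HH:MM:SS
    rest=${rest%_*}         # source_YYYYmmdd
    day=${rest##*_}         # YYYYmmdd
    src=${rest%_*}          # source IP or hostname (may itself contain '_')
    printf '%s %s %s %s\n' "$user" "$src" "$day" "$stamp"
}

# report_history ROOT -> one line per session: user source day time command_count
report_history() {
    for f in "$1"/*/*; do
        [ -f "$f" ] || continue
        parse_histname "$f" | while read -r user src day stamp; do
            printf '%s %s %s %s %s\n' "$user" "$src" "$day" "$stamp" "$(grep -c . "$f")"
        done
    done
}

# count_sessions ROOT USER -> number of recorded login sessions for USER
count_sessions() {
    report_history "$1" | awk -v u="$2" '$1 == u' | wc -l | tr -d ' '
}

# --- constructed sample log tree (not real server output) ---
LOGROOT=$(mktemp -d)
trap 'rm -rf "$LOGROOT"' EXIT
mkdir -p "$LOGROOT/fastdfs" "$LOGROOT/tomcat"
printf 'exit\n' > "$LOGROOT/fastdfs/fastdfs@192.0.2.10_20161117_21:53:16"
printf 'cp test1.log test3.log\necho "Test 1" > test3.log\nexit\n' \
    > "$LOGROOT/fastdfs/fastdfs@192.0.2.10_20161117_21:56:47"
printf 'ls\nexit\n' > "$LOGROOT/tomcat/tomcat@srv_test_1_20161118_09:00:00"

report_history "$LOGROOT"
```

Because HISTFILE and HISTSIZE are ordinary environment variables under the login user's control, treat these files as a convenience record rather than a tamper-proof audit trail; for accountability that survives a hostile user, pair them with kernel-level auditing such as auditd or pam_tty_audit.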
Reference article: http://www.heminjie.com/system/linux/412.html
Linux logs a detailed log of all user logins and actions