Linux system monitoring: recording user operation trails, or who touched the server

Source: Internet
Author: User
Tags linux script command

1. Preface

In real work we have all run into mistaken operations: files deleted by accident, configuration files modified by mistake, and so on. For a company without a bastion (jump) host it is very hard to find out who modified or deleted a configuration file on a Linux system, especially in the "drop the database and run" case. You can of course check the command history, but if it has been wiped, is there really no way to see who edited a given file with Vim during a given time period?

So is there a way to see these operations? Certainly. The Linux script command is powerful enough for our needs: script records a terminal session, and any system newer than Linux 6.3 ships the script command. Below I test on CentOS 7.


2. Configuration

2.1 Verify that the script command exists (it is present on my system)

[root@host ~]# which script
/usr/bin/script


2.2 Edit /etc/profile and add the following at the end:

[root@host ~]# vim /etc/profile
if [ $UID -ge 0 ]; then
    exec /usr/bin/script -t 2>/var/log/script/$USER-$UID-`date +%Y%m%d%H%M`.date -a -f -q /var/log/script/$USER-$UID-`date +%Y%m%d%H%M`.log
fi

Parameters:
-t  write timing data (needed for playback) to standard error, which is why it is redirected with 2> into the .date file
-f  flush output after each write, so the log file can be read while the session is still running. PS: handy for teaching; from a second terminal the log can be followed in real time (for example with tail -f)
-a  append to the output file instead of overwriting existing content
-q  run the script command in quiet mode (no start/done banners)


Description

Every operation a user performs after login is recorded under /var/log/script/*.log (choose the log directory yourself); the logs in that directory can be viewed with more, vi and similar commands.


Attention:

    • I record every user whose UID is greater than or equal to 0 here. Log in again as any user, run a few commands and look at the files that get generated.

    • The root user's UID is 0 and new ordinary users start from UID 500 (cat /etc/passwd shows each user's UID). If you do not want to record root's operations, change the value in the if condition to 500: if [ $UID -ge 500 ];


2.3 Create the directory and grant permissions

Do you think you are done once the if statement is in /etc/profile? The directory has not been created yet:

[root@host ~]# mkdir /var/log/script
# better to give it 777 permissions; I used 744 and it also worked
[root@host ~]# chmod 777 /var/log/script/


2.4 Make the change take effect

[root@host ~]# source /etc/profile
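Steps 2.2 to 2.4 can be packaged into one installer. The following is an added example, not the original post's code: it drops the snippet into /etc/profile.d (which /etc/profile on CentOS 7 sources) instead of editing /etc/profile by hand, creates the log directory with mode 1777 (sticky bit, like /tmp) so every user can write their own log but cannot delete another user's (the post's 744 only works for root, because ordinary users cannot create files in such a directory, and 777 lets any user remove anyone's logs), guards the exec with a SCRIPT_LOGGING variable so that a later source /etc/profile inside an already recorded shell does not nest a second script, and skips recording instead of breaking the login when the directory is not writable. The PREFIX argument, the marker variable and the helper function names are my own assumptions for staging the files in a scratch directory; run it as root with an empty prefix to install for real. Recording is an audit trail for troubleshooting, not a tamper-proof control: a user who owns the shell can still stop script or edit their own log, so keep auditd or remote logging for evidence you need to trust.

```shell
#!/bin/bash
# Added example (not from the original post): installs terminal-session recording
# as a drop-in file under /etc/profile.d instead of editing /etc/profile directly.
# Assumptions: CentOS 7 with util-linux `script`; PREFIX stages files in a scratch
# directory for testing (PREFIX="" installs for real and must be run as root).

# Per-session file prefix in the post's format: <user>-<uid>-<YYYYmmddHHMM>
session_prefix() {
    # $1 = user name, $2 = uid, $3 = timestamp (defaults to now)
    printf '%s-%s-%s' "$1" "$2" "${3:-$(date +%Y%m%d%H%M)}"
}

# Create the log directory with the sticky bit (1777): everyone can create their
# own log, nobody can delete someone else's. The post uses plain 777.
create_log_dir() {
    local dir="$1"
    mkdir -p "$dir" && chmod 1777 "$dir"
}

# Write the profile.d snippet. SCRIPT_LOGGING is exported before exec so the shell
# that `script` spawns inherits it and does not start a second, nested recording.
# -w "$logdir" skips recording (rather than failing the login) if the directory
# is missing or not writable for this user.
write_profile_snippet() {
    local file="$1" logdir="$2" minuid="$3"
    cat > "$file" <<EOF
# session recording (added example; written by install_session_logging)
if [ -z "\$SCRIPT_LOGGING" ] && [ "\$UID" -ge $minuid ] && [ -w "$logdir" ]; then
    export SCRIPT_LOGGING=1
    _rec="$logdir/\$USER-\$UID-\$(date +%Y%m%d%H%M)"
    exec /usr/bin/script -t 2>"\$_rec.date" -a -f -q "\$_rec.log"
fi
EOF
    chmod 644 "$file"
}

# $1 = prefix ("" for a real install), $2 = lowest UID to record (0 = everyone)
install_session_logging() {
    local prefix="${1:-}" minuid="${2:-0}"
    create_log_dir "$prefix/var/log/script" || return 1
    mkdir -p "$prefix/etc/profile.d" || return 1
    write_profile_snippet "$prefix/etc/profile.d/session-record.sh" \
                          "/var/log/script" "$minuid"
}

# Usage as root, recording every user with UID >= 500:
#   install_session_logging "" 500
```

Because the snippet lives in its own file under /etc/profile.d, removing it later is a single rm rather than an edit of /etc/profile, and the lowest recorded UID is set once at install time.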


3. Verification

OK. Log out of the Linux terminal, log in again, type a few commands and have a look.

[root@host ~]# cd /var/log/script/
[root@host script]# ll
total 16
-rw-r--r-- 1 root root    … Dec 22 15:46 root-0-201712221545.date
-rw-r--r-- 1 root root  111 Dec 22 15:46 root-0-201712221545.log
-rw-r--r-- 1 root root    0 Dec 22 15:46 root-0-201712221546.date
-rw-r--r-- 1 root root 5693 Dec 22 15:46 root-0-201712221546.log

As you can see, files with the .log and .date suffixes have been generated in /var/log/script, and the user name root and the UID 0 appear in the file names.

.log: records the operations of the session

.date: timing data, used to play the session back


We use scriptreplay to play the session back and see the effect:

[root@host script]# scriptreplay root-0-201712221545.date root-0-201712221545.log

Note: give the timing file (.date) first and then the typescript file (.log); do not swap them.

This records all of a user's operations and lets you review them at any time, like replaying a video, so locating who caused a problem and why becomes easy.
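Playback answers "what happened in this session"; the question from the preface is "which session touched this file in this time period". The following is an added example, not the original post's code, that works over the <user>-<uid>-<YYYYmmddHHMM>.{log,date} names the post's snippet produces: it lists the sessions whose timestamp falls in a window, reports how long a session ran and how much output it produced from the .date timing file (each line holds the delay since the previous write and the number of bytes written), and finds the sessions whose typescript mentions a given string. The demo files are constructed inline and are not real recordings; the function names are mine. A typescript is raw terminal output, escape sequences included, so string matching is a first filter to decide which session to scriptreplay, not proof of what was typed.

```shell
#!/bin/bash
# Added example (not from the original post): triage helpers for the recordings
# produced by `script -t 2>NAME.date ... NAME.log` with NAME = <user>-<uid>-<stamp>.

# Each .date line is "<seconds since previous write> <bytes written>".
# Returns "<total seconds> <total bytes>" for one session.
session_summary() {
    awk '{ t += $1; b += $2 } END { printf "%.3f %d\n", t, b }' "$1"
}

# Print the basenames of sessions in directory $1 whose start stamp lies in
# [$2, $3], both given as YYYYmmddHHMM (numeric comparison works on that format).
sessions_between() {
    local dir="$1" start="$2" end="$3" f base stamp
    for f in "$dir"/*.date; do
        [ -e "$f" ] || continue
        base=$(basename "$f" .date)
        stamp=${base##*-}
        if [ "$stamp" -ge "$start" ] && [ "$stamp" -le "$end" ]; then
            echo "$base"
        fi
    done
}

# Print the basenames of sessions whose typescript contains the literal string $2
# (for example a configuration file path). -F: fixed string, not a regex.
sessions_mentioning() {
    local dir="$1" pattern="$2"
    grep -l -F -- "$pattern" "$dir"/*.log 2>/dev/null | sed 's#.*/##; s#\.log$##'
}

# Constructed demo recordings (not real sessions): two users, two sessions.
demo_dir=$(mktemp -d)
printf '0.5 20\n1.25 40\n' > "$demo_dir/alice-1001-201712221530.date"
printf 'alice$ vim /etc/nginx/nginx.conf\r\n' > "$demo_dir/alice-1001-201712221530.log"
printf '2.0 10\n' > "$demo_dir/bob-1002-201712221600.date"
printf 'bob$ ls\r\n' > "$demo_dir/bob-1002-201712221600.log"

# Typical triage: who had a session between 15:00 and 15:45 on 2017-12-22,
# and which of those sessions mentions the file that changed?
sessions_between "$demo_dir" 201712221500 201712221545
sessions_mentioning "$demo_dir" /etc/nginx/nginx.conf
session_summary "$demo_dir/alice-1001-201712221530.date"
```

Once a session is narrowed down this way, scriptreplay on its .date and .log pair, exactly as in the verification step above, shows the operation as it happened.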

