I wonder whether you have run into this situation as an operations engineer:
One day something abnormal happens on your server: a file is deleted for no apparent reason, a file has been tampered with, or there is an outright security incident, and your manager asks you to find out what happened. You want to look at the history of the suspicious operations, so you type `history` in the terminal, but the result is hard to interpret: an `rm -rf` is there, but was it one of your own commands, or something a colleague ran without agreement? The output shows only the commands themselves. What you actually want to know is when each command was executed, by which user, on which terminal, and even from which SSH source IP. You may bang on the keyboard for a while and still not know where to start. Don't worry; this post offers a solution.
Notes (must read):
- This scheme makes every pre-existing history entry show the current date: bash assigns entries that have no stored timestamp the time at which the history file was read. If you do not need the old history, run `history -c` (and `history -w` to overwrite the file immediately) before following the steps below.
- Ideally, deploy this on a freshly installed machine, before any history has accumulated.
1. Edit /etc/profile
Append the following at the end of the file:

```bash
# Stamp each history entry with user, tty, SSH source IP, date and time.
# `w -uh` prints one line per login session without a header
# (columns: USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT); FROM is the remote address.
# `tty` prints /dev/pts/0, and cut -d '/' -f3,4 turns that into pts/0 (or tty1 for a console).
# The awk field number did not survive in the original post; 3 is the FROM column of `w -uh`.
w -uh > "$HOME/.cache_tty"; grep "$(tty | cut -d '/' -f3,4)" "$HOME/.cache_tty" | awk '{print $3}' > "$HOME/.cache_tty_ip"
# The command substitutions are expanded once, at login, so HISTTIMEFORMAT becomes a
# literal prefix such as "root pts/0 <ip> " followed by the strftime fields
# %F (YYYY-MM-DD) and %T (HH:MM:SS). The trailing space separates the prefix from the command.
# (The original repeats the lookup pipeline inline here; reading the file it just wrote is equivalent.)
export HISTTIMEFORMAT="$(whoami) $(tty | cut -d '/' -f3,4) $(cat "$HOME/.cache_tty_ip") %F %T "
```
(Screenshot of the edited /etc/profile in the original post; image not reproduced here.)
2. Save and exit, then verify that it took effect. /etc/profile is read only by login shells, so log out and back in (or run `source /etc/profile` in the current shell) and then run:

```bash
history
```

Each entry is now prefixed with the user, tty, remote IP, date and time instead of showing only the command.

(Screenshot of the `history` output in the original post; image not reproduced here.)

A few caveats before you rely on this:
- Interactive shells that are not login shells (for example a terminal opened from a desktop session) do not read /etc/profile; add the same lines to /etc/bash.bashrc or /etc/bashrc, or to a file under /etc/profile.d/, if you need them there too.
- The prefix is computed once at login and baked into HISTTIMEFORMAT. Bash stores only a `#<epoch>` line before each command in ~/.bash_history, so when `history` prints, every entry, including those written by earlier sessions from other terminals or addresses, is labelled with the user, tty and IP of the session that is running `history`. The timestamps are per command; the tty and IP are not.
- Any user can edit or clear their own ~/.bash_history, point HISTFILE elsewhere, run `set +o history`, or use another shell, so this is a convenience for day-to-day troubleshooting rather than tamper-proof auditing. For an audit trail a user cannot rewrite, use auditd (auditing the execve syscall) or pam_tty_audit.
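To make the mechanism concrete, here is an added example (not code from the original post) that reproduces the login-time lookup on a constructed `w -uh` sample and then renders a constructed ~/.bash_history fragment the way `history` does: bash stores only a `#<epoch>` line before each command and applies HISTTIMEFORMAT as a strftime format when it prints. The sessions, addresses, epochs and commands are made up, and GNU `date -d` is assumed for the epoch conversion.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the login-time lookup of the
# /etc/profile snippet on constructed `w -uh` output, then renders a constructed
# history fragment the way `history` applies HISTTIMEFORMAT (GNU date -d assumed).
set -eu

# Constructed sample of `w -uh` output. Columns: USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT.
SAMPLE_W='root     pts/0    192.0.2.10       10:02    1.00s  0.05s  0.01s w -uh
alice    pts/1    198.51.100.7     09:58    5:12   0.10s  0.10s  -bash
bob      tty1     -                08:30   2:01m  0.20s  0.20s  -bash'

# remote_ip_for_tty TTY: the FROM column for the session on TTY ("pts/1", "tty1").
# Matching on the whole TTY column instead of grepping the line avoids "pts/1"
# also matching "pts/10"; a console login yields "-" as the address.
remote_ip_for_tty() {
    printf '%s\n' "$SAMPLE_W" | awk -v t="$1" '$2 == t { print $3; exit }'
}

# build_histtimeformat USER TTY IP: the literal string the export line produces.
# %F and %T are left for strftime; the trailing space separates prefix from command.
build_histtimeformat() {
    printf '%s %s %s %%F %%T ' "$1" "$2" "$3"
}

# Constructed ~/.bash_history fragment: with HISTTIMEFORMAT set, bash writes a
# "#<epoch>" line before every command. No user, tty or IP is stored in the file.
SAMPLE_HISTORY='#1700000000
cat /etc/passwd
#1700000042
rm -rf /var/www/html/uploads'

# render_history FORMAT: print the fragment as `history` would (minus the numbering).
# Each stored epoch is formatted with FORMAT, so the user/tty/IP prefix is whatever
# the session running `history` exported, not the session that ran the command.
render_history() {
    printf '%s\n' "$SAMPLE_HISTORY" | {
        epoch=""
        while IFS= read -r line; do
            case "$line" in
                "#"[0-9]*) epoch="${line#\#}" ;;
                *) printf '%s%s\n' "$(date -u -d "@$epoch" +"$1")" "$line" ;;
            esac
        done
    }
}

# Usage: look up the address for the session on pts/1, build its prefix, render.
ip=$(remote_ip_for_tty pts/1)
render_history "$(build_histtimeformat alice pts/1 "$ip")"
```

Running it prints both commands prefixed with `alice pts/1 198.51.100.7` and their own date and time; change the arguments to `build_histtimeformat` and the prefix changes for every entry, which is exactly the limitation described above.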
Linux system operations audit: enrich your history content