When many people share a server, poorly managed permissions and operator mistakes cause failures that cannot be investigated afterwards. The best approach is to record each user's operations to the log in real time and push them to a remote log server, including the user login time, directory, the command run and its timestamp, so that they can be traced afterwards.
Environment: CentOS 5.5 x86_64, 2 hosts. # Note: the firewall and SELinux are shut down on both hosts for this procedure.
(i) Log server IP: 10.0.2.164
(ii) Client server IP: 10.0.2.165
1. First, on the log server host 10.0.2.164:
[root@mysql-b ~]# echo "*.info /var/log/client" >> /etc/syslog.conf
# Configures the file the logs are saved to: take the *.info from the first line of the file and put it on a line of its own.
[root@mysql-b ~]# service syslog restart # Restart the syslog service.
Shutting down kernel logger: [OK]
Shutting down system logger: [OK]
Starting system logger: [OK]
Starting kernel logger: [OK]
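[root@mysql-b ~]# vim /etc/sysconfig/syslog # Accept writes from clients.
Change SYSLOGD_OPTIONS="-m 0" to: SYSLOGD_OPTIONS="-m 1 -r"
# -r makes syslogd accept messages from the network. This file is read when the service starts, so the new options apply from the next syslog restart.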
2. Then, on the client server host 10.0.2.165:
[root@mysql-a ~]# vim /etc/profile # Add the following line.
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger "[euid=$(whoami)]":$(who am i):[$(pwd)]"$msg"; }'
[root@mysql-a ~]# source /etc/profile # Manually re-source the file to apply the update.
2.1. On the client host 10.0.2.165, point syslog at the log server:
[root@mysql-a ~]# echo "10.0.2.164 logserver" >> /etc/hosts # Log server address.
[root@mysql-a ~]# echo "*.info @logserver" >> /etc/syslog.conf
# Pushes info-level logs to the log server: take the *.info from the first line of the file and put it on a line of its own.
[root@mysql-a ~]# /etc/init.d/syslog restart # Restart the syslog service.
Shutting down kernel logger: [OK]
Shutting down system logger: [OK]
Starting system logger: [OK]
Starting kernel logger: [OK]
3. Test: run some commands on the client host 10.0.2.165:
[root@mysql-a ~]# test
[root@mysql-a ~]# echo "This is a test 1"
This is a test 1
[root@mysql-a ~]# echo "This is a test 2"
This is a test 2
[root@mysql-a ~]# echo "This is a test 3"
This is a test 3
[root@mysql-a ~]# echo "This is a test 4"
This is a test 4
[root@mysql-a ~]# echo "This is a test 5"
This is a test 5
4. Return to the log server host 10.0.2.164 and check whether the operations performed on the client host were recorded:
[root@mysql-b ~]# cat /var/log/client
Apr 6 10:37:55 10.0.2.165 root: [euid=root]:root pts/1 Apr 6 10:37 (10.0.2.188): [/root]echo ' This is a test1 '
Apr 6 10:37:59 10.0.2.165 root: [euid=root]:root pts/1 Apr 6 10:37 (10.0.2.188): [/root]echo ' This is a test2 '
Apr 6 10:38:01 10.0.2.165 root: [euid=root]:root pts/1 Apr 6 10:37 (10.0.2.188): [/root]echo ' This is a test3 '
Apr 6 10:38:04 10.0.2.165 root: [euid=root]:root pts/1 Apr 6 10:37 (10.0.2.188): [/root]echo ' This is a test4 '
Apr 6 10:38:06 10.0.2.165 root: [euid=root]:root pts/1 Apr 6 10:37 (10.0.2.188): [/root]echo ' This is a test5 '
# Operation time # Operating IP # Effective user # Actual login time # Path # Command used
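The fields labelled above can be split back out on the log server, for instance to list commands whose effective user differs from the user who logged in. This is an added example, not part of the original post: the function names, the regular expression and the sample lines are constructed here and assume the message layout produced by the PROMPT_COMMAND line in step 2.

```python
import re

# Layout assumed from step 2's logger call:
#   <syslog time> <host> <tag>: [euid=USER]:<who am i output>:[CWD]COMMAND
LINE = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+(?P<tag>[^:\s]+):\s+"
    r"\[euid=(?P<euid>[^\]]*)\]:(?P<who>.*?):\s*\[(?P<cwd>/[^\]]*)\](?P<cmd>.*)$"
)

def parse(line):
    """Split one /var/log/client line into fields; None if it is not an audit line."""
    m = LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    who = rec.pop("who").split()  # e.g. root pts/1 Apr 6 10:37 (10.0.2.188)
    # "who am i" can print nothing, so every field derived from it may be None.
    rec["login_user"] = who[0] if who else None
    rec["tty"] = who[1] if len(who) > 1 else None
    rec["source"] = who[-1].strip("()") if who and who[-1].startswith("(") else None
    rec["cmd"] = rec["cmd"].strip()
    return rec

def identity_changes(lines):
    """Audit records whose effective user differs from the user who logged in."""
    records = (parse(line) for line in lines)
    return [r for r in records
            if r and r["login_user"] and r["euid"] != r["login_user"]]

# Constructed sample lines (not taken from a real log); "alice" is hypothetical.
SAMPLE = [
    "Apr  6 10:37:55 10.0.2.165 root: [euid=root]:root pts/1 Apr 6 10:37 "
    "(10.0.2.188):[/root]echo 'this is a test1'",
    "Apr  6 10:41:12 10.0.2.165 alice: [euid=root]:alice pts/2 Apr 6 10:40 "
    "(10.0.2.188):[/etc]vim syslog.conf",
    "Apr  6 10:42:00 10.0.2.165 syslogd 1.4.1: restart.",  # ordinary syslog line
]

if __name__ == "__main__":
    for r in identity_changes(SAMPLE):
        print(f'{r["time"]} {r["host"]} {r["login_user"]} -> {r["euid"]} '
              f'from {r["source"]} in {r["cwd"]}: {r["cmd"]}')
```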
Author Signature: 51cto blog Imysql