Recording the operation logs of all Linux user logons by login IP address

To review what a user has done on a Linux system, the history command is generally used to view the command history. However, when someone deletes important data by mistake, the history command is of little use. How can we make sure a record of past operations still exists?
In fact, we can record the historical operations of every user who logs on, keyed by the login IP address. The specific operation is to add the following script code to the end of the /etc/profile configuration file:

    [root@server ~]# cat >> /etc/profile <<'EOF'
    # history
    # '>>' appends to /etc/profile; the quoted 'EOF' keeps the backticks and
    # variables below unexpanded until a user actually logs on.
    USER=`whoami`
    # Remote address of this login as reported by who(1), without the parentheses
    USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
    if [ "$USER_IP" = "" ]; then
        # Local console login: fall back to the host name
        USER_IP=`hostname`
    fi
    if [ ! -d /tmp/history ]; then
        mkdir /tmp/history
        # World-writable so that every user can create a directory of their own
        chmod 777 /tmp/history
    fi
    if [ ! -d /tmp/history/${LOGNAME} ]; then
        mkdir /tmp/history/${LOGNAME}
        # Write and search only: files can be created but the directory cannot be listed
        chmod 300 /tmp/history/${LOGNAME}
    fi
    export HISTSIZE=4096
    DT=`date +"%Y-%m-%d_%H:%M:%S"`
    # One history file per login session: <user>@<ip>_history.<timestamp>
    export HISTFILE="/tmp/history/${LOGNAME}/${USER}@${USER_IP}_history.$DT"
    chmod 600 /tmp/history/${LOGNAME}/*history* 2>/dev/null
    EOF
    [root@server ~]# source /etc/profile
    [root@server ~]# logout    # log out of the system and log on again

After logging on again, the logs are recorded in the /tmp/history/ directory.
The script above creates a new history directory under /tmp (the location can be customized), and every user and IP address that has logged on to the system is recorded in that directory. This is also one of the methods for monitoring system security. After a series of operations, go to the /tmp/history directory to view the historical records:

    [root@server ~]# cd /tmp
    [root@server tmp]# ll
    total 24
    drwx------ 2 root 4096 2012-10-11 gconfd-root
    drwxrwxrwx 3 root 4096 2012-10-11 history
    drwx------ 2 root 4096 08-11 0keyring-Ki8IOJ
    srwxr-xr-x 1 root 0 2012-10-11 mapping-root
    srw------- 1 root 0 2012-10-11 scim-panel-socket:0-root
    drwx------ 2 root 4096 2012-10-11 ssh-jPPigl3182
    drwx------ 2 root 4096 10-10 ssh-KDmPtr3350
    [root@server tmp]# cd history/
    [root@server history]# ll
    total 4
    d-wx------ 2 root 4096 10-10 root
    [root@server history]# cd root/
    [root@server root]# ll
    total 4
    -rw------- 1 root 37 10-10 root@192.168.1.96_history.2012-10-10_21:16:42
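
A hardened variant of the /etc/profile snippet, as an added example that is not the article's own code: it keeps the article's file naming but refuses symlinked or pre-created per-user directories and makes the history variables read-only. The base path /var/log/user-history, its mode 1733 and all function names are assumptions.

```bash
# Added example, not the article's script. Assumption: root has pre-created the
# base directory once with:  install -d -m 1733 /var/log/user-history
# (sticky bit: users can add their own directory but not remove or list others').
HIST_BASE="${HIST_BASE:-/var/log/user-history}"   # assumed location

# Replace every character that is unsafe in a file name component.
sanitize() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._:-' '_'
}

# <base>/<login>/<user>@<ip>_history.<timestamp>, the article's naming scheme.
history_path() {
    printf '%s/%s/%s@%s_history.%s\n' "$1" "$(sanitize "$2")" \
        "$(sanitize "$3")" "$(sanitize "$4")" "$5"
}

# Create the caller's write-only directory; refuse symlinks and directories
# that somebody else created in advance.
prepare_dir() {
    local base="$1" login dir
    login=$(sanitize "$2")
    case $login in ''|.|..) return 1 ;; esac
    [ -d "$base" ] && [ ! -L "$base" ] || return 1
    dir=$base/$login
    [ -e "$dir" ] || [ -L "$dir" ] || (umask 077; mkdir "$dir") || return 1
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1
    chmod 300 "$dir"
}

# Call this from the end of /etc/profile.
enable_session_history() {
    local user ip
    user=$(id -un)    # not $LOGNAME, which the environment can override
    ip=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
    [ -n "$ip" ] || ip=$(hostname)
    prepare_dir "$HIST_BASE" "$user" || return 1
    HISTFILE=$(history_path "$HIST_BASE" "$user" "$user" "$ip" \
        "$(date +%Y-%m-%d_%H:%M:%S)")
    HISTSIZE=4096
    PROMPT_COMMAND='history -a'    # bash: append each command as it is run
    readonly HISTFILE HISTSIZE PROMPT_COMMAND
    export HISTFILE HISTSIZE
}
```

The history file remains writable by its owner, so treat it as a convenience record rather than tamper-proof evidence.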