The history command lets you view a user's command history under Linux. By default, the shell also saves the record of executed commands in the .bash_history file in the user's home directory. Through this file you can query the execution history of shell commands, which helps operations and maintenance personnel with system audits and troubleshooting. Likewise, after a server has been hacked, you can use this command or file to see the commands the hacker ran after logging in to the server. Sometimes, however, the hacker deletes the .bash_history file to destroy traces after compromising the server, so the .bash_history file needs reasonable protection or backup.
To have the history command automatically record the execution time of every shell command, edit the /etc/bashrc file and add the following at the end:
===============
HISTFILESIZE=4000
HISTSIZE=4000
HISTTIMEFORMAT='%F %T '
export HISTTIMEFORMAT
===============
Make the configuration take effect: source /etc/bashrc
Here HISTFILESIZE defines the total number of command records saved in the .bash_history file; the default value is 1000, and it is set to 4000 here. HISTSIZE defines the total number of records output by the history command.
HISTTIMEFORMAT defines the time display format, using the same format as the "+%F %T" argument of the date command; it is passed to the history command as its time format variable.
With this setting, running the history command shows the detailed execution time of each historical command, for example:
[Image: output of the history command, with the execution time shown for each entry]
Preserving the execution history of shell commands is a useful technique for keeping a server secure. The shell does have a history function, but it was not designed for auditing purposes, so it is easily tampered with or lost when hackers get in.
The following describes a method that records in detail the logged-in system users, their IP addresses, the shell commands they run, and the exact time of each operation, and keeps this information as files in a secure place for system audits and troubleshooting.
Add the following code to the end of the /etc/profile file to achieve this:
======================================
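#history
# Remote address of the current login, taken from the last field of who(1)
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
HISTDIR=/usr/share/.history
# Local logins have no remote address: fall back to the host name
if [ -z "$USER_IP" ]
then
    USER_IP=`hostname`
fi
# Shared parent directory; 777 lets every user create a subdirectory
# (1777 would add the sticky bit so users cannot rename each other's)
if [ ! -d "$HISTDIR" ]
then
    mkdir -p "$HISTDIR"
    chmod 777 "$HISTDIR"
fi
# One directory per login name
if [ ! -d "$HISTDIR/${LOGNAME}" ]
then
    mkdir -p "$HISTDIR/${LOGNAME}"
    # the mode is missing on this page; 700 (owner only) is an assumption
    chmod 700 "$HISTDIR/${LOGNAME}"
fi
export HISTSIZE=4000
DT=`date +%Y%m%d_%H%M%S`
# One history file per session: <ip>.history.<login time>
export HISTFILE="$HISTDIR/${LOGNAME}/${USER_IP}.history.$DT"
export HISTTIMEFORMAT="[%Y.%m.%d %H:%M:%S]"
# the mode is missing on this page; 600 (owner read/write) is an assumption
chmod 600 "$HISTDIR/${LOGNAME}"/*.history* 2>/dev/null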
=======================================
Make the configuration take effect: source /etc/profile
This code saves each user's shell command execution history as files in the /usr/share/.history directory, with one folder per user; each file in the folder is named with the IP address plus the time of the shell session. The following is a history file of the user01 user executing shell commands, with the following basic effect:
[Image: history file of the user01 user]
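For reviewing these files during an audit, the following added example (not part of the original article) turns one per-session file into audit lines, taking the user from the directory name and the IP address from the file name. It relies on bash writing a `#<epoch>` line ahead of each command once HISTTIMEFORMAT is set; the function names `render_history` and `make_sample` and the sample data are constructed for illustration.

```shell
# Added example, not from the original article.
# Assumes files laid out as <HISTDIR>/<user>/<ip>.history.<login time>
# and a date(1) that accepts "-d @<epoch>" (GNU coreutils). Times are UTC.

render_history() {
    file=$1
    user=$(basename "$(dirname "$file")")   # directory name is $LOGNAME
    base=$(basename "$file")
    ip=${base%%.history.*}                  # text before ".history."
    ts=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#'[0-9]*)
                # With HISTTIMEFORMAT set, bash writes "#<epoch>" before
                # each command; accept it only if it is all digits.
                epoch=${line#?}
                case $epoch in
                    *[!0-9]*) ;;            # a typed comment such as "#1 note"
                    *) ts=$(date -u -d "@$epoch" '+%Y-%m-%d %H:%M:%S')
                       continue ;;
                esac ;;
        esac
        # Commands saved without a preceding timestamp are flagged as such
        printf '%s %s [%s] %s\n' "$user" "$ip" "${ts:-no-timestamp}" "$line"
        ts=""
    done < "$file"
}

# Constructed sample: one session of user01 from 192.0.2.10 (documentation
# address); the first command has no timestamp line in front of it.
make_sample() {
    dir=$(mktemp -d)/user01
    mkdir -p "$dir"
    f=$dir/192.0.2.10.history.20160420_101500
    printf '%s\n' 'ls -l /tmp' '#1461147300' 'cat /etc/passwd' \
        '#1461147360' 'rm -f ~/.bash_history' > "$f"
    printf '%s\n' "$f"
}

render_history "$(make_sample)"
```

Run it as a user that can read the history directory, passing the path of one history file as the argument.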
This article is from the "Linux operations self-cultivation" blog, please be sure to keep this source http://ywliyq.blog.51cto.com/11433965/1765711
Shell History command logging function