Under Linux you can use the history command to view a user's command history; by default the shell records each command in the .bash_history file in the user's home directory. This file lets you look up which shell commands were executed, which helps with system audits and troubleshooting, and when a server has been attacked it lets you trace the commands that were run on it. But an intruder who wants to erase their traces will delete the .bash_history file, so the file needs to be backed up properly.
The default history command shows only the current user's history and does not record when each command was executed, which is inconvenient for troubleshooting. The fix is to add the following four lines to the /etc/bashrc file so that the history command automatically records the execution time of every shell command:
HISTFILESIZE=4000
HISTSIZE=4000
HISTTIMEFORMAT='%F %T '
export HISTTIMEFORMAT
HISTFILESIZE sets the total number of records kept in the .bash_history file (the default is 1000); HISTSIZE sets how many records the history command outputs; HISTTIMEFORMAT defines the time display format, using the same format string as date "+%F %T", and passes it to the history command as the timestamp variable so that each entry is shown with the time it was executed.
Advanced Skills
Although the above records the time, it cannot be used for audit purposes, because it is easily tampered with by an intruder or simply lost. The following method records in detail the login time, IP address and shell commands of every user who logs on to the system, and keeps this information in a file in a secure location for system audits and troubleshooting.
Adding the following code to the /etc/profile file achieves this:
# Record history operations (added to /etc/profile)
# Source address of the login session: last field of "who -u am i", with the parentheses stripped
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
# The user who actually logged in (unchanged by a later su)
LOGNAME=`who -u am i | awk '{print $1}'`
HISTDIR=/usr/share/.history
# Local logins have no remote address; fall back to the host name
if [ -z "$USER_IP" ]
then
    USER_IP=`hostname`
fi
if [ ! -d $HISTDIR ]
then
    mkdir -p $HISTDIR
    chmod 777 $HISTDIR
fi
if [ ! -d $HISTDIR/${LOGNAME} ]
then
    mkdir -p $HISTDIR/${LOGNAME}
    # Mode assumed as 300: the user can create files but cannot list or read the directory
    chmod 300 $HISTDIR/${LOGNAME}
fi
export HISTSIZE=4000
DT=`date +%Y%m%d_%H%M%S`
# One history file per login session: <histdir>/<user>/<ip>.history.<login time>
export HISTFILE="$HISTDIR/${LOGNAME}/${USER_IP}.history.$DT"
export HISTTIMEFORMAT="[%Y.%m.%d %H:%M:%S]"
# Mode assumed as 600: existing history files readable and writable only by their owner
chmod 600 $HISTDIR/${LOGNAME}/*.history* 2>/dev/null
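The two snippets above (the timestamped history in /etc/bashrc and the per-session files written from /etc/profile) produce history files that bash stores in a specific on-disk format: with HISTTIMEFORMAT set, each command is preceded by a line holding the epoch time as "#1700000000", while HISTTIMEFORMAT itself only controls how the history command displays that time. The following script is an added example, not code from the original post or the book it cites; it walks the <histdir>/<user>/<ip>.history.<time> tree, reads that two-line format and prints one sorted audit timeline of user, source address, time and command. It assumes GNU date (for the "-d @epoch" conversion) and awk, and the sample directory built by make_sample_histdir is constructed for the example. Keep in mind when reading such files that bash only writes the history file when the shell exits, so a session that is killed or that unsets HISTFILE leaves no record; these files are an audit aid, not a tamper-proof log.

```shell
#!/bin/sh
# Added example (not from the original post): build an audit timeline from the per-session
# history files written by the /etc/profile snippet. Assumes GNU date and awk.
#
# With HISTTIMEFORMAT set, bash stores each command as a pair of lines:
#     #1700000000                 <- epoch seconds when the command ran
#     sudo systemctl restart sshd <- the command itself

# Build a constructed sample tree (two users, two source addresses) so the example runs offline.
make_sample_histdir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/alice" "$dir/root"
    printf '#1700000000\nls -la /var/log\n#1700000060\nsudo systemctl restart sshd\n' \
        > "$dir/alice/192.168.1.5.history.20231114_221320"
    printf '#1700003600\nvi /etc/ssh/sshd_config\n' \
        > "$dir/root/10.0.0.7.history.20231114_231320"
    echo "$dir"
}

# audit_history <histdir>: print "user ip [YYYY.MM.DD HH:MM:SS] command" for every recorded
# command, across all users and sessions, ordered by execution time.
audit_history() {
    for f in "$1"/*/*.history.*; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$f")")          # directory name is the login user
        ip=$(basename "$f"); ip=${ip%%.history.*}   # file name prefix is the source address
        awk -v user="$user" -v ip="$ip" '
            /^#[0-9]+$/ { ts = substr($0, 2); next }   # timestamp line: remember the epoch
            { if (ts == "") ts = 0                      # command recorded without a timestamp
              printf "%s %s %s %s\n", ts, user, ip, $0; ts = "" }
        ' "$f"
    done | sort -n | while read -r ts user ip cmd; do
        if [ "$ts" = 0 ]; then when="no timestamp"
        else when=$(date -u -d "@$ts" '+%Y.%m.%d %H:%M:%S'); fi
        printf '%s %s [%s] %s\n' "$user" "$ip" "$when" "$cmd"
    done
}

# count_commands <histdir> <user>: how many commands one user ran, a quick audit check.
count_commands() {
    audit_history "$1" | awk -v u="$2" '$1 == u' | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample (prints three timeline lines).
SAMPLE_DIR=$(make_sample_histdir)
audit_history "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

Run it against the real directory with audit_history /usr/share/.history as root; because the per-user directories are mode 300, only root can list them, which is the point of the layout above.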
Resources
The book "High-Performance Linux Server Construction: System Security, Troubleshooting, Automated Operation and Cluster Architecture"