A method of auditing user operations on a Linux system

Source: Internet
Author: User
Tags: syslog

Create the audit log directory

The code is as follows:

mkdir -p /var/log/user_audit

Create the user audit log file

The code is as follows:

touch /var/log/user_audit/user_audit.log

Hand the file to a low-privilege user

The code is as follows:

chown nobody:nobody /var/log/user_audit/user_audit.log

Give other users write permission (mode 002: the owner nobody gets no access, everyone else may write)

The code is as follows:

chmod 002 /var/log/user_audit/user_audit.log

Make the file append-only, so every user can add lines but nobody can truncate or rewrite it

The code is as follows:

chattr +a /var/log/user_audit/user_audit.log

Edit /etc/profile and add the following content:

The code is as follows:

export HISTORY_FILE=/var/log/user_audit/user_audit.log

export PROMPT_COMMAND='{ date "+%y-%m-%d %T ##### $(who am i | awk "{print \$1\" \"\$2\" \"\$5}") #### $(history 1 | { read x y; echo "$y"; })"; } >> $HISTORY_FILE'

Note: the awk field list and the end of the PROMPT_COMMAND line did not survive extraction. Printing fields 1, 2 and 5 of `who am i` (user, tty and origin host), appending the last history entry after "####" and redirecting the line into $HISTORY_FILE is a reconstruction of the setup. Bash evaluates PROMPT_COMMAND before printing each prompt, so a command is written to the log right after it has run.
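Before putting the HISTORY_FILE and PROMPT_COMMAND lines into /etc/profile, it is worth running the hook in a throw-away interactive shell to see the exact line it writes. The script below is an added example, not part of the original page: it writes the same two settings to an rc file in a temporary directory (standing in for /var/log/user_audit, so no root, chown or chattr is needed), feeds a few commands to `bash -i`, and reads back the recorded commands. The awk field list ($1, $2, $5 of `who am i`) and the `2>/dev/null` on `who am i` are assumptions; in a session without a terminal `who am i` prints nothing, so that field comes out empty here.

```shell
#!/bin/sh
# Added example (not from the original page): dry-run of the /etc/profile
# audit hook in a sandbox. A temp directory stands in for /var/log/user_audit.

# Write an rc file carrying the same two settings the page adds to /etc/profile.
# AUDIT_DIR is passed in the environment. HISTFILE points at a file that does
# not exist, so the throw-away shell starts with an empty history. The awk
# field list (user, tty, origin host) is an assumption; "2>/dev/null" silences
# who(1) when the shell has no terminal.
make_audit_rc() {
    cat > "$1/audit.rc" <<'EOF'
HISTFILE=$AUDIT_DIR/shell_history
export HISTORY_FILE=$AUDIT_DIR/user_audit.log
export PROMPT_COMMAND='{ date "+%y-%m-%d %T ##### $(who am i 2>/dev/null | awk "{print \$1\" \"\$2\" \"\$5}") #### $(history 1 | { read x y; echo "$y"; })"; } >> $HISTORY_FILE'
EOF
}

# Run the given commands through an interactive bash that sources the rc file.
# PROMPT_COMMAND fires before every prompt, so each command is recorded once it
# has executed (the entry written before the first prompt has an empty command).
# Prints the path of the audit log that was produced.
run_audited_session() {
    dir="$1"; shift
    printf '%s\n' "$@" | AUDIT_DIR="$dir" bash --rcfile "$dir/audit.rc" -i >/dev/null 2>&1
    echo "$dir/user_audit.log"
}

# Extract the recorded commands: the text after the " #### " separator,
# skipping the empty entry written before the first command ran.
audited_commands() {
    awk -F' #### ' 'NF > 1 && $2 != "" { print $2 }' "$1"
}

# Stand-alone run: record two commands, show the raw audit lines and the
# commands parsed back out of them.
demo_audit_hook() {
    workdir=$(mktemp -d)
    make_audit_rc "$workdir"
    logfile=$(run_audited_session "$workdir" "echo one" "echo two")
    cat "$logfile"
    audited_commands "$logfile"
    rm -rf "$workdir"
}

demo_audit_hook
```

Because the command text ends up inside date's format string, a recorded command containing a % sequence (for example a `printf %d ...`) would have that sequence replaced by a date conversion; a dry run like this is where such quirks show up before the hook reaches every login shell.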

Example

Many people manage server privileges badly, and mistaken operations and similar causes lead to failures that cannot be investigated afterwards. The best remedy is to record user operations to a log in real time and push them to a remote log server, including the login time, working directory, the command run and its timestamp, so they can be traced later.

Environment: CentOS 5.5 x86_64, two hosts. Note: the firewall and SELinux were turned off on both hosts for this exercise.

(i) Log server IP: 10.0.2.164

(ii) Client server IP: 10.0.2.165

1. First, on the log server (10.0.2.164):

The code is as follows:

[root@mysql-b ~]# echo "*.info /var/log/client" >> /etc/syslog.conf

# Set the file the received logs are saved to. Take the *.info selector out of the file's first rule line and put it on a line of its own.

[root@mysql-b ~]# service syslog restart  # restart the syslog service

Shutting down kernel logger: [OK]

Shutting down system logger: [OK]

Starting system logger: [OK]

Starting kernel logger: [OK]

[root@mysql-b ~]# vim /etc/sysconfig/syslog  # accept messages sent by clients

Change SYSLOGD_OPTIONS="-m 0" to SYSLOGD_OPTIONS="-m 1 -r" (-r makes syslogd accept remote messages on UDP port 514; -m sets the interval in minutes between "-- MARK --" lines).

2. Then, on the client server (10.0.2.165):

The code is as follows:

[root@mysql-a ~]# vim /etc/profile  # add the following line

export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo "$y"; }); logger "[euid=$(whoami)]:$(who am i): [$(pwd)]$msg"; }'

[root@mysql-a ~]# source /etc/profile  # reload it by hand in the current shell

2.1. Still on the client (10.0.2.165), point its syslog at the log server:

The code is as follows:

[root@mysql-a ~]# echo "10.0.2.164 logserver" >> /etc/hosts  # address of the log server

[root@mysql-a ~]# echo "*.info @logserver" >> /etc/syslog.conf

# Forward info-level messages to the log server. As on the server, take the *.info selector out of the file's first rule line and put it on a line of its own.

[root@mysql-a ~]# /etc/init.d/syslog restart  # restart syslog

Shutting down kernel logger: [OK]

Shutting down system logger: [OK]

Starting system logger: [OK]

Starting kernel logger: [OK]

3. Test: run a few commands on the client host (10.0.2.165):

The code is as follows:

[root@mysql-a ~]# test
[root@mysql-a ~]# echo "This is a test 1"
This is a test 1
[root@mysql-a ~]# echo "This is a test 2"
This is a test 2
[root@mysql-a ~]# echo "This is a test 3"
This is a test 3
[root@mysql-a ~]# echo "This is a test 4"
This is a test 4
[root@mysql-a ~]# echo "This is a test 5"
This is a test 5

4. Back on the log server (10.0.2.164), check whether the client's commands were recorded:

The code is as follows:

[root@mysql-b ~]# cat /var/log/client
Apr 6 10:37:55 10.0.2.165 root: [euid=root]:root pts/1 Apr 6 10:37 (10.0.2.188): [/root]echo ' This is a test1 '
Apr 6 10:37:59 10.0.2.165 root: [euid=root]:root pts/1 Apr 6 10:37 (10.0.2.188): [/root]echo ' This is a test2 '
Apr 6 10:38:01 10.0.2.165 root: [euid=root]:root pts/1 Apr 6 10:37 (10.0.2.188): [/root]echo ' This is a test3 '
Apr 6 10:38:04 10.0.2.165 root: [euid=root]:root pts/1 Apr 6 10:37 (10.0.2.188): [/root]echo ' This is a test4 '
Apr 6 10:38:06 10.0.2.165 root: [euid=root]:root pts/1 Apr 6 10:37 (10.0.2.188): [/root]echo ' This is a test5 '

The fields, in order, are: time of the operation, IP of the client that performed it, effective user, actual login time, working directory, and the command used.
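Once lines like these arrive on the log server, the next step is turning them into something reviewable. The script below is an added example, not from the original page: it parses the layout the client hook produces (timestamp, client address, syslog tag, `[euid=...]`, the `who am i` fields, `[cwd]` and the command) into tab-separated fields, and lists the entries whose effective user differs from the login user. That is the point of logging both `whoami` and `who am i`: a command run as root after `su` is still attributed to the account that logged in. The three sample lines are constructed for this example; the `alice` account, the 10.0.2.190 address and the commands shown are invented.

```shell
#!/bin/sh
# Added example (not from the original page): parse /var/log/client entries
# into fields and report commands run under a different effective user than
# the one that logged in.

# Constructed sample in the layout the client hook produces (not real data).
audit_sample() {
    cat <<'EOF'
Apr  6 10:37:55 10.0.2.165 root: [euid=root]:root pts/1 Apr 6 10:37 (10.0.2.188): [/root]echo ' This is a test1 '
Apr  6 10:39:02 10.0.2.165 alice: [euid=alice]:alice pts/2 Apr 6 10:38 (10.0.2.190): [/home/alice]ls -la /var/log
Apr  6 10:40:11 10.0.2.165 root: [euid=root]:alice pts/2 Apr 6 10:38 (10.0.2.190): [/etc]vi ssh/sshd_config
EOF
}

# Split each entry on stdin into tab-separated fields:
#   time  client  euid  login  tty  origin  cwd  command
# Lines without the "[euid=" marker are skipped.
audit_fields() {
    awk '
    {
        if (!match($0, /\[euid=[^]]*]/)) next
        ts = $1 " " $2 " " $3
        client = $4
        euid = substr($0, RSTART + 6, RLENGTH - 7)
        # Everything after "]:" is the who-am-i output, then ": [cwd]command".
        rest = substr($0, RSTART + RLENGTH + 1)
        split(rest, w, " ")
        login = w[1]; tty = w[2]
        i = index(rest, ": [")
        if (i == 0) next
        pre = substr(rest, 1, i - 1)    # who-am-i part only
        tail = substr(rest, i + 3)      # "cwd]command"
        j = index(tail, "]")
        cwd = substr(tail, 1, j - 1)
        cmd = substr(tail, j + 1)
        # Origin host is the parenthesised token of the who-am-i part, if any.
        origin = ""
        if (match(pre, /\([^)]*\)/)) origin = substr(pre, RSTART + 1, RLENGTH - 2)
        print ts "\t" client "\t" euid "\t" login "\t" tty "\t" origin "\t" cwd "\t" cmd
    }'
}

# Keep only entries whose effective user is not the user who logged in
# (for example commands run after su or sudo -s).
privilege_changes() {
    audit_fields | awk -F'\t' '$3 != $4'
}

# Count lines on stdin, printing a bare number.
count_lines() {
    awk 'END { print NR }'
}

# Stand-alone run: show the parsed table, then the entries that changed user.
audit_sample | audit_fields
echo "--- commands run under a different effective user than the login user ---"
audit_sample | privilege_changes
```

The parser anchors on the fixed separators the hook emits ("[euid=", "]:", ": [" and "]") rather than on whitespace, so commands containing spaces, quotes or parentheses stay intact in the last column.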
