The Shell history record audit and monitoring


http://netkiller.github.io/journal/shell.history.html

Mr. Neo Chen (Chen Jingfeng), Netkiller, BG7NYT

Civil Administration, Khe Sanh Street, Longhua District, Shenzhen, Guangdong Province, China
518131
+86 13113668890
+86 755 29812080

Copyright © http://netkiller.github.io

Copyright Notice

To reprint, please contact the author, and be sure to indicate the original source of the article, the author's information and this statement.

Document source:
http://netkiller.github.io
http://netkiller.sourceforge.net

2014-12-25

My series of documents: Netkiller Architect Codex, Netkiller Developer Codex, Netkiller PHP Codex, Netkiller Python Codex, Netkiller Testing Codex, Netkiller Cryptography Codex, Netkiller Linux Codex, Netkiller Debian Codex, Netkiller CentOS Codex, Netkiller FreeBSD Codex, Netkiller Shell Codex, Netkiller Security Codex, Netkiller Web Codex, Netkiller Monitoring Codex, Netkiller Storage Codex, Netkiller Mail Codex, Netkiller Docbook Codex, Netkiller Version Codex, Netkiller Database Codex, Netkiller PostgreSQL Codex, Netkiller MySQL Codex, Netkiller NoSQL Codex, Netkiller LDAP Codex, Netkiller Network Codex, Netkiller Cisco IOS Codex, Netkiller H3C Codex, Netkiller Multimedia Codex, Netkiller Perl Codex, Netkiller Amateur Radio Codex, Netkiller DevOps Codex
Contents
    • 1. What off-site shell history recording and monitoring is
    • 2. Why record shell history off-site and monitor it
    • 3. When to set up off-site history recording
    • 4. Where off-site history records are kept
    • 5. Roles and permissions
    • 6. How to implement off-site history recording
      • 6.1. Node configuration
      • 6.2. Push end
      • 6.3. Collection end
    • 7. Extended reading
1. What off-site shell history recording and monitoring is

First, what "off-site history" means. The history is the ~/.bash_history file (the file name differs between shells); it records every command the user typed at the keyboard. The history can be queried with the following command.

$ history | head
 1009  ls /www
 1010  vim Makefile
 1011  cat Makefile
 1012  make index.html
 1013  vim Makefile
 1014  make index.html
 1015  vim Makefile
 1016  make index.html
 1017  vim Makefile
 1018  make index.html
$ history | tail
       find /tmp /var/
 2001  ll
 2002  cd workspace/journal/
 2003  s
 2004  ls
 2005  make shell.html
 2006  cat ~/.bash_history
       history | head | tail
$ cat ~/.bash_history | head -n
cat /etc/issue
cat /etc/resolv.conf
ifconfig
cat /etc/resolv.conf
dmd
df
df -t
cat /etc/fstab
cat /etc/issue
uname -a
ps ax
cd /srv/
ls
cd workspace/
ls
df
df -t
df
ls
cd .
ls
   

Because of space limitations I used the head and tail commands to limit the length of the output.

Now "monitoring". Monitoring means filtering the ~/.bash_history file for particular strings and, when a line matches the criteria, raising an alarm or taking some other action. For example, if we find the adduser command, the relevant staff should be notified immediately to check it.

2. Why record shell history off-site and monitor it

First, we keep a record of the user's operations so that it can be consulted at any time: we need to know which operations the system administrator performed, and the record also serves audit work. For example, one part of our development work is code review, which helps us find bugs in advance, as well as unreasonable practices and even deliberately implanted backdoors.

The history record is the operations counterpart of this: a review of operation and maintenance work (an operations review).

Next is monitoring. Note that the monitoring of ~/.bash_history described here is not real-time monitoring, because the ~/.bash_history file is only saved after the user exits the shell. Monitoring therefore lags behind, but it is enough to let us know much earlier that the system has changed.

3. When to set up off-site history recording

This system can be deployed at any time without impacting the existing business.

4. Where off-site history records are kept

History recording is divided into two parts: the node and the collection end. The collection end is also responsible for monitoring and alarms. The node sends the collected data to the collection end, and the collection end archives the logs.

5. Roles and permissions

Deployment is carried out by the account with the highest privileges.

6. How to implement off-site history recording

6.1. Node configuration

First change the history format. By default only the line number is recorded; I want to record the point in time at which each command was entered.

cat >> /etc/bashrc <<EOF
# time stamp in front of every command; the trailing space separates it from the command text
export HISTTIMEFORMAT="%Y-%m-%d-%H:%M:%S "
EOF

Now run the history command and the point in time is shown for each entry:

# history
  741  2014-12-24-10:06:26 ll
  742  2014-12-24-10:06:40 ls
  743  2014-12-24-10:06:44 ll
  744  2014-12-24-10:06:47 ls
  745  2014-12-24-10:58:13 history
6.2. Push end

$ git clone https://github.com/netkiller/logging.git
$ cd logging
$ python3 setup.py sdist
$ python3 setup.py install

Configure the startup script: open the file logging/init.d/uhistory. The excerpt below is the part that sets the collection end's address and the here-document that feeds the port/user loop.

host=127.0.0.1 # IP address of the collection end
# Port | User
#-------------------
# configure each port number together with its user
done << EOF
1220 neo
1221 jam
1222 sam
EOF
6.3. Collection end

$ git clone https://github.com/netkiller/logging.git
$ cd logging
$ python3 setup.py sdist
$ python3 setup.py install

Configure the collection ports: edit the file logging/init.d/ucollection. Each port is mapped to the archive file that receives that user's history.

done << EOF
1220 /backup/neo/.bash_history
1221 /backup/jam/.bash_history
1222 /backup/sam/.bash_history
EOF
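The following is an added example, not code from the netkiller/logging project, that ties together the monitoring idea of section 1 (alarm when a command such as adduser shows up), the time stamps of section 6.1 and the per-user archive layout of section 6.3. It assumes the collection end keeps each user's history under <root>/<user>/.bash_history, that bash wrote those files while HISTTIMEFORMAT was set (bash then stores a "#<epoch seconds>" line in front of every command), and a watch list of account-management commands chosen for this example; the archive contents are constructed.

```shell
#!/bin/sh
# Added example, not part of netkiller/logging: scan per-user history archives
# laid out like the collection end's /backup/<user>/.bash_history for watched
# commands and report when and by whom each one was run.

# Assumed watch list for this example (commands that change accounts/privileges).
WATCHED='adduser useradd userdel usermod passwd visudo'

# Build a constructed archive tree in a temporary directory and print its path.
# The "#<epoch>" lines are what bash writes when HISTTIMEFORMAT is set.
make_sample_archive() {
  root=$(mktemp -d)
  mkdir -p "$root/neo" "$root/jam"
  printf '%s\n' '#1419386786' 'ls -l' \
                '#1419386801' 'adduser tester' \
                '#1419386820' 'cat /etc/passwd' > "$root/neo/.bash_history"
  printf '%s\n' '#1419390000' 'make index.html' \
                '#1419390100' 'sudo visudo' > "$root/jam/.bash_history"
  echo "$root"
}

# Print "epoch user command" for every watched command in one user's archive.
# $1 = user name, $2 = history file. A command is reported when any word of it
# is in the watch list, so "sudo visudo" is caught as well as "visudo".
scan_history() {
  awk -v user="$1" -v watched="$WATCHED" '
    BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    /^#[0-9]+$/ { ts = substr($0, 2); next }   # time stamp line written by bash
    {
      stamp = (ts == "" ? "-" : ts)            # "-" when no stamp preceded the command
      for (i = 1; i <= NF; i++)
        if ($i in want) { print stamp, user, $0; break }
      ts = ""                                  # a stamp belongs to one command only
    }' "$2"
}

# Walk an archive root: every <user>/.bash_history below it is one user's history.
scan_archive() {
  for dir in "$1"/*/; do
    user=$(basename "$dir")
    [ -f "$dir/.bash_history" ] && scan_history "$user" "$dir/.bash_history"
  done
}

# Number of hits, usable by an alarm hook (e.g. from cron) to decide whether to notify.
alert_count() {
  scan_archive "$1" | wc -l | tr -d ' '
}

# Stand-alone run on the constructed archive.
root=$(make_sample_archive)
scan_archive "$root"
rm -rf "$root"
```

Pointed at /backup from a cron job, alert_count gives the number an alarm hook can test, and the printed lines say which user ran what and when. Because bash only appends to the history file when the shell exits, the collection end sees commands late, as section 2 notes; adding shopt -s histappend together with PROMPT_COMMAND='history -a' to /etc/bashrc makes bash write each command to the file as soon as it finishes, which shortens that lag.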
7. Extended reading

"Log archiving and data mining"
