The Shell history record audit and monitoring

The Shell history record audit and monitoringHttp://netkiller.github.io/journal/shell.history.html Mr.Neo Chen(Chen Jingfeng),Netkiller, Bg7nyt

China Guangdong province Shenzhen Khe Sanh Street, Longhua District, civil Administration
518131
+86 13113668890
+86 755 29812080
<[email protected]>

Copyright? Http://netkiller.github.io

Copyright Notice

Reprint please contact the author, please be sure to indicate the original source of the article and the author's information and this statement.

Document Source: Http://netkiller.github.io Http://netkiller.sourceforge.net

2014-12-25

Summary my series of documents

Netkiller Architect Codex	Netkiller Developer Codex	Netkiller PHP Codex	Netkiller Python Codex	Netkiller Testing Codex
Netkiller Cryptography Codex	Netkiller Linux Codex	Netkiller Debian Codex	Netkiller CentOS Codex	Netkiller FreeBSD Codex
Netkiller Shell Codex	Netkiller Security Codex	Netkiller Web Codex	Netkiller Monitoring Codex	Netkiller Storage Codex
Netkiller Mail Codex	Netkiller Docbook Codex	Netkiller Version Codex	Netkiller Database Codex	Netkiller PostgreSQL Codex
Netkiller MySQL Codex	Netkiller NoSQL Codex	Netkiller LDAP Codex	Netkiller Network Codex	Netkiller Cisco IOS Codex
Netkiller H3C Codex	Netkiller Multimedia Codex	Netkiller Perl Codex	Netkiller Amateur Radio Codex	Netkiller DevOps Codex

Directory

• 1. What is the shell history of offsite traces and monitoring
• 2. What to leave the shell history records offsite and monitor
• 3. When to make a historical record of an offsite leave Mark
• 4. Where to make historical records offsite marks
• 5. Roles and Permissions
• 6. How to achieve the historical record of the remote leave Mark
  • 6.1. Node configuration
  • 6.2. Push End
  • 6.3. Collection End
• 7. Extended reading

1. What is the shell history of offsite traces and monitoring

First of all to talk about what is "historical records offsite", history is the ~/.bash_history file, different shell names may be different, it will record each time the user on the keyboard to hit the command, we can query the history by the following command.

$ history | Head 1009  ls/www 1010  vim Makefile 1011  cat Makefile 1012 make  index.html 1013  vim Makefile 1014
   
    make index.html 1015  vim Makefile 1016 make  index.html 1017  Vim Makefile 1018 make  index.html $ history | Tail  find/tmp/var/2001  ll 2002  CD workspace/journal/2003  s 2004  LS 2005  make Shell.html 2006  Cat ~/.bash_history history  | Head  | tail $ cat ~/.bash _history | Head-n Cat/etc/issuecat/etc/resolv.confifconfigcat/etc/resolv.confdmddfdf-tcat/etc/fstabcat/etc/issueuname- APS AXCD/SRV/LSCD WORKSPACE/LSDFDF-TDFLSCD. Ls
   

Due to space limitations, I used the head,tail command to limit the display length.

Now I am looking at "monitoring", monitoring is to filter the ~/.bash_history file within the string, to meet the criteria, to make alarm operations and so on. For example, we found that the AddUser command should immediately notify the relevant personnel to check.

2. What to leave the shell history records offsite and monitor

First we will leave the user to operate the mark, in order to facilitate the access at any time, we need to know that the system administrator did those operations, but also for the audit work. For example, one of the aspects of our development work is code Review, which helps us to detect bugs in advance, as well as unreasonable practices, even artificial backdoor implants, and so on.

The historical record is the sysop review of operation and maintenance work (Operation and maintenance review).

Next is monitoring, note that the ~/.bash_history monitoring here is not real-time monitoring, because only the user launched the shell before the ~/.bash_history file can be saved. So monitoring is lagging, but enough to help us know that the system has changed so much earlier.

3. When to make a historical record of an offsite leave mark

This system can be deployed in real time without impacting existing business.

4. Where to make historical records offsite marks

Historical records are divided into two parts, the first part is a node, the second part is the collection end, collecting section is also responsible for monitoring and alarm. The node sends the collected data to the collection end, and then collects the end archive log.

5. Roles and Permissions

The highest authority is responsible for deployment

6. How to achieve the historical record of the remote leave mark6.1. Node configuration

First change the history format, the default is only the line number, I need to record each command input point in time.

Cat >>/ETC/BASHRC <<eofexport histtimeformat= "%y-%m-%d-%h:%m:%s" EOF

Now enter the history command and you can see the point in time

# History  741  2014-12-24-10:06:26 ll  742  2014-12-24-10:06:40 ls  743  2014-12-24-10:06:44 ll  744  2014-12-24-10:06:47 ls  745  2014-12-24-10:58:13 History

6.2. Push End

$ git clone https://github.com/netkiller/logging.git$ cd logging$ python3 setup.py sdist$ python3 setup.py Install

Configure startup scripts to open files Logging/init.d/uhistory

host=127.0.0.1 #此处为收集端的IP地址 # Port | User #-------------------# Configure port number with users done << EOF1220 neo1221 jam1222 sameof

6.3. Collection End

$ git clone https://github.com/netkiller/logging.git$ cd logging$ python3 setup.py sdist$ python3 setup.py Install

Configure the collection port, edit the file logging/init.d/ucollection

Done << eof1220/backup/neo/.bash_history1221/backup/jam/.bash_history1222/backup/sam/.bash_historyeof

7. Extended Reading

"Log archiving and data mining"

The Shell history record audit and monitoring