Shell History Audit and Monitoring
http://netkiller.github.io/journal/shell.history.html
Mr. Neo Chen (Chen Jingfeng), Netkiller, BG7NYT
Khe Sanh Street, Civil Administration, Longhua District, Shenzhen, Guangdong, China 518131
+86 13113668890
+86 755 29812080
<[email protected]>
Copyright © http://netkiller.github.io
Copyright notice: for reprints please contact the author, and be sure to indicate the original source of the article, the author's information and this statement.
Document source:
http://netkiller.github.io
http://netkiller.sourceforge.net
2014-12-25
Directory
- 1. What is remote shell history archiving and monitoring
- 2. Why archive shell history remotely and monitor it
- 3. When to archive history remotely
- 4. Where to archive history remotely
- 5. Roles and permissions
- 6. How to implement remote history archiving
- 6.1. Node configuration
- 6.2. Push end
- 6.3. Collection end
- 7. Extended reading
1. What is remote shell history archiving and monitoring
First, what is meant by "remote archiving of history". The history is the ~/.bash_history file (the file name differs between shells); it records every command the user types at the keyboard, and we can query it with the following command.
$ history | head
 1009  ls /www
 1010  vim Makefile
 1011  cat Makefile
 1012  make index.html
 1013  vim Makefile
 1014  make index.html
 1015  vim Makefile
 1016  make index.html
 1017  vim Makefile
 1018  make index.html
$ history | tail
       find /tmp /var/
 2001  ll
 2002  cd workspace/journal/
 2003  s
 2004  ls
 2005  make shell.html
 2006  cat ~/.bash_history
       history | head
       history | tail
$ cat ~/.bash_history | head -n
cat /etc/issue
cat /etc/resolv.conf
ifconfig
cat /etc/resolv.conf
dm
d
df
df -t
cat /etc/fstab
cat /etc/issue
uname -a
ps ax
cd /srv/
ls
cd workspace/
ls
df
df -t
df
ls
cd ..
ls
Because of space limitations, I used the head and tail commands to limit the length of the output.
Now for "monitoring". Monitoring means filtering the contents of ~/.bash_history for particular strings and, when a match meets the criteria, raising an alarm or taking some other action. For example, if the adduser command is found, the relevant personnel should be notified immediately so they can check it.
2. Why archive shell history remotely and monitor it
First, we keep a record of the users' operations so that it can be consulted at any time: we need to know which operations the system administrators performed, and the record also serves audit work. For example, one part of our development work is code review, which helps us detect bugs and unreasonable practices in advance, and even deliberately planted backdoors.
The history record is the operations counterpart: a review of operation and maintenance work (operation and maintenance review).
Next is monitoring. Note that the monitoring of ~/.bash_history described here is not real-time, because the ~/.bash_history file is only saved after the user leaves the shell. So monitoring lags behind, but it is enough to let us learn much earlier that the system has changed.
3. When to archive history remotely
This system can be deployed at any time without impacting the existing business.
4. Where to archive history remotely
The history archiving system is divided into two parts: the first is the node, the second is the collection end; the collection end is also responsible for monitoring and alarms. The node sends the collected data to the collection end, and the collection end archives the logs.
5. Roles and permissions
Deployment requires the highest privilege.
6. How to implement remote history archiving
6.1. Node configuration
First change the history format. By default only the line number is recorded; I need to record the point in time at which each command was entered.
cat >> /etc/bashrc << EOF
export HISTTIMEFORMAT="%Y-%m-%d-%H:%M:%S "
EOF
The trailing space inside the quotes keeps the timestamp separated from the command in the history output.
Now run the history command and you can see the point in time:
# history
  741  2014-12-24-10:06:26 ll
  742  2014-12-24-10:06:40 ls
  743  2014-12-24-10:06:44 ll
  744  2014-12-24-10:06:47 ls
  745  2014-12-24-10:58:13 history
6.2. Push end
$ git clone https://github.com/netkiller/logging.git
$ cd logging
$ python3 setup.py sdist
$ python3 setup.py install
Configure the startup script: open the file logging/init.d/uhistory
host=127.0.0.1 # IP address of the collection end
# Port | User
#-------------------
# configure the port numbers and the users
done << EOF
1220 neo
1221 jam
1222 sam
EOF
6.3. Collection end
$ git clone https://github.com/netkiller/logging.git
$ cd logging
$ python3 setup.py sdist
$ python3 setup.py install
Configure the collection ports: edit the file logging/init.d/ucollection
done << EOF
1220 /backup/neo/.bash_history
1221 /backup/jam/.bash_history
1222 /backup/sam/.bash_history
EOF
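As an added illustration of the monitoring described in section 1, applied to the per-user archives the collection end writes (for example /backup/neo/.bash_history), here is a small Python script that is not part of the netkiller/logging project. It parses the "#<epoch>" stamp lines bash writes before each command once HISTTIMEFORMAT is set and reports commands such as adduser; the command list beyond adduser and the sample history are assumptions constructed for the example.

```python
import re
from datetime import datetime, timezone

# Commands worth a notification when they appear in an archived history.
# adduser is the page's example; the others are an assumed extension.
SENSITIVE = re.compile(r"^(sudo\s+)?(adduser|useradd|userdel|usermod|passwd|visudo)\b")


def parse_history(text):
    """Yield (epoch, command) pairs from a bash history file.

    With HISTTIMEFORMAT set, bash stores each command's timestamp as a
    '#<epoch>' comment line immediately before the command. Entries that
    were written before the setting existed have no stamp and get None.
    """
    stamp = None
    for line in text.splitlines():
        m = re.fullmatch(r"#(\d+)", line)
        if m:
            stamp = int(m.group(1))
            continue
        if line.strip():
            yield stamp, line.strip()
            stamp = None


def find_alerts(text):
    """Return [(timestamp string, command)] for commands matching SENSITIVE."""
    alerts = []
    for epoch, cmd in parse_history(text):
        if SENSITIVE.match(cmd):
            when = ("unknown" if epoch is None else
                    datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d-%H:%M:%S"))
            alerts.append((when, cmd))
    return alerts


# Constructed sample of what the collection end archives under
# /backup/<user>/.bash_history; the timestamps are made up.
SAMPLE = """#1419386786
ls /www
#1419386800
sudo adduser tmpuser
#1419386950
vim Makefile
#1419387000
passwd tmpuser
"""

if __name__ == "__main__":
    for when, cmd in find_alerts(SAMPLE):
        print(f"ALERT {when} {cmd}")
```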
7. Extended Reading
"Log archiving and data mining"