Use PROMPT_COMMAND in Linux to implement audit

This system audit records users, times, and operations. Then, record the information to a file.

1. Configuration

 

1. Add the following two lines of code at the end of the/etc/profile file:

 

 

 

Export HISTORY_FILE =/var/log/'date' + % Y % m''. log

Export PROMPT_COMMAND = '{date "+ % Y-% m-% d % T ##### $ (who am I | awk" {print \ $1 \"\" \ $2 \ "\ $5 }") ####$ (history 1 | {read x cmd; echo "$ cmd" ;}) ";}>> $ HISTORY_FILE'

After adding, save and exit. In this way, any operation command will be viewed in/var/log/date. log. You can also customize directories or files. Allow others to view the data only if they cannot find it. You only need to modify

 

Export HISTORY_FILE =/var/log/'date' + % Y % m''. log

/Etc/profile: This file sets the environment information for each user in the system. When the user logs on for the first time, this file is executed. and from/etc/profile. the configuration file in the d directory Collects shell settings.

 

[Root @ node1 ~] #./Etc/profile or [root @ node1 ~] # Source/etc/profile

Make the change take effect. If no error is reported, the change is successful.

 

Verify whether there is data in the log

 

 

 

[Root @ node1 ~] # More/var/log/201107.log

17:29:08 ##### root pts/2 (192.168.23.250) ###./etc/profile

You can see that there is data in it.

 

You can also use

 

 

 

PROMPT_COMMAND = '{date "+ % Y-% m-% d % T ##### USER: $ user ip: $ SSH_CLIENT PS: $ SSH_TTY ####$ (history 1 | {read x cmd; echo "$ cmd" ;}) ";>>> $ HISTORY_FILE'

The command is different, but the result is the same.

 

This article is from the "badboy" blog