linux 日志审计 w命令,Linux系统命令审计

命令审计

1、 创建审计日志文件存放目录：

[root@Centos-1 ~]# mkdir -p /tmp/logs/host_log

2、 更改目录权限使其可写、防删除：

[root@Centos-1 ~]# chmod 777 /tmp/logs/host_log

[root@Centos-1 ~]# chmod +t /tmp/logs/host_log

3、 编辑/etc/profile，在文件最后增加如下：

[root@Centos-1 ~]# vim /etc/profile

#命令审计

if [ ! -d /tmp/logs/host_log/${LOGNAME} ]

then

mkdir -p /tmp/logs/host_log/${LOGNAME}

chattr +a #时该文件内容只可追加 /tmp/logs/host_log/${LOGNAME}

fi

export HISTORY_FILE="/tmp/logs/host_log/${LOGNAME}/commond_history.log"

export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'

4、 查看效果：

[root@Centos-1 ~]# ls /tmp/logs/host_log/

root

[root@Centos-1 ~]# ls /tmp/logs/host_log/root/

commond_history.log

[root@Centos-1 ~]# cat /tmp/logs/host_log/root/commond_history.log

2017-09-27 13:14:22 ##### root pts/1 (192.168.15.253) #### ipvsadm -e -t 192.168.14.13:80 -r 192.168.14.127 -w 0

2017-09-27 13:14:27 ##### root pts/1 (192.168.15.253) #### ls

2017-09-27 13:14:56 ##### root pts/1 (192.168.15.253) #### w

2017-09-27 13:15:31 ##### root pts/1 (192.168.15.253) #### pwd

2017-09-27 13:15:35 ##### root pts/1 (192.168.15.253) #### ls

[root@Centos-1 ~]# rm -f /tmp/logs/host_log/root/commond_history.log

rm: 无法删除"/tmp/logs/host_log/root/commond_history.log": 不允许的操作