审计:记录用户执行命令,并上传到日志服务器上
一、编辑/etc/profile
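# Per-session shell-history audit trail, appended to /etc/profile.
# Every interactive login gets its own history file under HISTDIR, named
# <login>.<source>.history.<timestamp>, and PROMPT_COMMAND appends the last
# history entry after each command so rsyslog's imfile input can ship it.
# Best-effort by design: the variables below live in the user's own shell, so
# treat this as supplementary to kernel-side auditing (auditd / pam_tty_audit)
# wherever completeness matters.

HISTDIR=/usr/share/.history   # must match the File= glob in rsyslog's bash_log.conf

# Source of this login: last field of `who -u am i` with the parentheses
# stripped; falls back to the local hostname for console / non-tty sessions.
# Only an address when the login was remote; may be a hostname if utmp holds one.
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ -z "$USER_IP" ]; then
  USER_IP=$(hostname)
fi

# 1777 (sticky bit) instead of 777: every user can create their own history
# file, but cannot delete or rename another user's.
if [ ! -d "$HISTDIR" ]; then
  mkdir -p "$HISTDIR"
  chmod 1777 "$HISTDIR"
fi

export HISTSIZE=9999
DT=$(date +%Y%m%d_%H%M%S)
# LOGNAME is normally set by login/sshd; fall back to id -un so the file name
# never degenerates to "<dir>/.<host>.history.<ts>".
export HISTFILE="$HISTDIR/${LOGNAME:-$(id -un)}.${USER_IP}.history.$DT"

# Real login user even behind sudo/su: SUDO_USER when set, otherwise the user
# recorded on the nearest uid transition in the process tree.
# NOTE(review): the copied regex had its backslashes stripped; confirm the
# pattern against real `pstree -Alsu $$` output on the target hosts.
original_user=${SUDO_USER:-$(pstree -Alsu "$$" 2>/dev/null | sed -n "s/.*(\([^)]*\)).*($USER)[^(]*$/\1/p")}
export HISTTIMEFORMAT="|normal|%F %T|${original_user:-$USER}|$$|"

# Fixed from `%HISTDIR/...histroy*`, which never matched a file (and the error
# was hidden by 2>/dev/null). 644 keeps the files readable by the rsyslog
# reader; because command lines can carry secrets, restrict access on the
# log-server side rather than widening it here.
chmod 644 "$HISTDIR/${LOGNAME:-$(id -un)}".*.history* 2>/dev/null

# Write-as-you-go: append the most recent entry after every command, so a
# killed or crashed shell still leaves a trail (history -w at exit would not).
export PROMPT_COMMAND='builtin history 1 >> $HISTFILE'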
二、编辑/etc/rsyslog.d/bash_log.conf
# Tail every per-session history file written by the /etc/profile snippet and
# inject each appended line into the syslog stream (tag bash-log, local7.debug).
# NOTE(review): File= below watches /var/log/.bash_history, while the profile
# snippet on this page writes to HISTDIR=/usr/share/.history — one of the two
# paths has to change, otherwise nothing is ever shipped.
# PollingInterval="1" only matters where inotify is unavailable; the glob in
# File= gives every session file its own imfile state, and
# deleteStateOnFileDelete="on" discards that state when a session file is removed.
module(load="imfile" PollingInterval="1")
input(type="imfile"
      File="/var/log/.bash_history/*history*"
      Tag="bash-log"
      Facility="local7"
      Severity="debug"
      deleteStateOnFileDelete="on"
)
三、编辑/etc/rsyslog.d/logserver.conf
# Forward to the central log server. A single `@` is plain UDP: unauthenticated
# and lossy, so the audit trail can be silently dropped or spoofed in transit;
# `@@` selects TCP, and a TLS-backed omfwd action is the stronger option.
# `*.*` forwards every facility and priority, not only the local7 bash-log
# stream; `local7.*` would limit the feed to the history lines.
# 1.1.1.1 is a placeholder — substitute the real log server address.
*.* @1.1.1.1 # log server IP