記錄每一個 user 所下過的指令
2013-08-13 11:32
1. 在 /etc/profile、/etc/bashrc 中加入
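# Ship each interactive command line to syslog as the next prompt is drawn.
# `history -a FILE` appends only the history lines not yet written; here FILE
# is a process substitution that fans the lines out to ~/.bash_history (which
# bash otherwise writes only at logout) and to logger, one record per command.
# - The tag is kept to "$USER[$$]" with no whitespace: a syslog TAG containing
#   spaces is parsed inconsistently, and when $SSH_CONNECTION is unset (console
#   login) the old form left a trailing space in the tag.
# - The client/server addresses from $SSH_CONNECTION (or "local") go into the
#   message body instead; the "--" keeps a command that starts with "-" from
#   being read by logger as one of its own options.
# - -p user.notice is logger's default priority, written out so it visibly
#   matches the user.notice rule in syslog.conf.
# The shell's owner can unset PROMPT_COMMAND, change HISTCONTROL or start a
# different shell, so this is an accountability aid for forensics, not a
# tamper-resistant audit trail (auditd / pam_tty_audit are the controls for that).
PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | while IFS= read -r cmd; do logger -p user.notice -t "$USER[$$]" -- "${SSH_CONNECTION:-local}: $cmd"; done)'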
2. 在 /etc/syslog.conf 加入
# /etc/syslog.conf for the command-logging setup. Presumably only the last two
# rules (remote forwarding and user.notice -> /var/log/userlog) are new; the
# rest looks like the distribution's existing ruleset, shown for context.
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# NOTE: user.notice is above info, so every logged command line also lands
# here, interleaved with sshd/su session messages (the sample log below
# appears to be this file).
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# Forward everything -- authpriv and the command log included -- to the central
# collector. Classic syslogd sends "@host" as plain UDP syslog: unencrypted and
# unacknowledged, so this is a copy for correlation, not the only record; the
# collector's files need the same read restrictions as /var/log/secure.
*.* @10.39.106.214
# Command lines arrive from logger at its default priority, user.notice.
user.notice /var/log/userlog
3. 重新啟動 syslog daemon
# Apply the new rules: classic sysklogd only re-reads /etc/syslog.conf on a
# restart (or SIGHUP). On hosts running rsyslog the service name differs.
service syslog restart
4. log 如下
Aug 13 14:21:32 occas01 root[4782] : ls
Aug 13 14:21:34 occas01 root[4782] : ls -la
Aug 13 14:21:38 occas01 root[4782] : cat .bashrc
Aug 13 14:21:52 occas01 root[4782] : vi .bash_profile
Aug 13 14:21:55 occas01 root[4782] : cat .bash_profile
Aug 13 14:21:56 occas01 root[4782] : pwd
Aug 13 14:22:06 occas01 root[4782] : cat /etc/skel/.bash_profile
Aug 13 14:22:35 occas01 sshd[10088]: Connection closed by 10.39.102.100
Aug 13 14:24:49 occas01 root[4782] : cd ..
Aug 13 14:24:49 occas01 root[4782] : ls
Aug 13 14:24:51 occas01 root[4782] : ls
Aug 13 14:24:58 occas01 root[4782] : vi profile
Aug 13 14:25:04 occas01 root[4782] : cat /etc/profile
Aug 13 14:27:35 occas01 sshd[13962]: Connection closed by 10.39.102.100
Aug 13 14:29:11 occas01 su: pam_unix(su-l:session): session closed for user test
Aug 13 14:29:11 occas01 root[4992] : su - test
Aug 13 14:29:12 occas01 root[4992] : ls
Aug 13 14:29:18 occas01 root[4782] : ls
Aug 13 14:29:20 occas01 su: pam_unix(su-l:session): session closed for user root
Aug 13 14:29:20 occas01 mplususer[4736] 172.27.7.60 57535 10.39.106.201 22: su -
Aug 13 14:29:20 occas01 mplususer[4736] 172.27.7.60 57535 10.39.106.201 22: ls
Aug 13 14:29:22 occas01 sshd[4714]: pam_unix(sshd:session): session closed for user mplususer
Aug 13 14:29:27 occas01 root[4992] : cat /etc/passwd
Aug 13 14:29:30 occas01 sshd[4924]: pam_unix(sshd:session): session closed for user mplususer