Shulou(Shulou.com)06/01 Report--

This article mainly explains "how to view all the historical operations of users in linux". The explanation in the article is simple and clear and easy to learn and understand. Please follow the editor's train of thought to study and learn "how to view all historical operations of users in linux".

Under linux, you can use the history command to view all the historical actions of the user, while the record of the shell command operation is saved by default in the .bash _ history file in the user directory. Through this file, you can query the execution history of shell commands, which is helpful for operation and maintenance personnel to carry out system audit and troubleshooting. At the same time, after the server is attacked by hackers, you can also query the historical command operations of hackers logging in to the server. However, after the intrusion, in order to erase the trace, the hacker will delete the .bash _ history file, which requires a reasonable backup of this file.

The default history command can only view the user's history of operations, but cannot distinguish when each user operates the command. This is quite inconvenient for troubleshooting. The workaround is to add the following four lines to the / etc/bashrc file to have the history command automatically record the execution time of all shell commands:

The copy code is as follows:

Histfilesize=4000

Histsize=4000

Histtimeformat='%f% t'

Export histtimeformat

Histfilesize represents the total number of records saved in the .bash _ history file. The default value is 1000. HistSize defines the total number of records output by the history command; histtimeformat defines the time display format, which is the same as the "+"% f% t "" after the date command; and histtimeformat passes the value to the history command as a time variable of history.

Advanced skills

Although the above one can record the time, it can not be used for audit purposes and can be easily tampered with or lost by hackers. The following method records in detail the user who logged in to the system, the ip address, the shell command, and the time of the detailed operation. The information is stored in a safe place in the form of a file for system audit and troubleshooting.

You can do this by putting the following code into the / etc/profile file.

The copy code is as follows:

# record history operation

User_ip= `who-u am i 2 > / dev/null | awk'{print $nf}'| sed-e's / [()] / / g``

Logname= `who-u am i | awk'{print $1}'`

Histdir=/user/share/.history

If [- z $user_ip]

Then

User_ip= `hostname`

Fi

If [!-d $histdir]

Then

Mkdir-p $histdir

Chmod 777$ histdir

Fi

If [!-d $histdir/$ {logname}]

Then

Mkdir-p $histdir/$ {logname}

Chmod 300$ histdir/$ {logname}

Fi

Export histsize=4000

Dt= `date + "% y%m%d_%h%m%s" `

Export histfile= "$histdir/$ {logname} / ${user_ip} .history. $dt"

Export histtimeformat= "[% y.%m.%d% h:%m:%s]"

Chmod 600$ histdir/$ {logname} / * .history* 2 > / dev/null

Thank you for your reading, the above is the content of "how to view all the historical operations of users in linux". After the study of this article, I believe you have a deeper understanding of how to view all the historical operations of users in linux. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.