2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to implement user auditing on a Linux system: every command a user runs is written to a log together with who ran it, from which terminal and address, and when, so that operations can be traced afterwards. The content is simple and easy to follow; work through it step by step with the editor.
Create an audit log directory
The code is as follows:
mkdir -p /var/log/user_audit
Create a user audit log file
The code is as follows:
touch /var/log/user_audit/user_audit.log
Assign the file to a low-privilege user
The code is as follows:
chown nobody:nobody /var/log/user_audit/user_audit.log
Give everyone write permission (mode 002: other users may only write to the file, nobody may read it)
The code is as follows:
chmod 002 /var/log/user_audit/user_audit.log
Make the file append-only, so that records already written cannot be edited or truncated even by a user who can write to the file
The code is as follows:
chattr +a /var/log/user_audit/user_audit.log
Edit /etc/profile and add the following
The code is as follows:
export HISTORY_FILE=/var/log/user_audit/user_audit.log
export PROMPT_COMMAND='{ date "+%y-%m-%d %T # $(who am i | awk "{print \$1\" \"\$2\" \"\$5}") # $(history 1 | { read x cmd; echo "$cmd"; })"; } >> $HISTORY_FILE'
(The tail of the PROMPT_COMMAND line is cut off in the original. The version above completes it with the "history 1" trick used in the example below, so that each record, date and time, login user, tty and source address from "who am i", and the last command, is appended to $HISTORY_FILE every time the prompt is drawn.)
Example
Server privileges shared by many people are hard to manage: when a misoperation or other failure occurs there is nothing to investigate. The best remedy is to record user operations to a log in real time (login time, working directory, command and timestamp) and push the log to a remote log server, so that events can be traced afterwards.
Environment: CentOS 5.5 x86_64, two hosts. Note: the firewall and SELinux are turned off on both hosts for this exercise.
(1) Log server IP: 10.0.2.164
(2) Client server IP: 10.0.2.165
1. First, operate on the log server host 10.0.2.164:
The code is as follows:
[root@MySQL-B ~]# echo "*.info /var/log/client" >> /etc/syslog.conf
# configure the file the received logs are saved to; move the *.info entry to the first line of the file, on a line of its own.
[root@MySQL-B ~]# service syslog restart # restart the syslog service.
Shutting down kernel logger: [OK]
Shutting down system logger: [OK]
Starting system logger: [OK]
Starting kernel logger: [OK]
[root@MySQL-B ~]# vim /etc/sysconfig/syslog # allow syslogd to receive messages from remote clients.
Change SYSLOGD_OPTIONS="-m 0" to: SYSLOGD_OPTIONS="-m 1 -r"
# -r makes syslogd listen for remote messages on UDP port 514 and -m sets the interval in minutes between "-- MARK --" lines. The new options only take effect after another restart, so run "service syslog restart" once more after saving this file.
2. Then operate on the client server host 10.0.2.165:
The code is as follows:
[root@MySQL-A ~]# vim /etc/profile # add the line shown below.
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg"; }'
# whoami gives the effective user; who am i gives the login user, tty, login time and source address, which is the "root pts/1 Apr 6 10:37 (10.0.2.188)" part of the records shown in step 4. logger sends the line to the local syslog at the default user.notice priority, so it matches the *.info selector configured below.
[root@MySQL-A ~]# source /etc/profile # reload the profile by hand.
2.1. Still on the client host 10.0.2.165, point syslog at the log server:
The code is as follows:
[root@MySQL-A ~]# echo "10.0.2.164 logserver" >> /etc/hosts # log server address.
[root@MySQL-A ~]# echo "*.info @logserver" >> /etc/syslog.conf
# push info-level and higher messages to the log server; move the *.info entry to the first line of the file, on a line of its own.
[root@MySQL-A ~]# /etc/init.d/syslog restart # restart syslog.
Shutting down kernel logger: [OK]
Shutting down system logger: [OK]
Starting system logger: [OK]
Starting kernel logger: [OK]
3. Test: run a few commands on the client host 10.0.2.165:
The code is as follows:
[root@MySQL-A ~]# test
[root@MySQL-A ~]# echo "this is a test 1"
this is a test 1
[root@MySQL-A ~]# echo "this is a test 2"
this is a test 2
[root@MySQL-A ~]# echo "this is a test 3"
this is a test 3
[root@MySQL-A ~]# echo "this is a test 4"
this is a test 4
[root@MySQL-A ~]# echo "this is a test 5"
this is a test 5
4. Back on the log server 10.0.2.164, check whether the commands run on the client host were recorded:
The code is as follows:
[root@MySQL-B ~]# cat /var/log/client
Apr 6 10:37:55 10.0.2.165 root: [euid=root]: root pts/1 Apr 6 10:37 (10.0.2.188): [/root] echo "this is a test1"
Apr 6 10:37:59 10.0.2.165 root: [euid=root]: root pts/1 Apr 6 10:37 (10.0.2.188): [/root] echo "this is a test2"
Apr 6 10:38:01 10.0.2.165 root: [euid=root]: root pts/1 Apr 6 10:37 (10.0.2.188): [/root] echo "this is a test3"
Apr 6 10:38:04 10.0.2.165 root: [euid=root]: root pts/1 Apr 6 10:37 (10.0.2.188): [/root] echo "this is a test4"
Apr 6 10:38:06 10.0.2.165 root: [euid=root]: root pts/1 Apr 6 10:37 (10.0.2.188): [/root] echo "this is a test5"
Each record contains: # operation time # client IP # effective user (euid) # login user, tty, login time and source address (from "who am i") # working directory # command run
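As an added example (not part of the original article), here is a small shell parser for the records that the step-2 PROMPT_COMMAND delivers to /var/log/client, plus a check that makes use of the euid field: it flags records where the effective user differs from the user who logged in, which is how a su or sudo session shows up in this log. The sample log lines are constructed to match the article's format; the third line imitates a user "alice" who switched to root before running a command.

```shell
#!/bin/bash
# Added example: parse /var/log/client records of the form
#   Apr 6 10:37:55 10.0.2.165 root: [euid=root]: root pts/1 Apr 6 10:37 (10.0.2.188): [/root] echo "..."
# and flag records whose effective user (euid) is not the login user.
# SAMPLE_LOG is constructed for this example, not taken from a real host.
SAMPLE_LOG='Apr 6 10:37:55 10.0.2.165 root: [euid=root]: root pts/1 Apr 6 10:37 (10.0.2.188): [/root] echo "this is a test1"
Apr 6 10:37:59 10.0.2.165 root: [euid=root]: root pts/1 Apr 6 10:37 (10.0.2.188): [/root] echo "this is a test2"
Apr 6 10:41:12 10.0.2.165 root: [euid=root]: alice pts/2 Apr 6 10:40 (10.0.2.190): [/etc] cat shadow'

# Convert each record into 8 tab-separated fields:
#   op_time  client_ip  euid  login_user  tty  remote_host  cwd  command
parse_client_log() {
  local tab
  tab=$(printf '\t')
  printf '%s\n' "$1" | sed -E \
    "s/^([A-Z][a-z]{2} +[0-9]+ [0-9:]{8}) ([0-9.]+) [^:]+: \[euid=([^]]+)\]: ([^ ]+) ([^ ]+) [^(]*\(([^)]*)\): \[([^]]*)\] (.*)\$/\1${tab}\2${tab}\3${tab}\4${tab}\5${tab}\6${tab}\7${tab}\8/"
}

# Print the records where the effective user is not the login user
# (a su or sudo session), with the fields an investigator needs first.
flag_privilege_switch() {
  parse_client_log "$1" |
    awk -F '\t' '$3 != $4 { print $1 " client=" $2 " login=" $4 " euid=" $3 " cwd=" $7 " cmd=" $8 }'
}

# Number of records parsed (every input line yields one record)
count_records() {
  parse_client_log "$1" | wc -l | tr -d ' '
}

parse_client_log "$SAMPLE_LOG"
echo "--- privilege switches ---"
flag_privilege_switch "$SAMPLE_LOG"
```

Records from sessions without a controlling terminal (cron jobs, non-interactive ssh commands) have an empty "who am i" section and do not match the sed pattern, so they pass through unchanged; filter for lines without tabs to review those separately.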
Thank you for reading. The above is the content of "how to achieve user audit under the Linux system"; after studying this article you should have a deeper understanding of how user auditing can be implemented on Linux. The editor will continue to publish articles on related topics, so please follow along.