How to use the History command in linux

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains in detail how to use the history command in Linux. The editor finds it very practical and shares it here as a reference; I hope you get something out of it.

1. Add time to the command history

By default, as shown in the figure below, the history carries no command execution time, which makes audit analysis harder.

Set `export HISTTIMEFORMAT='%F %T '` to include the execution time of each command in the history.

Note the space between "%T" and the closing "'"; without it there is no separator between the time and the command when viewing the history.

To make this permanent, write the setting in /etc/profile; if you only want it for a specific user, write it in /home/$USER/.bash_profile instead.

This article uses /etc/profile as the example.

To make the configuration take effect immediately, run `source /etc/profile`. Looking at the history again, each record now contains the command execution time.

If you want more detailed records, for example a one-to-one mapping between the logged-in user, the source IP address, the command and the time it was run, add the following line to /etc/profile:

```
export HISTTIMEFORMAT="%F %T `who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'` `whoami` "
```

Note that the spaces, including the trailing one before the closing quote, are required.

After /etc/profile is modified and reloaded, the history records look as follows: time, IP address, user and executed command correspond one to one.

The configuration above is basically enough for day-to-day audit work, but anyone who knows the system will quickly see that it only sets an environment variable: an attacker can unset the variable or simply delete the command history, which is a disaster for security incident response.

How should we deal with this problem? That is today's focus. By modifying the bash source code so that history records are sent to a remote log server through syslog, we greatly increase the difficulty for an attacker who wants to destroy the integrity of the history.

2. Modify the bash source code to support syslog records

First, download the bash source code from gnu.org. The details are not covered here; the system needs a build environment such as gcc. We use bash 5.4 for the demonstration.

Modify the source file bashhist.c.

Modify the source file config-top.h and uncomment the line `/* #define SYSLOG_HISTORY */`.

The build and installation process is not described in detail. The configure parameters used in this article are `./configure --prefix=/usr/local/bash`. After a successful installation the directory layout is as follows:

At this point you can either change the user's shell in /etc/passwd or directly replace the original bash binary with the newly compiled one; in either case, back up the original file first.

There are two points to note when replacing:

1. Make sure the file has execute permission. It is set by default, but it is sometimes lost when the file is downloaded to a Windows system and uploaded again. Check this, or you will regret it.

2. The original bash is in use while you replace it. Change the user's shell to another one first, then replace the binary.

Checking the result, we find that the history records are now written to /var/log/messages.

If you want to write to a remote log server, you need to configure the syslog service; that configuration is not explained in detail here and is left for you to study. The effect of forwarding to the remote log server is shown in the following figure.
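Once every command is in syslog, the records can be searched for the evasions mentioned above (unsetting the history variables, clearing the history list, deleting the history file). The script below is an added example, not part of the original article: it parses the `HISTORY: PID=<pid> UID=<uid> <command>` message body that a bash built with SYSLOG_HISTORY writes, over a constructed sample of /var/log/messages lines, and reports the tampering commands without flagging an ordinary read of the history file.

```shell
# Constructed sample of /var/log/messages lines as written by a bash built
# with SYSLOG_HISTORY: the body is "HISTORY: PID=<pid> UID=<uid> <command>".
SAMPLE_LOG='Jun  1 10:00:01 web01 bash[2231]: HISTORY: PID=2231 UID=1000 ls -la /var/log
Jun  1 10:00:07 web01 bash[2231]: HISTORY: PID=2231 UID=1000 unset HISTFILE
Jun  1 10:00:09 web01 bash[2231]: HISTORY: PID=2231 UID=1000 history -c
Jun  1 10:01:15 web01 bash[2300]: HISTORY: PID=2300 UID=0 rm -f /root/.bash_history
Jun  1 10:02:00 web01 bash[2310]: HISTORY: PID=2310 UID=1000 grep ssh /home/alice/.bash_history
Jun  1 10:02:30 web01 bash[2310]: HISTORY: PID=2310 UID=1001 cat /etc/hostname'

# Read syslog text on stdin and print "uid=<uid> pid=<pid> cmd=<command>" for
# every logged command that disables, clears or deletes the local history.
# Reading the history file (cat/grep) is not flagged; unsetting or shrinking
# HIST* variables, history -c/-d/-w, and rm/shred/truncate/ln or a redirect
# onto a bash_history file are.
flag_history_tampering() {
    awk '
    {
        n = index($0, "HISTORY: PID=")
        if (n == 0) next                  # not a bash history record
        rest = substr($0, n + 13)         # "<pid> UID=<uid> <command>"
        split(rest, f, " ")
        pid = f[1]
        uid = substr(f[2], 5)             # strip the "UID=" prefix
        cmd = substr(rest, length(f[1]) + length(f[2]) + 3)
        if (cmd ~ /^ *(unset|export) +HIST(FILE|SIZE|FILESIZE)/ ||
            cmd ~ /^ *history +-[cdw]/ ||
            cmd ~ /(^|[ ;&|]) *(rm|shred|truncate|ln) [^;&|]*bash_history/ ||
            cmd ~ />+ *[^ ;&|]*bash_history/)
            printf "uid=%s pid=%s cmd=%s\n", uid, pid, cmd
    }'
}

# Number of flagged records in a block of log text, printed as an integer.
count_history_tampering() {
    printf '%s\n' "$1" | flag_history_tampering | grep -c .
}

printf '%s\n' "$SAMPLE_LOG" | flag_history_tampering
count_history_tampering "$SAMPLE_LOG"    # prints 3
```

In practice the same filter is run against the forwarded log on the remote log server, where the attacker who cleared the local history has no write access.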

With the above measures we can effectively protect the integrity of the history records and stop an attacker from covering their tracks after logging in by unsetting environment variables or deleting the history, giving security audits and incident response complete original data to work from.

This is the end of this article on "how to use the history command in Linux". I hope the content above is of some help to you and lets you learn more; if you think the article is good, please share it so that more people can see it.
