标签:shared details localhost mon histsize ado share nes 没有
网上查了实现命令审计大概有以下几种:
查不到了,改天再补充
以下环境基于CentOS 6
# history时间格式 sed -i ‘/^HISTSIZE/a HISTTIMEFORMAT="%F %T "‘ /etc/profile # 命令审计 cat > /etc/profile.d/cmd_log.sh << ‘EOF‘ readonly PROMPT_COMMAND=‘{ cmd=$(history 1 | { read a b c d; echo "$d"; });msg=$(who am i |awk "{print \$2,\$5}");logger -i -p local1.notice "$msg $USER $PWD # $cmd"; }‘ EOF # 修改rsyslog sed -i ‘s@*\.info.*@*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages@‘ /etc/rsyslog.conf sed -i ‘/^local7/a local1.notice /var/log/cmd.log‘ /etc/rsyslog.conf/etc/init.d/rsyslog restart # cmd.log日志轮询 cat > /etc/logrotate.d/cmd_log << ‘EOF‘ /var/log/cmd.log { monthly missingok rotate 12 sharedscripts postrotate /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true endscript } EOF
以上没有用/etc/logrotate.d/syslog去轮替/var/log/cmd.log,因为syslog默认周期是采用/etc/logrotate.conf每周轮替一个文件,登录系统敲打的命令没有那么多,自定义一个月时间轮替一次。
[root@localhost ~]# cat /etc/logrotate.d/syslog /var/log/cron /var/log/maillog /var/log/messages /var/log/secure /var/log/spooler { sharedscripts postrotate /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true endscript } [root@localhost ~]# head /etc/logrotate.conf # see "man logrotate" for details # rotate log files weekly weekly # keep 4 weeks worth of backlogs rotate 4 # create new (empty) log files after rotating old ones create
标签:shared details localhost mon histsize ado share nes 没有
原文地址:http://www.cnblogs.com/hjfeng1988/p/6808996.html
