1. Audit record of all operations
Add the following to the system-wide environment file /etc/profile; it records the commands run by every user who logs in to the system.
# history bash: one history file per login session, named <user>@<source IP>_<timestamp>
USER=`whoami`
# last field of "who -u am i" is the login source in parentheses; strip the parentheses
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
# local console logins have no source address; fall back to the hostname
if [ "$USER_IP" = "" ]; then
    USER_IP=`hostname`
fi
if [ ! -d /var/log/history ]; then
    mkdir /var/log/history
    chmod 777 /var/log/history
fi
# per-user directory: write/execute only, so the owner cannot list or read earlier files
if [ ! -d /var/log/history/${LOGNAME} ]; then
    mkdir /var/log/history/${LOGNAME}
    chmod 300 /var/log/history/${LOGNAME}
fi
export HISTSIZE=4096
DT=`date +"%Y%m%d_%H:%M:%S"`
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null
For example:
[root@danny opt]# ls /var/log/history/root/
root@IP_20180914_13:35:45
2. sudo audit log
echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
Then run
[danny@x]$ sudo userdel -r jeck
and the log entry can be seen:
[root@x log]# cat /var/log/sudo.log
Sep 14 14:09:19 : danny : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/sbin/userdel -r jeck
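As an added example (not code from the original post), the following Python parser reads the two audit sources set up in sections 1 and 2: it turns sudo log entries of the format shown above into structured records, flags account-management commands such as the userdel in the example, and splits the per-session history file names (<user>@<source>_<date>_<time>) into user, login source and session start. The sample log lines and file names are constructed for the example (192.0.2.10 is a documentation address), and the watch list beyond userdel is an assumption.

```python
"""Parse the two audit sources described above: the sudo log and the
per-session history file names. All input below is constructed sample data."""
import os
import re
from datetime import datetime

# Constructed sample of /var/log/sudo.log. sudo wraps long entries at
# 80 columns (Defaults loglinelen) and indents the continuation line,
# which the second entry reproduces so the parser can re-join it.
SUDO_LOG = """\
Sep 14 14:09:19 : danny : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/sbin/userdel -r jeck
Sep 14 14:12:03 : danny : TTY=pts/1 ; PWD=/home/danny ; USER=root ;
    COMMAND=/bin/cat /etc/shadow
Sep 14 14:15:40 : alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root
"""

# Constructed listing of /var/log/history/root/ as produced by the
# HISTFILE naming scheme: <user>@<source>_<YYYYmmdd>_<HH:MM:SS>.
HISTORY_FILES = ["root@192.0.2.10_20180914_13:35:45",
                 "root@danny_20180914_09:02:11"]

SUDO_ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) : (?P<invoker>\S+) : (?P<fields>.*)$")
HISTORY_NAME = re.compile(
    r"^(?P<user>[^@]+)@(?P<source>.+)_(?P<date>\d{8})_(?P<time>\d{2}:\d{2}:\d{2})$")

# Account and privilege management commands a reviewer wants surfaced;
# userdel is the one the page shows, the others are assumed additions.
WATCHED = {"useradd", "userdel", "usermod", "passwd", "visudo", "su"}


def join_continuations(text):
    """Re-join sudo's wrapped log lines (continuations start with whitespace)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.rstrip())
    return entries


def parse_sudo_log(text):
    """Turn each sudo log entry into a dict holding the timestamp, the
    invoking user and the TTY/PWD/USER/COMMAND fields."""
    records = []
    for entry in join_continuations(text):
        m = SUDO_ENTRY.match(entry)
        if not m:
            continue  # skip anything that is not a sudo entry
        rec = {"timestamp": m.group("ts"), "invoker": m.group("invoker")}
        for field in m.group("fields").split(" ; "):
            key, _, value = field.partition("=")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def flag_account_changes(records):
    """Return the records whose command (by basename) is in WATCHED."""
    flagged = []
    for rec in records:
        cmd = rec.get("COMMAND", "")
        if cmd and os.path.basename(cmd.split()[0]) in WATCHED:
            flagged.append(rec)
    return flagged


def parse_history_name(name):
    """Split a history file name into user, login source and session start."""
    m = HISTORY_NAME.match(name)
    if not m:
        return None
    started = datetime.strptime(m.group("date") + m.group("time"), "%Y%m%d%H:%M:%S")
    return {"user": m.group("user"), "source": m.group("source"), "started": started}


if __name__ == "__main__":
    for rec in flag_account_changes(parse_sudo_log(SUDO_LOG)):
        print("ALERT", rec["timestamp"], rec["invoker"], "->", rec["USER"], rec["COMMAND"])
    for name in HISTORY_FILES:
        print(parse_history_name(name))
```

Two points worth keeping in mind when reading these records: sudo writes its log itself, as root, so it is the stronger of the two sources; the history files depend on bash writing HISTFILE when the shell exits and live under a directory the setup above makes world-writable (chmod 777), so they are a convenient session record rather than tamper-resistant evidence.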