原文链接:https://wiki.shileizcc.com/confluence/pages/viewpage.action?pageId=38240384
- 创建一个审计日志文件
$ mkdir /var/log/shell_audit
$ touch /var/log/shell_audit/audit.log
- 将日志文件所有者赋予一个最低权限的用户
$ addgroup nobody
$ chown nobody:nobody /var/log/shell_audit/audit.log
- 给该日志文件赋予所有人的写权限
$ chmod 002 /var/log/shell_audit/audit.log
- 设置文件属性，使所有用户对该文件只有追加权限（chattr +a 由内核强制执行，普通用户无法截断或删除该文件）
$ chattr +a /var/log/shell_audit/audit.log
- 写入
/etc/profile.d/audit.sh
文件内容:
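# /etc/profile.d/audit.sh -- append one line per interactive command, with
# login context, to a shared log via PROMPT_COMMAND.
# Globals written: HISTSIZE, HISTTIMEFORMAT, HISTORY_FILE, PROMPT_COMMAND.
# Limits: the hook runs inside the audited user's own shell, so it is a
# convenience trail rather than a tamper-proof audit (the user can change
# PROMPT_COMMAND or HISTSIZE, and with a world-writable append-only log any
# local user can append lines). Kernel-side tooling such as auditd is the
# control to rely on for enforceable command auditing.
HISTSIZE=2048
# Timestamp prefix that `history` prepends; the hook forwards it verbatim.
HISTTIMEFORMAT="%Y/%m/%d %T "; export HISTTIMEFORMAT
export HISTORY_FILE=/var/log/shell_audit/audit.log
# The value must be wrapped in plain ASCII single quotes (typographic quotes
# are not shell quotes and break parsing). Every expansion is quoted and the
# record is built with printf, so command text is never word-split or
# glob-expanded on its way into the log (an unquoted `*` inside a logged
# command would otherwise be replaced by file names of $PWD). Fields from
# `who -u am i` are positional (0=user 2=date 3=time 5=pid 6=host) and come
# back empty for sessions without a utmp entry.
export PROMPT_COMMAND='{ code=$?; thisHistID=$(history 1 | awk "{print \$1}"); lastCommand=$(history 1 | awk "{\$1=\"\"; print}"); user=$(id -un); read -ra whoStr <<< "$(who -u am i)"; realUser=${whoStr[0]}; logDay=${whoStr[2]}; logTime=${whoStr[3]}; pid=${whoStr[5]}; ip=${whoStr[6]}; if [ "${thisHistID}x" != "${lastHistID}x" ]; then printf "%s %s(%s)@%s[PID:%s][LOGIN:%s %s] --- [%s]%s [%s]\n" "$(date "+%Y/%m/%d %H:%M:%S")" "$user" "$realUser" "$ip" "$pid" "$logDay" "$logTime" "$PWD" "$lastCommand" "$code"; lastHistID=$thisHistID; fi; } >> "$HISTORY_FILE"'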
- 重新登入系统后查看 log 即可看到结果：
2021/07/27 16:11:44 appadmin(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/home/appadmin] 2021/07/27 16:11:44 ls -al [0]
2021/07/27 16:11:54 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/root] 2021/07/27 16:11:54 exit [0]
2021/07/27 16:11:57 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/audit] 2021/07/27 16:11:57 cd /var/log/audit/ [0]
2021/07/27 16:11:58 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/audit] 2021/07/27 16:11:58 ls [0]
2021/07/27 16:11:58 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/audit] 2021/07/27 16:11:58 ls -al [0]
2021/07/27 16:12:12 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/audit] 2021/07/27 16:12:01 tail -f audit.log [130]
2021/07/27 16:12:22 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/audit] 2021/07/27 16:12:22 cd /var/log/shell_audit/audit [1]
2021/07/27 16:12:24 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/shell_audit] 2021/07/27 16:12:24 cd /var/log/shell_audit/ [0]
2021/07/27 16:12:25 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/shell_audit] 2021/07/27 16:12:25 ls [0]
2021/07/27 16:12:26 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/shell_audit] 2021/07/27 16:12:26 ls -al [0]
- JSON 输出格式：
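# /etc/profile.d/audit.sh (JSON variant) -- append one JSON object per
# interactive command, with login context, to a shared log via PROMPT_COMMAND.
# Globals written: HISTSIZE, HISTTIMEFORMAT, HISTORY_FILE, PROMPT_COMMAND.
# Limits: the hook runs inside the audited user's own shell, so it is a
# convenience trail rather than a tamper-proof audit (the user can change
# PROMPT_COMMAND or HISTSIZE, and with a world-writable append-only log any
# local user can append lines). Kernel-side tooling such as auditd is the
# control to rely on for enforceable command auditing.
HISTSIZE=2048
# "----" separates the history timestamp from the command text; the hook
# splits on the first occurrence, so a command containing "----" is kept
# whole.
HISTTIMEFORMAT="%Y/%m/%d %T ---- "; export HISTTIMEFORMAT
export HISTORY_FILE=/var/log/shell_audit/audit.log
# The value must be wrapped in plain ASCII single quotes (typographic quotes
# are not shell quotes and break parsing). Every expansion is quoted and the
# record is built with printf, so command text is never word-split or
# glob-expanded on its way into the log. Backslash and double quote are
# escaped in ShellCommand and ExecutionDirectory so a command containing `"`
# cannot break out of its JSON string; tabs and other control characters are
# NOT escaped and would still make that one line invalid JSON. Fields from
# `who -u am i` are positional (0=user 2=date 3=time 5=pid 6=host) and come
# back empty for sessions without a utmp entry; the host's surrounding
# parentheses are stripped.
export PROMPT_COMMAND='{ code=$?; thisHistID=$(history 1 | awk "{print \$1}"); histLine=$(history 1 | awk "{\$1=\"\"; print}"); lastCommand=${histLine#*---- }; read -r lastCommandTime <<< "${histLine%%---- *}"; user=$(id -un); read -ra whoStr <<< "$(who -u am i)"; realUser=${whoStr[0]}; logDay=${whoStr[2]}; logTime=${whoStr[3]}; pid=${whoStr[5]}; ip=${whoStr[6]#\(}; ip=${ip%\)}; if [ "${thisHistID}x" != "${lastHistID}x" ]; then jsonCmd=${lastCommand//\\/\\\\}; jsonCmd=${jsonCmd//\"/\\\"}; jsonDir=${PWD//\\/\\\\}; jsonDir=${jsonDir//\"/\\\"}; printf "{ \"@timestamp\": \"%s\", \"CurrentUser\": \"%s\", \"LoginUser\": \"%s\", \"LoginAddress\": \"%s\", \"PID\": \"%s\", \"LoginTime\": \"%s %s\", \"ExecutionDirectory\": \"%s\", \"ShellCommand\": \"%s\", \"ShellCommandTime\": \"%s\", \"ExitCode\": \"%s\" }\n" "$(date "+%Y/%m/%d %H:%M:%S")" "$user" "$realUser" "$ip" "$pid" "$logDay" "$logTime" "$jsonDir" "$jsonCmd" "$lastCommandTime" "$code"; lastHistID=$thisHistID; fi; } >> "$HISTORY_FILE"'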
- log 内容：
{ "@timestamp": "2021/07/27 16:17:12", "CurrentUser": "appadmin", "LoginUser": "appadmin", "LoginAddress": "192.168.168.82", "PID": "13931", "LoginTime": "2021-07-27 16:17", "ExecutionDirectory": "/home/appadmin", "ShellCommand": "exit", "ShellCommandTime": "2021/07/27 16:17:10", "ExitCode": "0" }
{ "@timestamp": "2021/07/27 16:17:15", "CurrentUser": "root", "LoginUser": "appadmin", "LoginAddress": "192.168.168.82", "PID": "13931", "LoginTime": "2021-07-27 16:17", "ExecutionDirectory": "/root", "ShellCommand": "exit", "ShellCommandTime": "2021/07/27 16:17:09", "ExitCode": "0" }
{ "@timestamp": "2021/07/27 16:17:16", "CurrentUser": "root", "LoginUser": "appadmin", "LoginAddress": "192.168.168.82", "PID": "13931", "LoginTime": "2021-07-27 16:17", "ExecutionDirectory": "/root", "ShellCommand": "ls -al", "ShellCommandTime": "2021/07/27 16:17:16", "ExitCode": "0" }
{ "@timestamp": "2021/07/27 16:17:19", "CurrentUser": "root", "LoginUser": "appadmin", "LoginAddress": "192.168.168.82", "PID": "13931", "LoginTime": "2021-07-27 16:17", "ExecutionDirectory": "/root", "ShellCommand": "top", "ShellCommandTime": "2021/07/27 16:17:18", "ExitCode": "0" }
{ "@timestamp": "2021/07/27 16:17:24", "CurrentUser": "root", "LoginUser": "appadmin", "LoginAddress": "192.168.168.82", "PID": "13931", "LoginTime": "2021-07-27 16:17", "ExecutionDirectory": "/root", "ShellCommand": "ps -ef | grep docker", "ShellCommandTime": "2021/07/27 16:17:24", "ExitCode": "0" }