Chinaunix首页 | 论坛 | 博客
  • 博客访问: 2075997
  • 博文数量: 354
  • 博客积分: 4955
  • 博客等级: 上校
  • 技术积分: 4579
  • 用 户 组: 普通用户
  • 注册时间: 2009-07-21 11:46
文章分类

全部博文(354)

文章存档

2015年(1)

2013年(4)

2012年(86)

2011年(115)

2010年(67)

2009年(81)

我的朋友

分类: LINUX

2012-08-23 11:30:34

这个系统审计,就是在系统级别,记录什么用户,在什么时间,做了什么操作。 然后将查到的信息记录到一个文件里。

 

 

. 审计配置

1. /etc/profile 文件的最后,添加如下2行代码:

export HISTORY_FILE=/var/log/audit.log

export PROMPT_COMMAND='{ z=$(history 1 | { read x y; echo -e "$x --- $y"; });a=`who am i | awk "{print //$1/" /"//$2/" /"//$6}"`;c=`echo $z | awk "{print $1}"`;if [[ `grep "$a /-/-/- $c" $HISTORY_FILE` = "" ]];then echo -e $(date "+%Y-%m-%d_%H:%M:%S") --- $a --- $z;fi;} >> $HISTORY_FILE'

 

 

说明:

        /etc/profile: 此文件为系统的每个用户设置环境信息,当用户第一次登录时,该文件被执行.并从/etc/profile.d目录的配置文件中搜集shell的设置.

 


 

这个代码其实就是把一些显示的信息导入到audit.log 文件。

>> : 追加到文件的最后

> : 覆盖原文件

 

[root@ db2 ~]# date "+%Y-%m-%d_%H:%M:%S"

2011-03-04_14:16:12

[root@ db2 ~]# who am i                                   

root     pts/1        Mar  4 13:14 (192.168.3.115)

[root@ db2 ~]# who am i | awk "{print /$1/" /"/$2/" /"/$6}" 

root pts/1 (192.168.3.115)

 

 

2. 创建保存审计信息的文件并赋权

[root@ db2 ~]# touch /var/log/audit.log

[root@ db2 ~]# chmod 777 /var/log/audit.log

 

       audit.log 是所有用户都可以往里面写信息,所以所有用户都可以修改这个文件。 关于777 赋权这块如果有不清楚的,参考我的Blog

       Linux chmod 命令 详解

       http://blog.csdn.net/tianlesoftware/archive/2011/02/24/6204412.aspx

 

 

.  验证

[root@db2 ~]# cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

[root@db2 ~]# cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

[root@db2 ~]# su - oracle

[oracle@db2 ~]$ cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log

2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit

[oracle@db2 ~]$ cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log

2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit

2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log

[oracle@db2 ~]$ cd $ORACLE_HOME

[oracle@db2 db_1]$ cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log

2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit

2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log

2011-03-04_13:59:46 --- root pts/2 (192.168.3.115) --- 202 --- cat /var/log/audit.log

2011-03-04_13:59:55 --- root pts/2 (192.168.3.115) --- 203 --- cd $ORACLE_HOME

[oracle@db2 db_1]$ cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log

2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit

2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log

2011-03-04_13:59:46 --- root pts/2 (192.168.3.115) --- 202 --- cat /var/log/audit.log

2011-03-04_13:59:55 --- root pts/2 (192.168.3.115) --- 203 --- cd $ORACLE_HOME

2011-03-04_13:59:57 --- root pts/2 (192.168.3.115) --- 204 --- cat /var/log/audit.log

2011-03-04_14:00:46 --- root pts/4 (192.168.3.115) --- 430 --- exit

2011-03-04_14:01:09 --- oracle pts/4 (192.168.3.115) --- 200 --- exit

 

说明:

       这里记录的用户信息,是用户第一次连接的的用户,如:我用用户A连接到服务器,那么记录的是A用户的操作。 假设这个时候我用su 切换到用户B,这时记录的还是用户A

阅读(1448) | 评论(0) | 转发(0) |
0

上一篇:shell 计算

下一篇:screen使用

给主人留下些什么吧!~~