Introduction:
Rootsh is a wrapper for shells which logs all echoed keystrokes and terminal output to a file and/or to syslog. Its main purpose is the auditing of users who need a shell with root privileges. They start rootsh through the sudo mechanism.
Download Page:
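After a regular user switches to root with sudo /usr/local/rootsh/bin/rootsh -u root, every command entered and all terminal output are recorded (to /var/log/messages by default if nothing else is specified), and the log clearly shows which regular user switched to root. For more details, see the INSTALL file in the unpacked download.
Example:
Two regular users: dio and demo
Entries in /var/log/messages: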
May 20 17:37:23 PHP_DEV_60 rootsh[07fc9]: dio: dio=root,/dev/pts/6: logging new session (rootsh[07fc9]) to /var/log/rootsh/dio.20100520173723.07fc9
May 20 17:37:27 PHP_DEV_60 rootsh[07fc9]: dio: 000: Password:
May 20 17:37:32 PHP_DEV_60 rootsh[07fc9]: dio: 001: [root@PHP_DEV_60 dio]# ls
May 20 17:37:35 PHP_DEV_60 rootsh[07fc9]: dio: 002: [root@PHP_DEV_60 dio]# pwd
May 20 17:37:35 PHP_DEV_60 rootsh[07fc9]: dio: 003: /home/dio
May 20 17:37:50 PHP_DEV_60 rootsh[07f37]: demo: 010: [root@PHP_DEV_60 www]# pwd
May 20 17:37:50 PHP_DEV_60 rootsh[07f37]: demo: 011: /var/www
May 20 17:37:53 PHP_DEV_60 rootsh[07f37]: demo: 012: [root@PHP_DEV_60 www]# ls
May 20 17:37:53 PHP_DEV_60 rootsh[07f37]: demo: 013: icons maven www.jboss.com
May 20 17:37:53 PHP_DEV_60 rootsh[07f37]: demo: 014: index.php test
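The log shows:
- After switching to root with /usr/local/rootsh/bin/rootsh -u root, user dio ran ls and pwd, and the terminal output was /home/dio
- User demo ran ls, and the log records the file listing of the current directory as printed to the terminal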
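
For audit review, the syslog lines above can be grouped by rootsh session to list what each user typed as root and to flag missing lines. This is an added example, not part of the original post or of rootsh itself; `parse_sessions` and `SAMPLE` are hypothetical names, and it assumes the three-digit field is a per-session line counter starting at 000 and that the prompt has the `[root@host dir]# ` form seen in the sample.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the /var/log/messages excerpt in the post.
SAMPLE = """\
May 20 17:37:23 PHP_DEV_60 rootsh[07fc9]: dio: dio=root,/dev/pts/6: logging new session (rootsh[07fc9]) to /var/log/rootsh/dio.20100520173723.07fc9
May 20 17:37:27 PHP_DEV_60 rootsh[07fc9]: dio: 000: Password:
May 20 17:37:32 PHP_DEV_60 rootsh[07fc9]: dio: 001: [root@PHP_DEV_60 dio]# ls
May 20 17:37:35 PHP_DEV_60 rootsh[07fc9]: dio: 002: [root@PHP_DEV_60 dio]# pwd
May 20 17:37:35 PHP_DEV_60 rootsh[07fc9]: dio: 003: /home/dio
May 20 17:37:50 PHP_DEV_60 rootsh[07f37]: demo: 010: [root@PHP_DEV_60 www]# pwd
May 20 17:37:50 PHP_DEV_60 rootsh[07f37]: demo: 011: /var/www
May 20 17:37:53 PHP_DEV_60 rootsh[07f37]: demo: 012: [root@PHP_DEV_60 www]# ls
"""

# Syslog envelope: timestamp, host, rootsh[session id], invoking user, message.
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ rootsh\[(?P<sid>[0-9a-f]+)\]: "
                  r"(?P<user>[^:]+): (?P<msg>.*)$")
START = re.compile(r"^[^=]+=(?P<target>[^,]+),(?P<tty>[^:]+): "
                   r"logging new session .* to (?P<file>\S+)$")
SEQ = re.compile(r"^(?P<n>\d+): (?P<text>.*)$")
# Assumption: prompt looks like "[root@host dir]# "; other PS1 values need another pattern.
PROMPT = re.compile(r"^\[[^@\s]+@\S+ [^\]]*\][#$] (?P<cmd>.+)$")

def parse_sessions(log_text):
    """Group rootsh syslog lines by session id; return {sid: session dict}."""
    sessions = defaultdict(lambda: {"user": None, "target": None, "tty": None,
                                    "file": None, "commands": [], "gaps": [], "next": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a rootsh line
        s = sessions[m["sid"]]
        s["user"] = m["user"]
        if st := START.match(m["msg"]):
            s.update(target=st["target"], tty=st["tty"], file=st["file"])
        elif sq := SEQ.match(m["msg"]):
            n = int(sq["n"])
            if n != s["next"]:
                s["gaps"].append((s["next"], n - 1))  # counter jumped: lines missing
            s["next"] = n + 1
            if p := PROMPT.match(sq["text"]):
                s["commands"].append(p["cmd"])
    return dict(sessions)

if __name__ == "__main__":
    for sid, s in parse_sessions(SAMPLE).items():
        print(sid, s["user"], "->", s["target"], s["commands"], "missing:", s["gaps"])
```

A reported gap, or a session with no "logging new session" line, means the excerpt is incomplete and the per-session file under /var/log/rootsh should be consulted instead.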