Chinaunix首页 | 论坛 | 博客
  • 博客访问: 10222897
  • 博文数量: 1669
  • 博客积分: 16831
  • 博客等级: 上将
  • 技术积分: 12594
  • 用 户 组: 普通用户
  • 注册时间: 2011-02-25 07:23
个人简介

柔中带刚,刚中带柔,淫荡中富含柔和,刚猛中荡漾风骚,无坚不摧,无孔不入!

文章分类

全部博文(1669)

文章存档

2023年(4)

2022年(1)

2021年(10)

2020年(24)

2019年(4)

2018年(19)

2017年(66)

2016年(60)

2015年(49)

2014年(201)

2013年(221)

2012年(638)

2011年(372)

分类: LINUX

2011-12-05 10:56:58

Linux 系统 审计 脚本
分类: Linux 401人阅读 评论(0) 举报

 

       这个系统审计,就是在系统级别,记录什么用户,在什么时间,做了什么操作。 然后将查到的信息记录到一个文件里。

 

 

. 审计配置

1. /etc/profile 文件的最后,添加如下2行代码:

export HISTORY_FILE=/var/log/audit.log

export PROMPT_COMMAND='{ z=$(history 1 | { read x y; echo -e "$x --- $y"; });a=`who am i | awk "{print //$1/" /"//$2/" /"//$6}"`;c=`echo $z | awk "{print $1}"`;if [[ `grep "$a /-/-/- $c" $HISTORY_FILE` = "" ]];then echo -e $(date "+%Y-%m-%d_%H:%M:%S") --- $a --- $z;fi;} >> $HISTORY_FILE'

 

 

说明:

        /etc/profile: 此文件为系统的每个用户设置环境信息,当用户第一次登录时,该文件被执行.并从/etc/profile.d目录的配置文件中搜集shell的设置.

 

具体参考:

       .bash_profile .bashrc 区别

       http://blog.csdn.net/tianlesoftware/archive/2010/11/04/5986506.aspx

 

这个代码其实就是把一些显示的信息导入到audit.log 文件。

>> : 追加到文件的最后

> : 覆盖原文件

 

[root@ db2 ~]# date "+%Y-%m-%d_%H:%M:%S"

2011-03-04_14:16:12

[root@ db2 ~]# who am i                                   

root     pts/1        Mar  4 13:14 (192.168.3.115)

[root@ db2 ~]# who am i | awk "{print /$1/" /"/$2/" /"/$6}" 

root pts/1 (192.168.3.115)

 

 

2. 创建保存审计信息的文件并赋权

[root@ db2 ~]# touch /var/log/audit.log

[root@ db2 ~]# chmod 777 /var/log/audit.log

 

       audit.log 是所有用户都可以往里面写信息,所以所有用户都可以修改这个文件。 关于777 赋权这块如果有不清楚的,参考我的Blog

       Linux chmod 命令 详解

       http://blog.csdn.net/tianlesoftware/archive/2011/02/24/6204412.aspx

 

 

.  验证

[root@db2 ~]# cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

[root@db2 ~]# cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

[root@db2 ~]# su - oracle

[oracle@db2 ~]$ cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log

2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit

[oracle@db2 ~]$ cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log

2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit

2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log

[oracle@db2 ~]$ cd $ORACLE_HOME

[oracle@db2 db_1]$ cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log

2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit

2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log

2011-03-04_13:59:46 --- root pts/2 (192.168.3.115) --- 202 --- cat /var/log/audit.log

2011-03-04_13:59:55 --- root pts/2 (192.168.3.115) --- 203 --- cd $ORACLE_HOME

[oracle@db2 db_1]$ cat /var/log/audit.log

2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit

2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log

2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log

2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit

2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log

2011-03-04_13:59:46 --- root pts/2 (192.168.3.115) --- 202 --- cat /var/log/audit.log

2011-03-04_13:59:55 --- root pts/2 (192.168.3.115) --- 203 --- cd $ORACLE_HOME

2011-03-04_13:59:57 --- root pts/2 (192.168.3.115) --- 204 --- cat /var/log/audit.log

2011-03-04_14:00:46 --- root pts/4 (192.168.3.115) --- 430 --- exit

2011-03-04_14:01:09 --- oracle pts/4 (192.168.3.115) --- 200 --- exit

 

说明:

       这里记录的用户信息,是用户第一次连接的的用户,如:我用用户A连接到服务器,那么记录的是A用户的操作。 假设这个时候我用su 切换到用户B,这时记录的还是用户A

 

 

 

 

阅读(723) | 评论(0) | 转发(1) |
给主人留下些什么吧!~~