辽宁省人事考试网首页:Linux 系统 审计 脚本

这个系统审计，就是在系统级别，记录什么用户，在什么时间，做了什么操作。 然后将查到的信息记录到一个文件里。   一. 审计配置1. 在/etc/profile 文件的最后，添加如下2行代码：export HISTORY_FILE=/var/log/audit.logexport PROMPT_COMMAND='{ z=$(history 1 | { read x y; echo -e "$x --- $y"; });a=`who am i | awk "{print \\$1\" \"\\$2\" \"\\$6}"`;c=`echo $z | awk "{print $1}"`;if [[ `grep "$a \-\-\- $c" $HISTORY_FILE` = "" ]];then echo -e $(date "+%Y-%m-%d_%H:%M:%S") --- $a --- $z;fi;} >> $HISTORY_FILE'  说明：        /etc/profile: 此文件为系统的每个用户设置环境信息,当用户第一次登录时,该文件被执行.并从/etc/profile.d目录的配置文件中搜集shell的设置. 具体参考：       .bash_profile 和 .bashrc 区别       http://blog.csdn.net/tianlesoftware/archive/2010/11/04/5986506.aspx 这个代码其实就是把一些显示的信息导入到audit.log 文件。 >> : 追加到文件的最后> : 覆盖原文件 [root@ db2 ~]# date "+%Y-%m-%d_%H:%M:%S"2011-03-04_14:16:12[root@ db2 ~]# who am i                                    root     pts/1        Mar  4 13:14 (192.168.3.115)[root@ db2 ~]# who am i | awk "{print \$1\" \"\$2\" \"\$6}"  root pts/1 (192.168.3.115)  2. 创建保存审计信息的文件并赋权[root@ db2 ~]# touch /var/log/audit.log[root@ db2 ~]# chmod 777 /var/log/audit.log        audit.log 是所有用户都可以往里面写信息，所以所有用户都可以修改这个文件。 关于777 赋权这块如果有不清楚的，参考我的Blog：       Linux chmod 命令 详解       http://blog.csdn.net/tianlesoftware/archive/2011/02/24/6204412.aspx  二.  验证[root@db2 ~]# cat /var/log/audit.log 2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit[root@db2 ~]# cat /var/log/audit.log 2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log[root@db2 ~]# su - oracle[oracle@db2 ~]$ cat /var/log/audit.log 2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit[oracle@db2 ~]$ cat /var/log/audit.log 2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log[oracle@db2 ~]$ cd $ORACLE_HOME[oracle@db2 db_1]$ cat /var/log/audit.log 2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log2011-03-04_13:59:46 --- root pts/2 (192.168.3.115) --- 202 --- cat /var/log/audit.log2011-03-04_13:59:55 --- root pts/2 (192.168.3.115) --- 203 --- cd $ORACLE_HOME[oracle@db2 db_1]$ cat /var/log/audit.log 2011-03-04_13:59:20 --- root pts/2 (192.168.3.115) --- 430 --- exit2011-03-04_13:59:27 --- root pts/2 (192.168.3.115) --- 431 --- cat /var/log/audit.log2011-03-04_13:59:30 --- root pts/2 (192.168.3.115) --- 432 --- cat /var/log/audit.log2011-03-04_13:59:35 --- root pts/2 (192.168.3.115) --- 200 --- exit2011-03-04_13:59:43 --- root pts/2 (192.168.3.115) --- 201 --- cat /var/log/audit.log2011-03-04_13:59:46 --- root pts/2 (192.168.3.115) --- 202 --- cat /var/log/audit.log2011-03-04_13:59:55 --- root pts/2 (192.168.3.115) --- 203 --- cd $ORACLE_HOME2011-03-04_13:59:57 --- root pts/2 (192.168.3.115) --- 204 --- cat /var/log/audit.log2011-03-04_14:00:46 --- root pts/4 (192.168.3.115) --- 430 --- exit2011-03-04_14:01:09 --- oracle pts/4 (192.168.3.115) --- 200 --- exit 说明：        这里记录的用户信息，是用户第一次连接的的用户，如：我用用户A连接到服务器，那么记录的是A用户的操作。 假设这个时候我用su 切换到用户B，这时记录的还是用户A。   本文来自CSDN博客，转载请标明出处：http://blog.csdn.net/tianlesoftware/archive/2011/03/04/6223211.aspx