How to record a user's IP address and commands with the shell

Time:2020-3-5

Record the commands entered

The history command shows the commands a user has entered in the current shell. Typical output of history looks like this:


980 2017-05-29 20:17:37 cd -
981 2017-05-29 20:17:41 cat index.html
982 2017-05-29 20:20:11 vim index.html
983 2017-05-29 20:39:18 cd -
984 2017-05-29 20:39:25 cd /var/log/nginx/
985 2017-05-29 20:39:27 vim access.log
986 2017-05-29 20:50:10 netstat -ntlp
987 2017-05-31 11:04:39 tmux a -t0
988 2017-05-31 11:15:42 exit
989 2017-05-31 12:32:38 tmux a -t0

Record the IP address

To record the user's IP address, the login address has to be obtained first. A login session keeps the same connection until it ends, so the address only needs to be obtained once, when the shell starts.

Command to get the IP address:

who am i | awk '{print $NF}' | sed -e 's/[()]//g'

who am i reads the utmp record for the current terminal and prints the remote host in parentheses as the last field; awk takes that last field and sed strips the parentheses. Two caveats: on a local console, or where no utmp entry exists (some containers and tmux panes), the last field is not an address at all, and when reverse DNS works who prints a hostname rather than an IP. For SSH logins the SSH_CONNECTION variable, whose first word is the client address, is a more reliable source.

The aim is history output in the form user@IP datetime command, which requires setting the HISTTIMEFORMAT variable. Getting the IP and setting the format together:

IP=`who am i | awk '{print $NF}' | sed -e 's/[()]//g'`
export HISTTIMEFORMAT="$(whoami)@$IP %F %T "

The trailing space inside the quotes keeps the timestamp separate from the command in the output. Note that HISTTIMEFORMAT only changes how history displays entries; the user@IP prefix is not written into ~/.bash_history.

To apply this to all users, put the lines in the /etc/profile file. After that (you may need to log in again, or reload /etc/profile with the source command), the output of history looks like the following, where user@IP stands for the actual login name and address:

412 user@IP 2017-06-02 22:03:27 netstat -nt
414 user@IP 2017-06-02 22:03:38 netstat -ntpl
415 user@IP 2017-06-03 14:17:09 history
416 user@IP 2017-06-03 14:17:30 tmux ls
417 user@IP 2017-06-03 14:17:34 tmux
418 user@IP 2017-06-03 14:17:49 tmux a -t0

The history command reads the user's own ~/.bash_history file, which bash writes only when the shell exits and which the user can edit or clear at any time. To manage command records centrally, each command should be written somewhere the user does not control as soon as it has been executed. The PROMPT_COMMAND variable, which bash evaluates just before it prints each prompt, makes this possible.

Set PROMPT_COMMAND to send the user's last command to syslog:

export PROMPT_COMMAND="history 1 | logger -t cmd_log -p user.notice"

history 1 prints the most recent history entry, that is, the command that has just completed; with HISTTIMEFORMAT set as above, the entry already carries the user@IP and the time. One quirk to know about: if the user presses Enter on an empty line, or history has been switched off, history 1 re-emits the previous entry, so the same numbered line shows up twice in the log.

The logger command writes to syslog; with the default rsyslog configuration, user.notice messages end up in /var/log/messages (on Debian-based systems, /var/log/syslog). Enter any command and then open the file: the command, the user@IP and the time are recorded there. Because /var/log/messages is normally readable only by root, an ordinary user cannot alter or clear the record the way they can with ~/.bash_history. Bear in mind that logger runs as the user, so a user can still append forged lines to syslog; what they cannot do is remove genuine ones.

If you are familiar with syslog, you can send the command log to a separate file: pass a custom facility to logger with the -p option, for example -p local2.notice, then edit /etc/rsyslog.conf to write that facility to its own file with a rule such as local2.* /var/log/command.log, and finally restart the rsyslog service.

With the above settings, the user's IP address, the time and the commands executed are logged without any action on the user's part.
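The steps above (resolve the login IP, set HISTTIMEFORMAT, set PROMPT_COMMAND, route to a separate rsyslog facility) collected into one drop-in file, as an added example that is not code from the original article. The file name /etc/profile.d/cmdlog.sh, the local2 facility and the use of SSH_CONNECTION as the preferred IP source are assumptions made here; the helpers are split into functions so each piece can be checked on its own, and the "who am i" line below is a constructed sample, not captured output.

```bash
#!/bin/bash
# Added example, not from the original article: a drop-in for /etc/profile.d/ (assumed
# name: cmdlog.sh) that resolves the login IP, sets HISTTIMEFORMAT and PROMPT_COMMAND,
# and sends each completed command to the local2 syslog facility (an assumption; the
# matching rsyslog rule would be "local2.* /var/log/command.log").

# Extract the client address from a "who am i" line such as
#   "alice    pts/0        2020-03-05 10:12 (203.0.113.7)"
# Prints "unknown" when there is no "(host)" part, which is what happens on a local
# console, in tmux panes without a utmp entry, or when utmp is not maintained at all.
# ("who am i" prints a hostname when reverse DNS works; GNU "who --ips am i" forces the address.)
client_ip_from_who() {
    line=$1
    case "$line" in
        *\(*\)*)
            host=${line##*\(}             # text after the last "("
            printf '%s\n' "${host%\)*}"   # drop the closing ")"
            ;;
        *)
            printf '%s\n' unknown
            ;;
    esac
}

# Prefer SSH_CONNECTION, which sshd sets to "client_ip client_port server_ip server_port"
# and which does not depend on utmp; fall back to the "who am i" line otherwise.
resolve_login_ip() {
    ssh_conn=$1
    who_line=$2
    if [ -n "$ssh_conn" ]; then
        printf '%s\n' "${ssh_conn%% *}"
    else
        client_ip_from_who "$who_line"
    fi
}

# Build the HISTTIMEFORMAT value "user@ip %F %T " (the trailing space keeps the
# timestamp separate from the command in "history" output).
hist_format() {
    printf '%s@%s %%F %%T \n' "$1" "$2"
}

# Only wire up logging in an interactive bash: /etc/profile is also read by
# non-interactive login shells (scp, cron jobs using a login shell), which have no prompt.
case $- in
    *i*)
        if [ -n "$BASH_VERSION" ]; then
            LOGIN_IP=$(resolve_login_ip "$SSH_CONNECTION" "$(who am i 2>/dev/null)")
            HISTTIMEFORMAT=$(hist_format "$(id -un)" "$LOGIN_IP")
            export HISTTIMEFORMAT
            # "history 1" is the command that just completed; tag it and send it to local2.
            PROMPT_COMMAND='history 1 | logger -t cmd_log -p local2.notice'
            # readonly blocks "unset PROMPT_COMMAND" in this shell only; a new shell started
            # with "bash --norc", or a different shell, is not covered. It raises the bar, no more.
            readonly PROMPT_COMMAND HISTTIMEFORMAT
        fi
        ;;
esac
```

Install it as /etc/profile.d/cmdlog.sh (or source it from /etc/profile), add the rsyslog rule for local2 and restart rsyslog. The first prompt after login logs the last entry of the previous session, since that is what history 1 returns before the user has typed anything; treat that first line accordingly when reading the log.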

How can a user bypass this? There are two ways:

  1. Put the commands in a script and execute the script; only the invocation of the script is logged, not the commands inside it.
  2. Unset the PROMPT_COMMAND variable, after which nothing further is logged. The same effect comes from disabling history (set +o history, HISTSIZE=0) or starting a fresh shell with bash --norc.

This is therefore a convenience log rather than a tamper-proof audit trail. Where a reliable record is required, the kernel audit subsystem (auditd rules on execve) or session recording is the appropriate tool; the syslog approach is still useful for routine review, provided the reader knows where its gaps are.
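Because the two bypasses above leave traces of their own in the log (a script invocation is itself logged, and a shell whose history is switched off makes history 1 repeat the previous entry), a review pass over /var/log/command.log can at least surface them. The following is an added example, not part of the original article: the log lines are constructed for the example, and the line layout they follow (rsyslog's default traditional template around the history 1 output) is an assumption.

```bash
#!/bin/sh
# Added example, not from the original article: reviewing the command log written by
# "history 1 | logger -t cmd_log -p local2.notice" with the rule "local2.* /var/log/command.log".
# The lines below are constructed. Assumed layout (rsyslog traditional template):
#   <syslog time> <host> cmd_log: <n> <user>@<ip> <%F> <%T> <command>

SAMPLE_LOG='Mar  5 10:15:02 web1 cmd_log: 412 alice@203.0.113.7 2020-03-05 10:15:01 netstat -ntlp
Mar  5 10:15:40 web1 cmd_log: 413 alice@203.0.113.7 2020-03-05 10:15:39 cd /var/log/nginx
Mar  5 10:15:55 web1 cmd_log: 413 alice@203.0.113.7 2020-03-05 10:15:39 cd /var/log/nginx
Mar  5 10:16:10 web1 cmd_log: 414 alice@203.0.113.7 2020-03-05 10:16:09 sh /tmp/cleanup.sh
Mar  5 10:20:01 web1 cmd_log: 77 bob@198.51.100.4 2020-03-05 10:20:00 bash --norc
Mar  5 10:20:30 web1 cmd_log: 78 bob@198.51.100.4 2020-03-05 10:20:29 unset HISTFILE'

# Normalise each syslog line to "user@ip<TAB>n<TAB>command". Fields are located relative
# to the "cmd_log:" tag, so the extra whitespace "history 1" puts around the number is harmless.
parse_cmdlog() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "cmd_log:") break
        if (i + 5 > NF) next                  # too short for n, user@ip, date, time, command
        cmd = $(i + 5)
        for (j = i + 6; j <= NF; j++) cmd = cmd " " $j
        printf "%s\t%s\t%s\n", $(i + 2), $(i + 1), cmd
    }'
}

# A repeated history number for the same user@ip means "history 1" re-emitted the previous
# entry: either an empty Enter, or history was switched off (set +o history, HISTSIZE=0) so
# later commands never reached the history list. Prints the repeated entries.
find_repeats() {
    awk -F '\t' '(($1 "\t" $2) == last) { print } { last = $1 "\t" $2 }'
}

# Commands the article names as bypasses: running a script (its inner commands are never
# seen by the interactive shell) or tampering with PROMPT_COMMAND / history variables.
find_bypass() {
    awk -F '\t' '
        $3 ~ /^(sh|bash|dash|ksh|zsh)([ \t]|$)/            { print; next }
        $3 ~ /^\.\//                                        { print; next }
        $3 ~ /PROMPT_COMMAND|HISTFILE|HISTSIZE|\+o history/ { print }
    '
}

count_lines() { awk 'END { print NR }'; }

parsed_in_sample()  { printf '%s\n' "$SAMPLE_LOG" | parse_cmdlog | count_lines; }
repeats_in_sample() { printf '%s\n' "$SAMPLE_LOG" | parse_cmdlog | find_repeats | count_lines; }
bypass_in_sample()  { printf '%s\n' "$SAMPLE_LOG" | parse_cmdlog | find_bypass  | count_lines; }
```

Run it against the real file with `parse_cmdlog < /var/log/command.log | find_bypass`; a session that goes quiet after a flagged line (no further entries although the login in auth.log is still open) is the pattern to look for, since an unset PROMPT_COMMAND leaves no line of its own.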

Reference resources

https://askubuntu.com/questions/93566/how-to-log-all-bash-commands-by-all-users-on-a-server

http://moper.me/ssh-audit-chats.html

http://zhu8337797.blog.163.com/blog/static/170617549201222912830483/
