linux下行为记录监控

Linux下行为记录监控

基于Root用户设置

一、先修改ssh的日志级别 LogLevel VERBOSE # /etc/init.d/sshd restart

二、修改/root/.ssh/authorized_keys 的标识 # vim /root/.ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1R8pzN6JDu6m6Q//fZaM20cN5Jhx/w3t/2erKmYzclm919ND6bukTEILmYU06SLxRhtK62JwrcrkQrYqUznIN0NY3j7kr7mMP1vM18UrFakSHRRIzL1bwzNxlxMJ6bUaX8wXqer6ueP6vK8b5BYFvluqryQQyXZCppYVPOCcX1WBiOYP+bu+EMUFZ3iSoa5ha34J7ih6HdXm1KV7Ytxk7UVasZ3T9Iw/1CJknmQSehqe2PpQA3HWJGhHfEe+s2EywkRiAv7GC4X3HAkGdld5YAfmhp0jUE4h27RcsHhzFrOHT2AxMhpIZPqQz0lNCBOgN6x+qU2eVdbOfnszKFNxUQ== youboy@132 改成：

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1R8pzN6JDu6m6Q//fZaM20cN5Jhx/w3t/2erKmYzclm919ND6bukTEILmYU06SLxRhtK62JwrcrkQrYqUznIN0NY3j7kr7mMP1vM18UrFakSHRRIzL1bwzNxlxMJ6bUaX8wXqer6ueP6vK8b5BYFvluqryQQyXZCppYVPOCcX1WBiOYP+bu+EMUFZ3iSoa5ha34J7ih6HdXm1KV7Ytxk7UVasZ3T9Iw/1CJ

knmQSehqe2PpQA3HWJGhHfEe+s2EywkRiAv7GC4X3HAkGdld5YAfmhp0jUE4h27RcsHhzFrOHT2AxMhpIZPqQz0lNCBOgN6x+qU2eVdbOfnszKFNxUQ== youboytest

三、将log.sh放置于/etc/profile.d/下 [root@131 youboy]# cat log.sh #####################检测变量:

USER=`id -un`

if [ $USER == root ] then

LOG_DIR=\

FILE=\else

LOG_DIR=\

FILE=\fi

####生成key指纹函数 GEN_INFO() {

> $LOG_DIR/.user_key.info

while read LINE do

NAME=$(echo $LINE | awk '{print $3}') echo $LINE > $NAME

ssh-keygen -lf $NAME | awk '{print $2,$3}' >> $LOG_DIR/.user_key.info rm -fr $NAME done < $FILE }

#######获取登陆指纹与key指纹对比，获得用户名

PID=$(who -u am i | awk '{print $(NF-1)}')

PPid=$(grep -Po \

KEY=$( tail -100 /var/log/secure | grep \D{print f}')

if [ -f $LOG_DIR/.user_key.info ] then

if [ `grep $KEY $LOG_DIR/.user_key.info| cut -d' ' -f1` ] then

N_USER=$(grep $KEY $LOG_DIR/.user_key.info | awk '{print $2}') else GEN_INFO fi else

mkdir $LOG_DIR/

touch $LOG_DIR/.user_key.info GEN_INFO

if [ `grep $KEY $LOG_DIR/.user_key.info| cut -d' ' -f1` ] then

N_USER=$(grep $KEY $LOG_DIR/.user_key.info | awk '{print $2}') fi fi

###########定义日志记录

export HISTTIMEFORMAT=\

export HISTSIZE=4096

USER_IP=$(who -u am i | awk '{print $NF}') LOG_TIME=$(who -u am i | awk '{print $3,$4}') export HISTFILE=\

echo \\

四、查看原来的/etc/profile有没有定义日志文件，如果有定义则需注释掉 # cat /etc/profile | grep HISTFILE 五、执行

# sh -x /etc/profile.d/log.sh

看看能不能执行成功，如果不能执行成功，那就是脚本中定义的路径和实际使用的路径不同。如/var/log/secure这个一般是有ssh的安全日志的，但是有些却出现在/var/log/message中