|
 
- UID
- 1
- 帖子
- 263
- 精华
- 1
- 积分
- 62837
- 威望
- 218
- 金钱
- 125238
- 阅读权限
- 200
- 注册时间
- 2010-6-19
|
编译安装bash以打开bash_history的日志功能
默认情况下,bash history的日志记录功能取消的,为了监控每个用户的行为,将bash历史记录发送到日志服务器上,需要打开bash历史记录功能。
===一、下载最新版的bash源码包:===
- # wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
- # tar zxf bash-4.1.tar.gz
- # cd bash-4.1
===二、修改源码===
- # vi config-top.h
- 找到下面一行:
- /*#define SYSLOG_HISTORY*/
- 去掉注释即可打开bash历史记录的日志记录功能:
- #define SYSLOG_HISTORY
- # vi +708 bashhist.c
- 在708和713行修改日志记录的格式:
- syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d USER=%s CMD=%s", getpid(), current_user.user_name, line);
- else
- {
- strncpy (trunc, line, SYSLOG_MAXLEN);
- trunc[SYSLOG_MAXLEN - 1] = '\0';
- syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d USER=%s CMD=%s", getpid(), current_user.user_name, trunc);
- }
===三、编译安装===
- # ./configure --prefix=/usr/local/bash-4.1
- # make && make install
===四、修改用户的shell===
- # usermod -s /usr/local/bash-4.1/bin/bash username
===五、查看bash历史记录日志===
- # tail /var/log/message
- Mar 28 16:18:48 www -bash: HISTORY: PID=15097 USER=root CMD=cd bash-4.1
- Mar 28 16:18:53 www -bash: HISTORY: PID=15097 USER=root CMD=vi bashhist.
- Mar 28 16:18:56 www -bash: HISTORY: PID=15097 USER=root CMD=vi bashhist.c
- Mar 28 16:21:12 www -bash: HISTORY: PID=15097 USER=root CMD=vi +708 bashhist.c
- Mar 28 16:27:35 www -bash: HISTORY: PID=15097 USER=root CMD=tail /var/log/messages
|
|
