- 论坛徽章:
- 2
|
本帖最后由 damcool 于 2012-09-21 09:16 编辑
为了防止用户滥用root等敏感帐号,并且便于管理上追踪相应的sudo活动造成的问题。简单的根据/etc/bashrc的功能实现了帐号活动记录和存档的功能。下面列出一些实现的主要步骤:
- 首先,设置/etc/bashrc,在文件最后添加下列语句,用以建立帐号活动记录
- mkdir -p $HOME/.audit &>/dev/null
- export AUDIT_FILE=$HOME/.audit/$(who am i|awk '{printf("%s_%s_%s_%s.aud",$1,$2,$3,$4)}'|tr '/:' '-') &>/dev/null
- export PROMPT_COMMAND='(ts=`date "+[%Y%m%d %H:%M:%S]"` && cmd=$(echo ">>`history 1|{ read y x; echo -e "$x";}`<<@`who am i |awk \"{print \\$5}\"`") && lst_cmd=`tail -10 $AUDIT_FILE|grep "]"|tail -1|cut -d "]" -f 2-` && [[ "$lst_cmd" != "$cmd" ]] && echo "$ts$cmd") >> "$AUDIT_FILE"'
- 然后,创建目录/usr/local/admin/,创建如下脚本audit.sh
- #!/bin/bash
- ################################################################################
- # Note:
- # Please add below lines into /etc/bashrc first
- # mkdir -p $HOME/.audit &>/dev/null
- # export AUDIT_FILE=$HOME/.audit/$(who am i|awk '{printf("%s_%s_%s_%s.aud",$1,$2,$3,$4)}'|tr '/:' '-') &>/dev/null
- # export PROMPT_COMMAND='(ts=`date "+[%Y%m%d %H:%M:%S]"` && cmd=$(echo ">>`history 1|{ read y x; echo -e "$x";}`<<@`who am i |awk \"{print \\$5}\"`") && lst_cmd=`tail -10 $AUDIT_FILE|grep "]"|tail -1|cut -d "]" -f 2-` && [[ "$lst_cmd" != "$cmd" ]] && echo "$ts$cmd") >> "$AUDIT_FILE"'
- ################################################################################
- ################################################################################
- # Function Name: HELP_USAGE
- # Description: Function to display the usage of the script
- # Parameters: None
- # Return: Help messages
- # Called By: Script Main Loop->Script Parameters' Handler
- # History: 2012-SEP-17 Initial Edition RobinHoo
- ################################################################################
- function help_usage(){
- cat <<EOF
- Usage: $PROGNAME [OPTION]
- Audit files maintenance functions according to /etc/bashrc settings
- -a, --archive Archive the audit logging files older than 7 days and compress
- the archive file of last month as well as delete the archive
- over a year 365 days.
- -h, --help Show current help message of the script usages
-
- Notes:
-
- Please Report Script Bugs to $AUTHOR_MAIL
- EOF
- exit 1
- }
- ################################################################################
- # Function Name: ARCHIVE_LOGGING
- # Description: Function to archive the audit logging files
- # Parameters: None
- # Return: None
- # Called By: Script Main Loop->Script Parameters' Handler
- # History: 2012-SEP-17 Initial Edition RobinHoo
- ################################################################################
- function archive_logging(){
- local pwd_line
- local user_id
- local home_dir
- local tar_files
- local tar_file
- for pwd_line in $(cat /etc/passwd|tr ' ' '_'); do
- user_id=$(echo "$pwd_line"|awk -F ":" '{print $1}')
- home_dir=$(echo "$pwd_line"|awk -F ":" '{print $6}')
- if [ -d "$home_dir/.audit" ]; then
- cd $home_dir/.audit
- for tar_files in $(find -type f -name "*aud" -mtime +7 -exec basename {} \;); do
- tar_file="audit_"$(echo $tar_files|awk -F "_" '{print $3}'|cut -d "-" -f 1-2)".tar"
- [ -f "$tar_file" ] && tar -rf "$tar_file" $tar_files || tar -cf "$tar_file" $tar_files
- rm -f $tar_files &>/dev/null
- done
-
- find -type f -name "*tar" -mtime +31 | xargs -i basename {} | xargs -i bzip2 -zq9 {} &>/dev/null
-
- find -type f -name "*bz2" -mtime +365 | xargs -i basename {} | xargs -i rm -f {} &>/dev/null
-
- chown $user_id.$user_id *tar *bz2 &>/dev/null
- chmod 644 *tar *bz2 &>/dev/null
- fi
- done
- }
- ################################################################################
- # Function Name: Script Main Loop
- # History: 2012-SEP-16 Initial Edition RobinHoo
- ################################################################################
- BASE_DIR=$(cd "$(dirname "$0")" && pwd)
- PROGNAME=$(basename "$0")
- AUTHOR_MAIL="robin.hoo@pginw.com"
- ACRCHIVE=0
- HELP=0
- [ $# -eq 0 ] && help_usage
- while [ $# -gt 0 ]
- do
- case "$1" in
- (-a) ACRCHIVE=1;shift;break;;
- (-h) HELP=1;shift;break;;
- (--archive) ACRCHIVE=1;shift;break;;
- (--help) HELP=1;shift;break;;
- (*) echo "$PROGNAME: error - unrecognized option or parameter $1" 1>&2; HELP=1;break;;
- esac
- shift
- done
- [ $# -gt 0 ] && HELP=1
- [ $HELP -eq 1 ] && help_usage
- [ $ACRCHIVE -eq 1 ] && archive_logging && exit 0
- 最后,创建如下cron job负责定期归档审计记录文件
- 0 0 * * * sh /usr/local/admin/audit.sh --archive
|
|
免费注册
发表于 2012-09-19 13:20
发表于 2012-09-19 13:22
