
SSH User Operation Auditing

2021-08-01 11:02:18  Views: 234  Source: Internet

Tags: auditing audit 27 07 16 log user SSH 2021


Original link: https://wiki.shileizcc.com/confluence/pages/viewpage.action?pageId=38240384

  • Create the audit log file:
$ mkdir /var/log/shell_audit
$ touch /var/log/shell_audit/audit.log
  • Give the log file to a user with minimal privileges (on Debian/Ubuntu the nobody user's primary group is nogroup, hence the addgroup; on RHEL-family systems the nobody group already exists and the first command can be skipped):
$ addgroup nobody
$ chown nobody:nobody /var/log/shell_audit/audit.log
  • Grant everyone write permission on the log file (mode 002 gives "others" write but not read, and the owner nothing; root can still read it):
$ chmod 002 /var/log/shell_audit/audit.log
  • Set the append-only attribute so that every user, root included, can only append to the file. Truncating or deleting it first requires chattr -a, which needs CAP_LINUX_IMMUTABLE, so log rotation has to remove and re-add the attribute:
$ chattr +a /var/log/shell_audit/audit.log
  • Write the following to /etc/profile.d/audit.sh. It is sourced by every login shell; PROMPT_COMMAND runs just before each prompt is drawn, reads the last history entry, and appends it to the log together with its exit code, the effective user (id -un), and the user and address of the original SSH login as reported by who -u am i. Because the hook runs inside the user's own bash, it only records cooperating sessions: a user can unset PROMPT_COMMAND, start a different shell, or run commands via ssh host command without an interactive shell. Treat the result as an operational log rather than tamper-proof evidence (auditd with pam_tty_audit is the kernel-side alternative).
HISTSIZE=2048
HISTTIMEFORMAT="%Y/%m/%d %T   ";export HISTTIMEFORMAT
export HISTORY_FILE=/var/log/shell_audit/audit.log
export PROMPT_COMMAND='{ code=$?;thisHistID=`history 1|awk "{print \\$1}"`;lastCommand=`history 1| awk "{\\$1=\"\" ;print}"`;user=`id -un`;whoStr=(`who -u am i`);realUser=${whoStr[0]};logDay=${whoStr[2]};logTime=${whoStr[3]};pid=${whoStr[5]};ip=${whoStr[6]};if [ ${thisHistID}x != ${lastHistID}x ];then echo -E `date "+%Y/%m/%d %H:%M:%S"` $user\($realUser\)@$ip[PID:$pid][LOGIN:$logDay $logTime] --- [$PWD]$lastCommand [$code];lastHistID=$thisHistID;fi; } >> $HISTORY_FILE'
  • Log in again and check the log. The lines below are from the original test; root(appadmin) marks commands run after appadmin switched to root, since id -un reports the effective user while who -u am i still reports the user who logged in over SSH:
2021/07/27 16:11:44 appadmin(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/home/appadmin] 2021/07/27 16:11:44 ls -al [0]
2021/07/27 16:11:54 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/root] 2021/07/27 16:11:54 exit [0]
2021/07/27 16:11:57 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/audit] 2021/07/27 16:11:57 cd /var/log/audit/ [0]
2021/07/27 16:11:58 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/audit] 2021/07/27 16:11:58 ls [0]
2021/07/27 16:11:58 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/audit] 2021/07/27 16:11:58 ls -al [0]
2021/07/27 16:12:12 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/audit] 2021/07/27 16:12:01 tail -f audit.log [130]
2021/07/27 16:12:22 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/audit] 2021/07/27 16:12:22 cd /var/log/shell_audit/audit [1]
2021/07/27 16:12:24 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/shell_audit] 2021/07/27 16:12:24 cd /var/log/shell_audit/ [0]
2021/07/27 16:12:25 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/shell_audit] 2021/07/27 16:12:25 ls [0]
2021/07/27 16:12:26 root(appadmin)@(192.168.168.82)[PID:13368][LOGIN:2021-07-27 16:11] --- [/var/log/shell_audit] 2021/07/27 16:12:26 ls -al [0]
  • JSON output format. Same hook, but HISTTIMEFORMAT now ends in ---- so that the command text and the time it was entered can be split apart, and the parentheses around the address are stripped. Note that the command text is not escaped before being placed inside the JSON string, so a command containing a double quote, a backslash, or the ---- separator itself produces a line that a JSON parser will reject:
HISTSIZE=2048
HISTTIMEFORMAT="%Y/%m/%d %T ---- ";export HISTTIMEFORMAT
 
export HISTORY_FILE=/var/log/shell_audit/audit.log
export PROMPT_COMMAND='{ code=$?;thisHistID=`history 1|awk "{print \\$1}"`;lastCommand=`history 1| awk "{\\$1=\"\" ;print}" |awk -F ---- "{print \\$2}" |sed -e "s@^[ \t]*@@g"`;lastCommandTime=`history 1| awk "{\\$1=\"\" ;print}" |awk -F ---- "{print \\$1}"|sed -e "s/^[ \t]*//g" -e "s/[ \t]*$//g"`;user=`id -un`;whoStr=(`who -u am i`);realUser=${whoStr[0]};logDay=${whoStr[2]};logTime=${whoStr[3]};pid=${whoStr[5]};ip=`echo ${whoStr[6]}| sed -e "s/[(|)]*//g"`;if [ ${thisHistID}x != ${lastHistID}x ];then echo -E \{ \"@timestamp\": \"`date "+%Y/%m/%d %H:%M:%S"`\", \"CurrentUser\": \"$user\", \"LoginUser\": \"$realUser\", \"LoginAddress\": \"$ip\", \"PID\": \"$pid\", \"LoginTime\": \"$logDay $logTime\",  \"ExecutionDirectory\": \"$PWD\", \"ShellCommand\": \"$lastCommand\", \"ShellCommandTime\": \"$lastCommandTime\", \"ExitCode\": \"$code\" \};lastHistID=$thisHistID;fi; } >> $HISTORY_FILE'
  • Log contents:
{ "@timestamp": "2021/07/27 16:17:12", "CurrentUser": "appadmin", "LoginUser": "appadmin", "LoginAddress": "192.168.168.82", "PID": "13931", "LoginTime": "2021-07-27 16:17", "ExecutionDirectory": "/home/appadmin", "ShellCommand": "exit", "ShellCommandTime": "2021/07/27 16:17:10", "ExitCode": "0" }
{ "@timestamp": "2021/07/27 16:17:15", "CurrentUser": "root", "LoginUser": "appadmin", "LoginAddress": "192.168.168.82", "PID": "13931", "LoginTime": "2021-07-27 16:17", "ExecutionDirectory": "/root", "ShellCommand": "exit", "ShellCommandTime": "2021/07/27 16:17:09", "ExitCode": "0" }
{ "@timestamp": "2021/07/27 16:17:16", "CurrentUser": "root", "LoginUser": "appadmin", "LoginAddress": "192.168.168.82", "PID": "13931", "LoginTime": "2021-07-27 16:17", "ExecutionDirectory": "/root", "ShellCommand": "ls -al", "ShellCommandTime": "2021/07/27 16:17:16", "ExitCode": "0" }
{ "@timestamp": "2021/07/27 16:17:19", "CurrentUser": "root", "LoginUser": "appadmin", "LoginAddress": "192.168.168.82", "PID": "13931", "LoginTime": "2021-07-27 16:17", "ExecutionDirectory": "/root", "ShellCommand": "top", "ShellCommandTime": "2021/07/27 16:17:18", "ExitCode": "0" }
{ "@timestamp": "2021/07/27 16:17:24", "CurrentUser": "root", "LoginUser": "appadmin", "LoginAddress": "192.168.168.82", "PID": "13931", "LoginTime": "2021-07-27 16:17", "ExecutionDirectory": "/root", "ShellCommand": "ps -ef | grep docker", "ShellCommandTime": "2021/07/27 16:17:24", "ExitCode": "0" }
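The following is an added example and not code from the original post: a hardened replacement for the JSON emitter in the PROMPT_COMMAND above. The original interpolates the command text straight into the JSON, so a command such as echo "hi" yields an unparsable line; this version escapes every string value and also copes with who -u am i returning nothing (no controlling tty). The function and variable names (json_escape, parse_who_line, audit_json_record, audit_last_command, AUDIT_LAST_HIST_ID) and the sample who line are my own; HISTORY_FILE, the ---- separator and the JSON keys are taken from the page.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Produces the same JSON records as
# the page's PROMPT_COMMAND, with proper escaping of the string values.

# Escape one value for use inside a JSON double-quoted string:
# backslash, double quote, tab and newline.
json_escape() {
    local tab
    tab=$(printf '\t')
    printf '%s\n' "$1" \
        | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/'"$tab"'/\\t/g' \
        | awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# Split one line of `who -u am i` into the fields the page relies on:
#   user tty date time idle pid (host)
# and strip the parentheses around the host. An empty line (no tty) simply
# yields empty fields instead of a broken record.
parse_who_line() {
    set -- $1
    LOGIN_USER=$1
    LOGIN_DAY=$3
    LOGIN_TIME=$4
    LOGIN_PID=$6
    LOGIN_ADDR=${7#\(}
    LOGIN_ADDR=${LOGIN_ADDR%\)}
}

# Print one record with the page's keys.
# $1 timestamp, $2 current user, $3 `who -u am i` line, $4 working directory,
# $5 command text, $6 time the command was entered, $7 exit code
audit_json_record() {
    parse_who_line "$3"
    printf '{ "@timestamp": "%s", "CurrentUser": "%s", "LoginUser": "%s", "LoginAddress": "%s", "PID": "%s", "LoginTime": "%s %s", "ExecutionDirectory": "%s", "ShellCommand": "%s", "ShellCommandTime": "%s", "ExitCode": "%s" }\n' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$LOGIN_USER")" \
        "$(json_escape "$LOGIN_ADDR")" "$LOGIN_PID" "$LOGIN_DAY" "$LOGIN_TIME" \
        "$(json_escape "$4")" "$(json_escape "$5")" "$(json_escape "$6")" "$7"
}

# Hook for an interactive bash, assuming the page's
#   HISTTIMEFORMAT="%Y/%m/%d %T ---- "
# so that `history 1` prints "  <id>  <date> <time> ---- <command>".
# Same dedup-by-history-id logic as the original, so pressing Enter on an
# empty line does not log the previous command twice. Install with:
#   HISTORY_FILE=/var/log/shell_audit/audit.log
#   PROMPT_COMMAND=audit_last_command
audit_last_command() {
    local code=$? entry hist_id cmd_day cmd_time rest
    entry=$(history 1)
    read -r hist_id cmd_day cmd_time rest <<EOF
$entry
EOF
    [ "${hist_id}x" = "${AUDIT_LAST_HIST_ID}x" ] && return 0
    AUDIT_LAST_HIST_ID=$hist_id
    audit_json_record "$(date '+%Y/%m/%d %H:%M:%S')" "$(id -un)" "$(who -u am i)" \
        "$PWD" "${entry#* ---- }" "$cmd_day $cmd_time" "$code" >> "$HISTORY_FILE"
}
```

Drop this into /etc/profile.d/audit.sh in place of the export PROMPT_COMMAND line, keeping the HISTTIMEFORMAT with the ---- separator; the record format is unchanged, so anything already parsing the log keeps working, and a command such as ps -ef | grep "docker" now lands in the log as "ps -ef | grep \"docker\"".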

Source: https://www.cnblogs.com/Li-DevOps/p/15086185.html
