
How to use the linux shell historical command recording function

WBOY
2023-05-12 13:19:18

Under Linux, the history command shows all commands a user has run, and by default the shell also saves these records in the .bash_history file in the user's home directory. Through this file you can query the execution history of shell commands, which helps operation and maintenance staff with system auditing and troubleshooting. After a server has been compromised, it also lets you see which commands the intruder ran after logging in. Intruders, however, commonly delete the .bash_history file to erase their traces, so this file needs to be backed up properly.

The default history command only shows a user's past commands; it does not record when each command was run, which is inconvenient for troubleshooting. The solution is to add the following four lines to /etc/bashrc so that history automatically records the execution time of every shell command:


# Number of command records kept in ~/.bash_history
HISTFILESIZE=4000
# Number of records shown by the history command
HISTSIZE=4000
# Timestamp format shown with each history entry (same specifiers as "date +'%F %T'")
HISTTIMEFORMAT='%F %T'
export HISTTIMEFORMAT

HISTFILESIZE is the number of command records kept in the .bash_history file (the default is 1000); HISTSIZE is the number of records the history command outputs; HISTTIMEFORMAT defines the time display format, using the same "%F %T" specifiers as the date command; the export line passes HISTTIMEFORMAT to the history command so that the time is shown with each entry.
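Once HISTTIMEFORMAT is set, bash does not write the formatted time into .bash_history; it writes a "#<epoch>" comment line in front of each saved command and the history builtin renders that epoch on display. The following script is an added example, not code from the original article: it decodes such a file outside bash (for instance a backed-up copy pulled off a server), which is what an auditor needs when the interactive history command is unavailable or untrusted. The sample history content and its epochs are constructed.

```shell
#!/bin/sh
# Added example: render the "#<epoch>" timestamp lines that bash writes to
# .bash_history when HISTTIMEFORMAT is set, without needing the history builtin.

# Constructed sample of a timestamped .bash_history. The first command has no
# timestamp, as happens for entries saved before HISTTIMEFORMAT was enabled.
SAMPLE_HISTORY='ls -la
#1683868758
cat /etc/passwd
#1683868790
rm -f ~/.bash_history
'

# Format an epoch as UTC "YYYY-MM-DD HH:MM:SS"; tries GNU date first, then BSD date.
fmt_epoch() {
    date -u -d "@$1" '+%Y-%m-%d %H:%M:%S' 2>/dev/null ||
    date -u -r "$1" '+%Y-%m-%d %H:%M:%S'
}

# Read a history file on stdin and print one "<time>  <command>" line per
# command. A "#<epoch>" line only stamps the command that follows it; commands
# without one are marked "(no timestamp)" rather than inheriting an older stamp.
decode_history() {
    ts=""
    while IFS= read -r line; do
        case "$line" in
            '#'[0-9]*)
                ts="${line#\#}" ;;
            *)
                if [ -n "$ts" ]; then
                    printf '%s  %s\n' "$(fmt_epoch "$ts")" "$line"
                else
                    printf '%s  %s\n' '(no timestamp)' "$line"
                fi
                ts="" ;;
        esac
    done
}

# Usage: decode the constructed sample (in practice: decode_history < /path/to/.bash_history)
printf '%s' "$SAMPLE_HISTORY" | decode_history
```

Times are printed in UTC so that output from several servers can be compared directly; replace the -u flag if local time is preferred.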

Advanced Tips

Although the settings above record the time, they are not suitable for auditing: the records are easily tampered with or lost once an intruder is in. The method below records in detail which users logged in to the system, their IP addresses, the shell commands they ran and when they ran them, and saves this information as files in a safe location for system auditing and troubleshooting.

Put the following code into /etc/profile to achieve this.


#record history operation
# Source address of the current login session (the "(host)" field of who -u am i)
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
# Login name of the current session
LOGNAME=`who -u am i | awk '{print $1}'`
# Central directory that holds one sub-directory per login
HISTDIR=/user/share/.history
# Local logins have no remote address; use the hostname instead
if [ -z "$USER_IP" ]
then
USER_IP=`hostname`
fi

if [ ! -d "$HISTDIR" ]
then
mkdir -p "$HISTDIR"
chmod 777 "$HISTDIR"
fi

# Per-user directory: write and search only, so the user cannot list or read old files
if [ ! -d "$HISTDIR/${LOGNAME}" ]
then
mkdir -p "$HISTDIR/${LOGNAME}"
chmod 300 "$HISTDIR/${LOGNAME}"
fi

export HISTSIZE=4000

# One history file per session, named after the source address and start time
DT=`date "+%Y%m%d_%H%M%S"`
export HISTFILE="$HISTDIR/${LOGNAME}/${USER_IP}.history.$DT"
export HISTTIMEFORMAT="[%Y.%m.%d %H:%M:%S]"
chmod 600 "$HISTDIR/${LOGNAME}"/*.history* 2>/dev/null
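The snippet above produces a directory tree of the form HISTDIR/<login>/<ip>.history.<YYYYmmdd_HHMMSS>, one file per login session. The script below is an added example, not part of the original article: it walks such a tree and prints, for each session, the login name, source address, session start, number of commands and file mode, flagging any file whose mode is not the 600 the snippet sets, which is the first thing to check when the records are to be relied on for auditing. The directory layout is taken from the snippet; the logins, addresses and commands in the sample tree are constructed, and the tree is built in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example: summarise per-session history files written under HISTDIR by
# the /etc/profile snippet, and flag files with permissions looser than 600.

# Build a constructed sample tree (logins, IPs and commands are made up).
make_sample_histdir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/alice" "$dir/bob"
    printf '#1683868758\nls -la\n#1683868790\ncat /etc/hosts\n' > "$dir/alice/10.0.0.5.history.20230512_131918"
    printf '#1683872400\nsystemctl status nginx\n' > "$dir/alice/10.0.0.9.history.20230512_141900"
    printf '#1683875000\nwhoami\n' > "$dir/bob/192.168.1.20.history.20230512_150000"
    chmod 600 "$dir/alice/"*.history*
    chmod 644 "$dir/bob/"*.history*   # deliberately too permissive, to exercise the warning
    printf '%s\n' "$dir"
}

# Count command lines: every line except the "#<epoch>" timestamps bash writes
# when HISTTIMEFORMAT is set.
count_commands() {
    grep -cv '^#[0-9][0-9]*$' "$1"
}

# Print one line per session file: login, source IP, session start, command
# count and octal mode. Files whose mode is not 600 are marked PERM-WARN.
audit_history_dir() {
    for f in "$1"/*/*.history.*; do
        [ -f "$f" ] || continue
        login=$(basename "$(dirname "$f")")
        name=$(basename "$f")
        ip=${name%%.history.*}          # part before ".history."
        started=${name##*.history.}     # part after ".history."
        # GNU stat first, BSD stat as fallback
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        flag=""
        [ "$mode" = "600" ] || flag=" PERM-WARN"
        printf '%s %s %s %s %s%s\n' "$login" "$ip" "$started" "$(count_commands "$f")" "$mode" "$flag"
    done
}

# Usage: run the report over the constructed tree (in practice: audit_history_dir /user/share/.history)
HISTDIR_SAMPLE=$(make_sample_histdir)
audit_history_dir "$HISTDIR_SAMPLE"
rm -rf "$HISTDIR_SAMPLE"
```

Because the per-user directory is mode 300, an ordinary user cannot list or read the files, but root (or a backup job running as root) can run this report; copying the tree to a separate log host before reporting keeps the records out of reach of anyone who later gains root on the server.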


Statement:
This article is reproduced from yisu.com. If there is any infringement, please contact admin@php.cn for deletion.