linux -audit审计功能

启动audit：systemctl start auditd.service

将日志文件所有者赋予一个最低权限的用户chown nobody:nobody /var/log/audit.log

给该日志文件赋予所有人的写权限：chmod 002 /var/log/audit.log

设置文件权限,使所有用户对该文件只有追加权限 ：chattr +a /var/log/audit.log

将下面这段内容添加在/etc/profile文件末尾，完事后执行source /etc/profile使之生效

HISTSIZE=1000

HISTTIMEFORMAT="%Y/%m/%d %T ";export HISTTIMEFORMAT

export HISTORY_FILE=/var/log/audit.log

export PROMPT_COMMAND='{ thisHistID=`history 1|awk "{print \\$1}"`;lastCommand=`history 1| awk "{\\$1=\"\" ;print}"`;user=`id -un`;whoStr=(`who -u am i`);realUser=${whoStr[0]};logMonth=${whoStr[2]};logDay=${whoStr[3]};logTime=${whoStr[4]};pid=${whoStr[6]};ip=${whoStr[7]};if [ ${thisHistID}x != ${lastHistID}x ];then echo -E `date "+%Y/%m/%d %H:%M:%S"` $user\($realUser\)@$ip[PID:$pid][LOGIN:$logMonth $logDay $logTime] --- $lastCommand ;lastHistID=$thisHistID;fi; } >> $HISTORY_FILE'
           

查看

vim /var/log/audit.log