Linux帐号活动审计脚本

为了防止用户滥用root等敏感帐号，并且便于管理上追踪相应的sudo活动造成的问题。简单的根据/etc/bashrc的功能实现了帐号活动记录和存档的功能。下面列出一些实现的主要步骤：首先，设置/etc/bashrc，在文件最后添加下列语句，用以建立帐号活动记录mkdir -p $HOME/.audit &>/dev/nullexport AUDIT_FILE=$HOME/.audit/$(who am i|awk '{printf("%s_%s_%s_%s.aud",$1,$2,$3,$4)}'|tr '/:' '-') &>/dev/nullexport PROMPT_COMMAND='(ts=`date "+[%Y%m%d %H:%M:%S]"` && cmd=$(echo ">>`history 1|{ read y x; echo -e "$x";}`<<@`who am i |awk \"{print \\$5}\"`") && lst_cmd=`tail -10 $AUDIT_FILE|grep "]"|tail -1|cut -d "]" -f 2-` && [[ "$lst_cmd" != "$cmd" ]] && echo "$ts$cmd") >> "$AUDIT_FILE"'然后，创建目录/usr/local/admin/，创建如下脚本audit.sh#!/bin/bash################################################################################# Note:# Please add below lines into /etc/bashrc first# mkdir -p $HOME/.audit &>/dev/null# export AUDIT_FILE=$HOME/.audit/$(who am i|awk '{printf("%s_%s_%s_%s.aud",$1,$2,$3,$4)}'|tr '/:' '-') &>/dev/null# export PROMPT_COMMAND='(ts=`date "+[%Y%m%d %H:%M:%S]"` && cmd=$(echo ">>`history 1|{ read y x; echo -e "$x";}`<<@`who am i |awk \"{print \\$5}\"`") && lst_cmd=`tail -10 $AUDIT_FILE|grep "]"|tail -1|cut -d "]" -f 2-` && [[ "$lst_cmd" != "$cmd" ]] && echo "$ts$cmd") >> "$AUDIT_FILE"'################################################################################################################################################################# Function Name: HELP_USAGE# Description: Function to display the usage of the script# Parameters: None# Return: Help messages# Called By: Script Main Loop->Script Parameters' Handler# History: 2012-SEP-17 Initial Edition DAMCOOL################################################################################function help_usage(){cat <<EOFUsage: $PROGNAME [OPTION]Audit files maintenance functions according to /etc/bashrc settings -a, --archive Archive the audit logging files older than 7 days and compress the archive file of last month as well as delete the archive over a year 365 days. -h, --help Show current help message of the script usagesNotes:Please Report Script Bugs to $AUTHOR_MAILEOFexit 1}################################################################################# Function Name: ARCHIVE_LOGGING# Description: Function to archive the audit logging files# Parameters: None# Return: None# Called By: Script Main Loop->Script Parameters' Handler# History: 2012-SEP-17 Initial Edition DAMCOOL################################################################################function archive_logging(){ local pwd_line local user_id local home_dir local tar_files local tar_file for pwd_line in $(cat /etc/passwd); do user_id=$(echo $pwd_line|awk -F ":" '{print $1}') home_dir=$(echo $pwd_line|awk -F ":" '{print $6}') if [ -d "$home_dir/.audit" ]; then cd $home_dir/.audit for tar_files in $(find -type f -name "*aud" -mtime +7 -exec basename {} \;); do tar_file="audit_"$(echo $tar_files|awk -F "_" '{print $3}'|cut -d "-" -f 1-2)".tar" [ -f "$tar_file" ] && tar -rf "$tar_file" $tar_files || tar -cf "$tar_file" $tar_files rm -f $tar_files &>/dev/null done find -type f -name "*tar" -mtime +31 | xargs -i basename {} | xargs -i bzip2 -zq9 {} &>/dev/null find -type f -name "*bz2" -mtime +365 | xargs -i basename {} | xargs -i rm -f {} &>/dev/null chown $user_id.$user_id * &>/dev/null chmod 644 * &>/dev/null fi done}################################################################################# Function Name: Script Main Loop# History: 2012-SEP-16 Initial Edition DAMCOOL################################################################################BASE_DIR=$(cd "$(dirname "$0")" && pwd)PROGNAME=$(basename "$0")AUTHOR_MAIL="[email protected]"ACRCHIVE=0HELP=0[ $# -eq 0 ] && help_usagewhile [ $# -gt 0 ]do case "$1" in (-a) ACRCHIVE=1;shift;break;; (-h) HELP=1;shift;break;; (--archive) ACRCHIVE=1;shift;break;; (--help) HELP=1;shift;break;; (*) echo "$PROGNAME: error - unrecognized option or parameter $1" 1>&2; HELP=1;break;; esac shiftdone[ $# -gt 0 ] && HELP=1[ $HELP -eq 1 ] && help_usage[ $ACRCHIVE -eq 1 ] && archive_logging && exit 0最后，创建如下cron job负责定期归档审计记录文件0 0 * * * sh /usr/local/admin/audit.sh --archive

(以上内容不代表本站观点。)
---------------------------------