完善bash历史命令审核

于 2013-12-20 18:15:48 发布
阅读量1.6k 收藏
点赞数
CC 4.0 BY-SA版权
分类专栏: linux
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/reyleon/article/details/17451717

1. 下载bash-4.2版本源码包,修改其中的源代码重新编译安装:


wget http://mirrors.ustc.edu.cn/gnu/bash/bash-4.2.tar.gz


2. 修改源码包中的根目录下 config-top.h 文件.

#define SSH_SOURCE_BASHRC
#define SYSLOG_HISTORY
去掉以上两项的注释即可


3. 修改源码包中根目录下 bashhist.c 文件,大概在705行.


/* void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];


  if (strlen(line) < SYSLOG_MAXLEN)
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d UID=%d %s", getpid(), current_user.uid, line);
  else
    {
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d UID=%d %s", getpid(), current_user.uid, trunc);
    }
}
*/
注释以上的代码,添加一下代码:
# ---------------------------------------------------------------------------------------------------------------- #
void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];
     const char *p;
     p = getenv("NAME_OF_KEY");
  if (strlen(line) < SYSLOG_MAXLEN)
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d PPID=%d SID=%d  User=%s USER=%s CMD=%s", getpid(), getppid(), getsid(getpid()),  current_user.user_name, p, line);
  else
    {
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d  PPID=%d SID=%d User=%s USER=%s CMD=%s", getpid(), getppid(), getsid(getpid()), current_user.user_name, p, trunc);
    }
}
# ---------------------------------------------------------------------------------------------------------------- #


4. 编译安装,默认安装在 /usr/local/bin/ 下


./configure && make && make install


5. 用以下脚本内容重写 /root/.bashrc 文件.

# .bashrc
fcomp="/tmp/file"
authorized_keys="$HOME/.ssh/authorized_keys"
secure="/var/log/secure"
record="/var/log/login"
rsager=$(awk -vp=$PPID '/Found matching RSA key/ && $0~p {f=$NF}END{print f}' $secure)
mkdir -p $record

while read LINE
do
        echo $LINE > $fcomp
        name=$(echo $LINE|awk '{print $3}')
        nowrsa=$(ssh-keygen -lf $fcomp|awk '{print $2}')
        if [[ $rsager = $nowrsa ]];then
                NAME_OF_KEY=$name
                readonly NAME_OF_KEY
                export NAME_OF_KEY HISTFILE="$record/$name"
        fi
done < $authorized_keys
rm $fcomp

[ "$BASH_EXECUTION_STRING" ] && logger -t -bash -s "HISTORY $SSH_CLIENT USER=$NAME_OF_KEY CMD=$BASH_EXECUTION_STRING " &>/dev/null

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi

6. 修改 /etc/passwd 中的登录shell

sed -i.bak 's#/bin/bash#/usr/local/bin/bash#g' /etc/passwd
mv /bin/{bash,bash.bak}
ln -s /usr/local/bin/bash /bin/bash


重新登陆了即可.


参考: http://m.oschina.net/blog/78441

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值