完善bash历史命令审核

自定义bash配置与优化

最新推荐文章于 2025-09-03 20:39:55 发布

原创最新推荐文章于 2025-09-03 20:39:55 发布 · 1.6k 阅读

0 ·

CC 4.0 BY-SA版权

linux 专栏收录该内容

37 篇文章

订阅专栏

1. 下载bash-4.2版本源码包,修改其中的源代码重新编译安装:

wget http://mirrors.ustc.edu.cn/gnu/bash/bash-4.2.tar.gz

2. 修改源码包中的根目录下 config-top.h 文件.

#define SSH_SOURCE_BASHRC
#define SYSLOG_HISTORY

去掉以上两项的注释即可

3. 修改源码包中根目录下 bashhist.c 文件,大概在705行.

/* void
bash_syslog_history (line)
const char *line;
{
char trunc[SYSLOG_MAXLEN];

if (strlen(line) < SYSLOG_MAXLEN)
syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d UID=%d %s", getpid(), current_user.uid, line);
else
{
strncpy (trunc, line, SYSLOG_MAXLEN);
trunc[SYSLOG_MAXLEN - 1] = '\0';
syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d UID=%d %s", getpid(), current_user.uid, trunc);
}
}
*/
注释以上的代码,添加一下代码:
# ---------------------------------------------------------------------------------------------------------------- #
void
bash_syslog_history (line)
const char *line;
{
char trunc[SYSLOG_MAXLEN];
const char *p;
p = getenv("NAME_OF_KEY");
if (strlen(line) < SYSLOG_MAXLEN)
syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d PPID=%d SID=%d User=%s USER=%s CMD=%s", getpid(), getppid(), getsid(getpid()), current_user.user_name, p, line);
else
{
strncpy (trunc, line, SYSLOG_MAXLEN);
trunc[SYSLOG_MAXLEN - 1] = '\0';
syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d PPID=%d SID=%d User=%s USER=%s CMD=%s", getpid(), getppid(), getsid(getpid()), current_user.user_name, p, trunc);
}
}
# ---------------------------------------------------------------------------------------------------------------- #

4. 编译安装,默认安装在 /usr/local/bin/ 下

./configure && make && make install

5. 用以下脚本内容重写 /root/.bashrc 文件.

# .bashrc
fcomp="/tmp/file"
authorized_keys="$HOME/.ssh/authorized_keys"
secure="/var/log/secure"
record="/var/log/login"
rsager=$(awk -vp=$PPID '/Found matching RSA key/ && $0~p {f=$NF}END{print f}' $secure)
mkdir -p $record

while read LINE
do
        echo $LINE > $fcomp
        name=$(echo $LINE|awk '{print $3}')
        nowrsa=$(ssh-keygen -lf $fcomp|awk '{print $2}')
        if [[ $rsager = $nowrsa ]];then
                NAME_OF_KEY=$name
                readonly NAME_OF_KEY
                export NAME_OF_KEY HISTFILE="$record/$name"
        fi
done < $authorized_keys
rm $fcomp

[ "$BASH_EXECUTION_STRING" ] && logger -t -bash -s "HISTORY $SSH_CLIENT USER=$NAME_OF_KEY CMD=$BASH_EXECUTION_STRING " &>/dev/null

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi

6. 修改 /etc/passwd 中的登录shell

sed -i.bak 's#/bin/bash#/usr/local/bin/bash#g' /etc/passwd
mv /bin/{bash,bash.bak}
ln -s /usr/local/bin/bash /bin/bash

重新登陆了即可.

参考: http://m.oschina.net/blog/78441