Under Linux, the history command shows the commands the current user has run in the shell. By default bash also saves them to the .bash_history file in the user's home directory, so the command history can be inspected later, which helps operations staff with system auditing and troubleshooting. After a server has been compromised, the same file records what the intruder typed after logging in. Intruders know this, however, and commonly delete or truncate .bash_history to cover their tracks, so the file needs to be backed up, or better, written somewhere the user cannot simply remove it.
By default the history command lists the commands a user ran but not when each one was run, which is inconvenient when investigating an incident. To make bash record the execution time of every command, add the following four lines to /etc/bashrc (on Debian-based systems the equivalent file is /etc/bash.bashrc):
The code is as follows:
# keep 4000 entries in the file and in memory
HISTFILESIZE=4000
HISTSIZE=4000
# date and time in front of every entry; the trailing space keeps the
# timestamp separate from the command text
HISTTIMEFORMAT='%F %T '
export HISTTIMEFORMAT
HISTFILESIZE is the maximum number of lines kept in .bash_history (bash's built-in default is 500; most distributions raise it to 1000 or more in their default profile or .bashrc). HISTSIZE is the number of commands the running shell keeps in memory, and therefore the most the history command will list. HISTTIMEFORMAT is a strftime format string, the same format the date command accepts after a +, so '%F %T' gives the date and the time. Once it is set, bash writes the time of each command into .bash_history as a "#<epoch seconds>" comment line in front of the command and history prints that time in the chosen format; exporting the variable passes it on to child shells. Note that commands recorded before the variable was set carry no timestamp, and history shows the same time (when the shell loaded the file) for all of them.
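Because the timestamps live in the file as "#<epoch>" comment lines, a recovered .bash_history can be turned back into a dated timeline without the shell that wrote it. The following script is an added example, not code from the original article: it renders such a file, printing "[no timestamp]" for entries that predate HISTTIMEFORMAT. The sample history file it builds is constructed for the demonstration; the epoch values in it are arbitrary.

```shell
#!/bin/sh
# Added example (not from the original article): render a .bash_history file
# that bash wrote with HISTTIMEFORMAT set. bash stores the time of each command
# as a comment line "#<epoch seconds>" immediately before the command, so the
# file can be read back as a timeline without a live shell. Entries that were
# recorded before HISTTIMEFORMAT was set have no "#<epoch>" line and are
# printed with "[no timestamp]".

render_history() {
    file=$1
    ts=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#'[0-9]*)
                # timestamp marker written by bash; applies to the next command
                ts=${line#\#}
                ;;
            *)
                if [ -n "$ts" ]; then
                    # UTC output so the result does not depend on the local TZ
                    printf '[%s] %s\n' "$(date -u -d "@$ts" +'%F %T')" "$line"
                    ts=""
                else
                    printf '[no timestamp] %s\n' "$line"
                fi
                ;;
        esac
    done < "$file"
}

# Constructed sample file in the exact on-disk format bash uses (assumption:
# the epoch values are arbitrary; 1700000000 is 2023-11-14 22:13:20 UTC).
make_sample_history() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
cd /var/log
#1700000000
ls -la
#1700000042
tail -n 50 auth.log
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_history)
render_history "$sample"
rm -f "$sample"
```

Point render_history at a copy of a user's .bash_history (or at one of the per-session files produced by the /etc/profile snippet later on this page) to get a readable timeline for an investigation.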
Advanced Tips
Recording the time solves only half of the problem: a user's own .bash_history is still a poor audit trail, because the user, or an intruder running as that user, can edit or delete it. The method below records, for every login session, the login name, the source IP address, the commands run and their execution times, and writes them to a file under a central directory instead of the user's home directory, so the information is preserved for auditing and troubleshooting. It still relies on bash cooperating: a shell started with HISTFILE unset or history disabled, or one killed with SIGKILL, writes nothing, so against a determined intruder this raises the bar rather than closing the gap, and kernel-level auditing (for example auditd) remains the stronger control.
Put the following code into /etc/profile, which is read by login shells, to achieve this. Create /usr/share/.history as root beforehand if root has not logged in yet, since an ordinary user cannot create a directory under /usr/share. The code is as follows:
# record history per login session: who logged in, from where, what they ran, and when
# the source address is the "(host)" field of "who -u am i"; "who am i" reports the
# original login user even after su, which is what we want to record
USER_IP=`who -u am i 2>/dev/null | sed -n 's/.*(\([^)]*\)).*/\1/p'`
LOGIN_USER=`who am i 2>/dev/null | awk '{print $1}'`
HISTDIR=/usr/share/.history
if [ -z "$USER_IP" ]
then
    # console login or no controlling tty: fall back to the local hostname
    USER_IP=`hostname`
fi
if [ -z "$LOGIN_USER" ]
then
    LOGIN_USER=${LOGNAME:-$USER}
fi
if [ ! -d "$HISTDIR" ]
then
    # world-writable so every user can create a subdirectory; the sticky bit
    # stops users from removing directories they do not own
    mkdir -p "$HISTDIR"
    chmod 1777 "$HISTDIR"
fi
if [ ! -d "$HISTDIR/$LOGIN_USER" ]
then
    # write+search only: the owner can create history files but cannot list them
    mkdir -p "$HISTDIR/$LOGIN_USER"
    chmod 300 "$HISTDIR/$LOGIN_USER"
fi
export HISTSIZE=4000
export HISTFILESIZE=4000
# one file per session: <source address>.history.<YYYYmmdd_HHMMSS>
DT=`date +"%Y%m%d_%H%M%S"`
export HISTFILE="$HISTDIR/$LOGIN_USER/$USER_IP.history.$DT"
# trailing space keeps the timestamp separate from the command text
export HISTTIMEFORMAT="[%Y.%m.%d %H:%M:%S] "
chmod 600 "$HISTDIR/$LOGIN_USER"/*.history* 2>/dev/null
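The weak point of the profile snippet is the line that extracts the source address: taking the last field of "who -u am i" only works for remote sessions, because for a console login the last field is the PID, not an address in parentheses, and the empty-string check never triggers. The script below is an added example, not code from the original article; it reproduces the file-naming logic as functions that take the who line as a string, so the remote, console and no-tty cases can be exercised on constructed input. The who lines, the TEST-NET address and the host name srv01 are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): derive the per-session history
# file name built by the /etc/profile snippet, from a "who -u am i" line passed
# in as a string so the logic can be tested on constructed input. Unlike the
# original "print $NF" trick, a console login (no "(host)" field) and an empty
# line (no controlling tty) both fall back to the supplied host name.

# Print the remote host or IP from a "who -u" line, or the fallback when the
# line has no parenthesised "(host)" field or is empty.
login_origin() {
    line=$1
    fallback=$2
    origin=$(printf '%s\n' "$line" | sed -n 's/.*(\([^)]*\)).*/\1/p')
    printf '%s\n' "${origin:-$fallback}"
}

# Compose HISTFILE as <histdir>/<login name>/<origin>.history.<YYYYmmdd_HHMMSS>.
# $3 is the login time as epoch seconds, so the name is reproducible; the
# profile snippet uses the current time instead.
session_histfile() {
    histdir=$1
    wholine=$2
    epoch=$3
    fallback=$4
    user=$(printf '%s\n' "$wholine" | awk '{print $1}')
    origin=$(login_origin "$wholine" "$fallback")
    stamp=$(date -u -d "@$epoch" +'%Y%m%d_%H%M%S')
    printf '%s/%s/%s.history.%s\n' "$histdir" "${user:-unknown}" "$origin" "$stamp"
}

# Constructed sample lines in the layout of "who -u am i" output (assumption:
# the users, TEST-NET address 203.0.113.5 and host srv01 are made up).
REMOTE_LINE='alice    pts/1        2024-03-01 09:15   .         4242 (203.0.113.5)'
CONSOLE_LINE='bob      tty1         2024-03-01 08:00  00:12      1313'

# remote ssh session: address comes from the who line
session_histfile /usr/share/.history "$REMOTE_LINE" 1709284500 srv01
# console session: no address field, so the host name is used instead
session_histfile /usr/share/.history "$CONSOLE_LINE" 1709280000 "${HOSTNAME:-srv01}"
```

The sed expression keeps only what is between the parentheses, which is also what the 's/[()]//g' in the original snippet intended, but it yields an empty string rather than a PID when there are no parentheses, so the fallback to the host name actually fires.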
This concludes the article on how to use the Linux shell command history recording function. For more information, see the related articles on the PHP Chinese website.