
Building a Simple Linux Operation Audit System (2)

Date: 2011-11-06 13:59  Source: unknown  Compiled by: 寂涯网络


This way, once user zsf logs in and starts working, all of his operations are recorded to syslog. A simple test looks like this:

[root@linuxtest tmp]# tail -f /var/log/messages
Apr 18 15:27:49 linuxtest logger:    19  set
Apr 18 15:31:58 linuxtest logger:    20  ll
Apr 18 15:32:00 linuxtest logger:    21  cd /tmp
Apr 18 15:32:00 linuxtest logger:    22  ls
Apr 18 15:32:21 linuxtest logger:    23  echo "zsf test"

However, this method is very easy to discover and to bypass. A plain set command reveals PROMPT_COMMAND, and today's intruders are clever enough to start with something like unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0 so that the commands they run are never recorded in history, at which point the method above naturally stops working.

After downloading the bash source and looking through its Changelog, I found the following:

config-top.h
 - new define SYSLOG_HISTORY, disabled by default
config-bot.h
 -  if HAVE_SYSLOG or HAVE_SYSLOG_H are not defined, undef SYSLOG_HISTORY
bashhist.c
 - if SYSLOG_HISTORY is defined, call bash_syslog_history with the
   line added to the history in bash_add_history.
 - new function, bash_syslog_history(line), sends line to syslog at
   user.info.  The line is truncated to send no more than 600
   (SYSLOG_MAXLEN) bytes to syslog. Feature requested by many, and
   required by some national laws

So it seems that only one header file, config-top.h, needs to be changed:

/* Define if you want each line saved to the history list in bashhist.c:
   bash_add_history() to be sent to syslog(). */
/* #define SYSLOG_HISTORY */
#if defined (SYSLOG_HISTORY)
#  define SYSLOG_FACILITY LOG_USER
#  define SYSLOG_LEVEL LOG_INFO
#endif

Just remove the comment markers on either side of the line #define SYSLOG_HISTORY. After that change, compile and install with:

./configure --prefix=/usr/local/xbash
make
make install

Once that is done, switch the shell of the user we want to record to the new bash, e.g. in /etc/passwd:

zsf:x:500:500::/home/zsf:/usr/local/xbash/bin/bash

Now, once user zsf logs in and starts working, all of his operations are recorded to syslog. A simple test gives the following:

Apr  2 21:49:49 localhost -bash: HISTORY: PID=2732 UID=500 w
Apr  2 21:49:52 localhost -bash: HISTORY: PID=2732 UID=500 history
Apr  2 21:54:07 localhost -bash: HISTORY: PID=2732 UID=500 pwd
Apr  2 21:54:10 localhost -bash: HISTORY: PID=2732 UID=500 cd /tmp
Apr  2 21:54:15 localhost -bash: HISTORY: PID=2732 UID=500 echo "fuck"
Apr  2 21:54:29 localhost -bash: HISTORY: PID=2732 UID=500 echo "fuck" >a.log
Apr  2 21:54:32 localhost -bash: HISTORY: PID=2732 UID=500 cat a.log
Apr  2 21:54:51 localhost -bash: HISTORY: PID=2732 UID=500 ping www.baidu.com
Apr  2 21:55:00 localhost -bash: HISTORY: PID=2732 UID=500 ssh ssh.testssh.com
Apr  2 21:55:11 localhost -bash: HISTORY: PID=2732 UID=500 asdfadsf

To track users better in the log (for example, if someone logs in as user a and then runs su, the uid changes, but the sid still tells us which login session is doing the work), we make a small change to the place in the source where a history line is handed to the syslog function. The function below is bash_syslog_history() in bashhist.c; the function header and the length check are the stock bash code, and only the two syslog() calls are modified to add PPID, SID and the user name (getppid()/getsid() come from <unistd.h>, which bashhist.c already includes, and current_user is declared in shell.h):

void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];

  if (strlen (line) < SYSLOG_MAXLEN)
    /* short line: log it whole, together with the session id so that
       commands run after su can still be tied to the login session */
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL,
            "HISTORY: PID=%d PPID=%d SID=%d User=%s CMD=%s",
            getpid(), getppid(), getsid(getpid()), current_user.user_name, line);
  else
    {
      /* long line: copy at most SYSLOG_MAXLEN bytes and NUL-terminate before logging */
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL,
              "HISTORY (TRUNCATED): PID=%d PPID=%d SID=%d User=%s CMD=%s",
              getpid(), getppid(), getsid(getpid()), current_user.user_name, trunc);
    }
}

That produces output like the following:

Apr  2 22:11:08 localhost -bash: HISTORY: PID=14048 PPID=14047 SID=14048 User=zsf CMD=ping aaa
Apr  2 22:11:13 localhost -bash: HISTORY: PID=14048 PPID=14047 SID=14048
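As an added example (not code from the article), the Python script below parses the "HISTORY: PID=.. PPID=.. SID=.. User=.. CMD=.." and "HISTORY (TRUNCATED): ..." lines that the modified bash_syslog_history() emits and groups them by SID, so a root shell reached through su is attributed to the login session it came from. The sample lines are constructed for the example; the su/root lines and the sshd line are assumptions, not output captured from the article's system.

```python
import re
from collections import defaultdict

# Matches the two message shapes produced by the patched bash_syslog_history():
#   HISTORY: PID=.. PPID=.. SID=.. User=.. CMD=..
#   HISTORY (TRUNCATED): PID=.. PPID=.. SID=.. User=.. CMD=..
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"HISTORY(?P<trunc> \(TRUNCATED\))?: PID=(?P<pid>\d+) PPID=(?P<ppid>\d+) "
    r"SID=(?P<sid>\d+) User=(?P<user>\S+) CMD=(?P<cmd>.*)$"
)

def parse_history_line(line):
    """Parse one syslog line; return a dict, or None for lines from other programs."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("pid", "ppid", "sid"):
        rec[key] = int(rec[key])
    rec["truncated"] = rec.pop("trunc") is not None   # line hit SYSLOG_MAXLEN
    return rec

def sessions_by_sid(lines):
    """Group records by session id: a shell started after `su` gets a new PID and
    user name but keeps the SID of the login shell, so it stays in that session."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_history_line(line)
        if rec is not None:
            sessions[rec["sid"]].append(rec)
    return dict(sessions)

# Constructed sample input (not captured from the article's system): a zsf login
# shell, a root shell reached via su in the same session, a second zsf login whose
# line was truncated, and an unrelated sshd message that must be skipped.
SAMPLE = """\
Apr  2 22:11:08 localhost -bash: HISTORY: PID=14048 PPID=14047 SID=14048 User=zsf CMD=ping aaa
Apr  2 22:11:13 localhost -bash: HISTORY: PID=14048 PPID=14047 SID=14048 User=zsf CMD=su -
Apr  2 22:11:20 localhost -bash: HISTORY: PID=14102 PPID=14101 SID=14048 User=root CMD=id
Apr  2 22:12:01 localhost -bash: HISTORY (TRUNCATED): PID=14200 PPID=14199 SID=14200 User=zsf CMD=echo aaaa
Apr  2 22:12:05 localhost sshd[14198]: Accepted password for zsf from 10.0.0.5 port 4444 ssh2
""".splitlines()

if __name__ == "__main__":
    for sid, recs in sorted(sessions_by_sid(SAMPLE).items()):
        print(f"SID {sid}: users={sorted({r['user'] for r in recs})}")
        for r in recs:
            flag = " [truncated]" if r["truncated"] else ""
            print(f"  {r['ts']} pid={r['pid']} {r['user']}: {r['cmd']}{flag}")
```

Because the grouping key is the SID rather than the PID or UID, the `id` run as root lands in session 14048 next to the `su -` that produced it.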

Page URL: http://www.jybase.net/linux/20111106576.html
