or /etc/bashrc
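# Keep a larger in-memory history and prefix each entry with a timestamp.
# The format string contains a space, so it MUST be quoted: unquoted, bash
# would run "%H:%M:%S" as a command with HISTTIMEFORMAT=%Y/%m/%d in its env.
# The trailing space separates the timestamp from the command in `history`.
HISTSIZE=5000
HISTTIMEFORMAT='%Y/%m/%d %H:%M:%S '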
Start the `script` session recorder only when the parent process is sshd, i.e. only for interactive SSH logins.
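# Record interactive SSH sessions with `script`.  Sourced from /etc/profile or
# /etc/bashrc.  The recorded shell is a child of `script`, not of sshd, so
# sourcing this again inside it does not recurse.
# Requires /var/log/script to exist and be writable by logging-in users.
# Non-interactive use (`ssh host cmd`, scp) has no tty and is not recorded.
#
# Ask ps for the parent's command name directly.  The previous
# `ps aux | grep $PPID | grep sshd` matched any line merely containing the
# digits of $PPID (e.g. PID 1234 for PPID 123) and the grep process itself.
P_PROC=$(ps -o comm= -p "$PPID" 2>/dev/null)
if tty -s; then
  # comm is the executable name ("sshd"), not the retitled "sshd: user@pts/0".
  if [ "$P_PROC" = sshd ]; then
    # -q: no start/stop banners; -f: flush after every write so the log is
    # complete even if the session is killed.  File name: <timestamp>_<user>.log
    script -q -f "/var/log/script/$(date '+%Y%m%d_%H%M%S')_$(whoami).log"
    # When the recorded shell ends, end the outer one too; otherwise the
    # user would fall back into an unrecorded shell.
    exit
  fi
fi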
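# One-time setup of the recording directory used by the `script` hook.
# -p makes this safe to re-run.  Mode 1733 (sticky, rwx root, wx others):
# every user can create their own recording there, but cannot list, read or
# delete other users' recordings.  The previous chmod 777 left every session
# log world-readable and world-deletable.
mkdir -p /var/log/script
chmod 1733 /var/log/script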
Remove escape sequences and color codes
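# Strip ANSI escape sequences from a `script` recording read on stdin.
# Covers every CSI sequence — ESC [ <params 0-9;?> <intermediates 0x20-0x2F>
# <final 0x40-0x7E> — i.e. colour codes (SGR, "...m") as well as cursor
# movement and erase sequences, which the original "...m"-only pattern left
# in place.  OSC sequences (ESC ] ... BEL, e.g. terminal titles) are not removed.
strip_ansi() {
  local esc
  esc=$(printf '\033')
  # LC_ALL=C: byte-wise matching, so binary-ish recordings do not trip
  # multibyte errors and the character ranges are unambiguous.
  LC_ALL=C sed -E "s#${esc}\[[0-9;?]*[ -/]*[@-~]##g"
}

# The recorder writes under /var/log/script/ (the original path
# "/var/logscript/" was a typo); xxxxx.log is a placeholder for the
# recording to convert.  `col` then filters reverse line feeds.  Reading the
# file directly avoids the extra `cat` process.
strip_ansi < /var/log/script/xxxxx.log | col > log.txt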
/etc/audit/rules.d/audit.rules
# vi /etc/audit/rules.d/audit.rules
## Rule01: audit every execve() system call (i.e. every command executed)
-a exit,always -S execve
(On multi-arch hosts such as x86_64, auditctl expects an architecture filter: add `-F arch=b64` and a second copy of the rule with `-F arch=b32`, otherwise 32-bit binaries are not covered.)
# augenrules --load    <- reload the rules from /etc/audit/rules.d/
# auditctl -l          <- list the loaded rules to confirm
/etc/audit/auditd.conf
# Number of log files to keep
num_logs = 999
# Log file size (MegaBytes)
max_log_file = 10
max_log_file_action = ROTATE
num_logs must be 999 or less (the maximum auditd accepts). Sizing examples: 10MB x 100 = 1,000MB = 1GB; 10MB x 500 = 5,000MB = 5GB; 10MB x 1000 = 10,000MB = 10GB.
/var/log/audit/audit.log
/etc/bash.bashrc.local
/etc/profile or /etc/bashrc (RHEL)
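# Send every command the shell is about to run to syslog (facility local1,
# priority notice, tag "history") from the DEBUG trap; fires once more on EXIT.
# Message: "<pid>, <login name>,<effective user>, <cwd>, <command>".
# NOTE: this is shell-level logging.  A user can `trap - DEBUG`, exec another
# shell/interpreter or use `bash --norc` to bypass it; `readonly -f` only
# stops the function from being redefined.  Use auditd, psacct or snoopy
# for a record the user cannot switch off.
log_history() {
  local login_name
  # logname fails when there is no controlling terminal (cron, `ssh host cmd`);
  # log "-" instead of printing an error to the user's stderr on every command.
  login_name=$(logname 2>/dev/null) || login_name='-'
  logger -p local1.notice -t history -i "$$, $login_name,$USER, $PWD, $BASH_COMMAND"
}
readonly -f log_history
trap log_history DEBUG EXIT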
/etc/bash.bashrc.local
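# At logout, write the session's command history (with timestamps) to a
# per-user, per-session file under /var/log/history, then clear the user's
# ~/.bash_history.  /var/log/history must exist and be writable by users
# (e.g. mode 1733, as for /var/log/script).
# Shell-level only: `trap - EXIT`, `kill -9` of the shell or `unset HISTFILE`
# defeat it; pair with auditd/psacct/snoopy for a tamper-resistant record.
save_history() {
  local login_name
  # logname has no answer without a controlling tty; fall back to "-".
  login_name=$(logname 2>/dev/null) || login_name='-'
  HISTTIMEFORMAT='%F %H:%M:%S '
  # Kept as a global (not local) as before, in case anything reads it later.
  SAVED_HISTORY_FILE="/var/log/history/.sh_history.${login_name}+${USER}.$(date +%Y%m%d%H%M%S)"
  # Quoted: the original unquoted redirection target would break on any
  # whitespace in USER or the login name.
  history > "$SAVED_HISTORY_FILE"
  # NOTE(review): bash appears to write its own history file after the EXIT
  # trap has run, which may undo this truncation — confirm on the target
  # bash version before relying on it.
  : > ~/.bash_history
}
trap save_history EXIT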
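# Turn on BSD process accounting: every executed command is recorded in
# /var/account/pacct.  "sysstemctl" in the original was a typo.
# Service/package is "psacct" on RHEL; on Debian/Ubuntu it is "acct".
systemctl status psacct
systemctl start psacct
systemctl enable psacct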
/var/account/pacct
# List the commands process accounting has recorded for one user
# (read from /var/account/pacct).
acct_user=ec2-user
lastcomm --user "$acct_user"
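# Install snoopy, a preloaded library that logs every execve() to syslog.
## Ubuntu/Debian
apt-get install snoopy
## RHEL — the package lives in EPEL ("--enalberepo" in the original was a typo)
yum install --enablerepo=epel snoopy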
/var/log/auth.log (Ubuntu/Debian)
/var/log/secure (RHEL/CentOS)
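# Confirm snoopy is logging by looking for its entries in the auth log
# (RHEL/CentOS path; on Ubuntu/Debian use /var/log/auth.log).
# grep reads the file itself — `cat file |` added a pointless extra process.
grep snoopy /var/log/secure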