Configuring Unix Systems to Log User Logins and Operations: Solaris Edition, Bourne-Again Shell
2020-6-3 16:48:25 Author: mp.weixin.qq.com

Bourne-Again Shell (bash)


This time we use the trap builtin, which none of the earlier Linux parts used.

Edit the /etc/profile file:

vi /etc/profile

Add the following content to the file, replacing 192.168.100.90 with the IP address of the resource (the host being configured):

# Add content in /etc/profile
# Log "bash sh ksh" user login and command history
# Client address: take the "(host)" field of "who am i"; if it is not a dotted
# IPv4 address, resolve the name through /etc/hosts.
up_client_ip=`(who am i|cut -d \( -f2|cut -d \) -f1)`
if ( test -z "`echo $up_client_ip|awk '($1 ~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)'`" )
then
    up_client_ip=`awk '/'$up_client_ip'/ {print $1}' /etc/hosts`
fi
up_nowtime=`(date +"%Y-%m-%d %T")`
# One HOST_LOGIN record per login session; the shell PID ($$) serves as the session id
logger -p user.notice -- class=\"HOST_LOGIN\" type=\"2\" time=\"$up_nowtime\" src_ip=\"$up_client_ip\" dst_ip=\"192.168.100.90\" primary_user=\"\" secondary_user=\"`id|cut -d\( -f2|cut -d\) -f1`\" operation=\"\" content=\"login successful\" authen_status=\"Success\" log_level=\"1\" session_id=\"$$\" 2>/dev/null
# One HOST_COMMAND record per command: bash via PROMPT_COMMAND, ksh via a DEBUG trap
case "$0" in
-bash)
    export PROMPT_COMMAND='logger -p user.notice -- class=\"HOST_COMMAND\" type=\"3\" time=\"`date +"%Y-%m-%d %T"`\" src_ip=\"$up_client_ip\" dst_ip=\"192.168.100.90\" primary_user=\"\" secondary_user=\"`id|cut -d\( -f2|cut -d\) -f1`\" operation=\"$(history 1 | { read x y; echo $y; })\" content=\"command\" authen_status=\"\" log_level=\"1\" session_id=\"$$\" 2>/dev/null;'
    ;;
-ksh)
    function log2syslog
    {
        logger -p user.notice -- class=\"HOST_COMMAND\" type=\"3\" time=\"`date +"%Y-%m-%d %T"`\" src_ip=\"$up_client_ip\" dst_ip=\"192.168.100.90\" primary_user=\"\" secondary_user=\"`id|cut -d\( -f2|cut -d\) -f1`\" operation=\"`fc -ln -0`\" content=\"command\" authen_status=\"\" log_level=\"1\" session_id=\"$$\" 2>/dev/null;
    }
    trap log2syslog DEBUG;
    ;;
esac
# Make the values read-only so the session cannot reassign them
readonly up_client_ip
readonly up_nowtime
readonly PROMPT_COMMAND
The following explains the commands above:
  • Extract the client IP address from the current login information and assign it to a variable:

up_client_ip=`(who am i|cut -d\( -f2|cut -d\) -f1)`

  • Get the current time from the system and assign it to a variable:

up_nowtime=`(date +"%Y-%m-%d %T")`

  • Use the logger command to emit a log record containing the currently logged-in account, the time, and the client address:

logger -p user.notice -- class=\"HOST_LOGIN\" type=\"2\" time=\"$up_nowtime\" src_ip=\"$up_client_ip\" dst_ip=\"192.168.100.90\" primary_user=\"\" secondary_user=\"`id|cut -d\( -f2|cut -d\) -f1`\" operation=\"\" content=\"login successful\" authen_status=\"Success\" log_level=\"1\" session_id=\"`echo $$`\" 2>/dev/null
  • Recording of operation logs uses a conditional, because each shell needs a different command to record operation logs. Note that for the Korn Shell a function is called to record all of the logs.

case "$0" in
-bash)
    export PROMPT_COMMAND='logger -p user.notice -- class=\"HOST_COMMAND\" type=\"3\" time=\"`date +"%Y-%m-%d %T"`\" src_ip=\"$up_client_ip\" dst_ip=\"192.168.100.90\" secondary_user=\"`id|cut -d\( -f2|cut -d\) -f1`\" operation=\"$(history 1 | { read x y; echo $y; })\" content=\"command\" authen_status=\"\" log_level=\"1\" session_id=\"`echo $$`\" 2>/dev/null;'
    ;;
-ksh)
    function log2syslog
    {
        logger -p user.notice -- class=\"HOST_COMMAND\" type=\"3\" time=\"`date +"%Y-%m-%d %T"`\" src_ip=\"$up_client_ip\" dst_ip=\"192.168.100.90\" secondary_user=\"`id|cut -d\( -f2|cut -d\) -f1`\" operation=\"`fc -ln -0`\" content=\"command\" authen_status=\"\" log_level=\"1\" session_id=\"`echo $$`\" 2>/dev/null;
    }
    trap log2syslog DEBUG;
    ;;
esac

Here the command given to trap is the function log2syslog; for the usage of functions in the shell, refer to the man page.

The function must be declared before the point where it is called, because a shell script is executed line by line.

FUNCTIONS

      A shell function, defined as described above under SHELL GRAMMAR, stores a series of commands for later execution. When the name of a shell function is used as a simple command name, the list of commands associated with that function name is executed. Functions are executed in the context of the current shell; no new process is created to interpret them (contrast this with the execution of a shell script). When a function is executed, the arguments to the function become the positional parameters during its execution. The special parameter # is updated to reflect the change. Special parameter 0 is unchanged. The first element of the FUNCNAME variable is set to the name of the function while the function is executing.

      All other aspects of the shell execution environment are identical between a function and its caller with these exceptions: the DEBUG and RETURN traps (see the description of the trap builtin under SHELL BUILTIN COMMANDS below) are not inherited unless the function has been given the trace attribute (see the description of the declare builtin below) or the -o functrace shell option has been enabled with the set builtin (in which case all functions inherit the DEBUG and RETURN traps), and the ERR trap is not inherited unless the -o errtrace shell option has been enabled.

      Variables local to the function may be declared with the local builtin command. Ordinarily, variables and their values are shared between the function and its caller.

      If the builtin command return is executed in a function, the function completes and execution resumes with the next command after the function call. Any command associated with the RETURN trap is executed before execution resumes. When a function completes, the values of the positional parameters and the special parameter # are restored to the values they had prior to the function's execution.

      Function names and definitions may be listed with the -f option to the declare or typeset builtin commands. The -F option to declare or typeset will list the function names only (and optionally the source file and line number, if the extdebug shell option is enabled). Functions may be exported so that subshells automatically have them defined with the -f option to the export builtin. A function definition may be deleted using the -f option to the unset builtin. Note that shell functions and variables with the same name may result in multiple identically-named entries in the environment passed to the shell's children. Care should be taken in cases where this may cause a problem.

      Functions may be recursive. No limit is imposed on the number of recursive calls.

Test results: the log records ultimately delivered to the server are as follows:

<13>Jun 30 17:21:16 bashuser: [ID 702911 user.notice] class="HOST_LOGIN" type="2" time="2011-06-30 17:21:15" src_ip="192.168.14.83" dst_ip="192.168.100.90" primary_user="" secondary_user="bashuser" operation="" content="login successful" authen_status="Success" log_level="1" session_id="27699"
<13>Jun 30 17:22:24 bashuser: [ID 702911 user.notice] class="HOST_COMMAND" type="3" time="2011-06-30 17:22:24" src_ip="192.168.14.83" dst_ip="192.168.100.90" secondary_user="bashuser" operation="uname -a" content="command" authen_status="" log_level="1" session_id="27699"
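On the receiving side the records above are only useful if they can be tied back together per session. The following POSIX sh script is an added example, not part of the original article: it parses the key="value" layout shown in the sample output, lists the commands recorded for each session_id, and flags sessions that have HOST_COMMAND records but no HOST_LOGIN record. All sample records, users and session ids in it are constructed.

```shell
#!/bin/sh
# Added example (not part of the original article): parse the Solaris syslog
# records produced by the /etc/profile snippet and rebuild, per session_id,
# the commands run in each login session. All sample records are constructed.
SAMPLE_LOG="${TMPDIR:-/tmp}/host_audit_sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT   # remove the constructed log when the script exits
cat > "$SAMPLE_LOG" <<'EOF'
<13>Jun 30 17:21:16 bashuser: [ID 702911 user.notice] class="HOST_LOGIN" type="2" time="2011-06-30 17:21:15" src_ip="192.168.14.83" dst_ip="192.168.100.90" primary_user="" secondary_user="bashuser" operation="" content="login successful" authen_status="Success" log_level="1" session_id="27699"
<13>Jun 30 17:22:24 bashuser: [ID 702911 user.notice] class="HOST_COMMAND" type="3" time="2011-06-30 17:22:24" src_ip="192.168.14.83" dst_ip="192.168.100.90" primary_user="" secondary_user="bashuser" operation="uname -a" content="command" authen_status="" log_level="1" session_id="27699"
<13>Jun 30 17:22:31 bashuser: [ID 702911 user.notice] class="HOST_COMMAND" type="3" time="2011-06-30 17:22:31" src_ip="192.168.14.83" dst_ip="192.168.100.90" primary_user="" secondary_user="bashuser" operation="ls -l /etc" content="command" authen_status="" log_level="1" session_id="27699"
<13>Jun 30 17:40:02 kshuser: [ID 702911 user.notice] class="HOST_COMMAND" type="3" time="2011-06-30 17:40:02" src_ip="" dst_ip="192.168.100.90" primary_user="" secondary_user="kshuser" operation="id" content="command" authen_status="" log_level="1" session_id="28102"
EOF

# field RECORD KEY: print the value of KEY="value" from one record
# (empty output if the key is absent or its value is empty, as for src_ip above).
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# session_commands LOGFILE SESSION_ID: print the commands logged for one
# session, one per line, in the order syslog received them.
session_commands() {
    grep 'class="HOST_COMMAND"' "$1" | grep "session_id=\"$2\"" |
    while IFS= read -r rec; do
        field "$rec" operation
    done
}

# sessions_without_login LOGFILE: session ids that have HOST_COMMAND records
# but no HOST_LOGIN record. This is the gap a reviewer should look for: the
# login logger call failed, or the trail for that session is incomplete.
sessions_without_login() {
    grep 'class="HOST_COMMAND"' "$1" | while IFS= read -r rec; do
        sid=$(field "$rec" session_id)
        grep -q "class=\"HOST_LOGIN\".*session_id=\"$sid\"" "$1" || echo "$sid"
    done | sort -u
}

# Stand-alone run: summarise every session found in the log.
for sid in $(sed -n 's/.* session_id="\([0-9]*\)".*/\1/p' "$SAMPLE_LOG" | sort -u); do
    printf 'session %s: ' "$sid"
    session_commands "$SAMPLE_LOG" "$sid" | tr '\n' ';'
    echo
done
printf 'sessions with commands but no login record: %s\n' "$(sessions_without_login "$SAMPLE_LOG")"
```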

Bourne Shell (sh)

The configuration is the same as for the Bourne-Again Shell, but the operation logs of sh users cannot be recorded: the Bourne Shell has no history facility (check the command's help, as each version differs).

Korn Shell (ksh)

The configuration is the same as for the Bourne-Again Shell.


Article source: https://mp.weixin.qq.com/s?__biz=MzI5NzAzMDg0NA==&mid=2650697982&idx=1&sn=cd59d713bdf4f8e5f6b1e3e0cbced834&chksm=f4b1952dc3c61c3ba0af1d7548386ef8c22275be37b920a0e5da618637e31d7128e9d92e4308&scene=58&subscene=0#rd