history linux 日志服务器_编译bash实现history的syslog日志记录

一、编译BASH实现bash的syslog日志记录功能

1. 本文将通过bash软件实现history记录到syslog日志的功能，并通过该方式可以实现实时的传送到了远端的日志集中服务器上，可以实现操作目志的审计功能。

操作系统版本 : CentOS 6.5 x64

2. 安装6.5对应bash源码包

#安装报警告可以忽略。

warning: bash-4.1.2-15.el6_4.src.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY

warning: user mockbuild does not exist - using root

warning: group mockbuild does not exist - using root

warning: user mockbuild does not exist - using root

warning: group mockbuild does not exist - using root

warning: user mockbuild does not exist - using root

warning: group mockbuild does not exist - using root

warning: user mockbuild does not exist - using root

warning: group mockbuild does not exist - using root

warning: user mockbuild does not exist - using root

...

warning: group mockbuild does not exist - using root

warning: user mockbuild does not exist - using root

warning: group mockbuild does not exist - using root

warning: user mockbuild does not exist - using root

warning: group mockbuild does not exist - using root

warning: user mockbuild does not exist - using root

[root@localhost soft]#

安装完成后，会在当前用户主目录下创建如下目录结构。

[root@localhost ~]# pwd

/root

# ls

anaconda-ks.cfg bash-4.1.2-15.el6_4.src.rpm install.log install.log.syslog rpmbuild 公共的 模板 视频 图片 文档 下载 音乐 桌面

[root@localhost ~]# tree rpmbuild/

rpmbuild/

├── SOURCES

│ ├── bash-2.02-security.patch

│ ├── bash-2.03-paths.patch

│ ├── bash-2.03-profile.patch

│ ├── bash-2.05a-interpreter.patch

│ ├── bash-2.05b-debuginfo.patch

│ ├── bash-2.05b-manso.patch

│ ├── bash-2.05b-pgrp_sync.patch

│ ├── bash-2.05b-readline-oom.patch

│ ├── bash-2.05b-xcc.patch

│ ├── bash-3.2-audit.patch

│ ├── bash-3.2-ssh_source_bash.patch

│ ├── bash-4.0-nobits.patch

│ ├── bash41-001

│ ├── bash41-002

│ ├── bash-4.1-bind_int_variable.patch

│ ├── bash-4.1-broken_pipe.patch

│ ├── bash-4.1-defer-sigchld-trap.patch

│ ├── bash-4.1-examples.patch

│ ├── bash-4.1-logout.patch

│ ├── bash-4.1-manpage.patch

│ ├── bash-4.1-manpage_trap.patch

│ ├── bash-4.1-signal.patch

│ ├── bash-4.1.tar.gz

│ ├── bash-4.1-trap.patch

│ ├── bash-bashbug.patch

│ ├── bash-infotags.patch

│ ├── bash-requires.patch

│ ├── bash-setlocale.patch

│ ├── bash-tty-tests.patch

│ ├── dot-bash_logout

│ ├── dot-bash_profile

│ └── dot-bashrc

└── SPECS

└── bash.spec

2 directories, 33 files

2. 进入目录中，解决bash-4.1源码包目录

[root@localhost ~]# cd /root/rpmbuild/SOURCES/

[root@localhost SOURCES]# tar zxvf bash-4.1.tar.gz

[root@localhost SOURCES]# cp -a bash-4.1 bash-4.1-orig

[root@localhost SOURCES]#

[root@localhost SOURCES]# cd bash-4.1

[root@localhost bash-4.1]#

3. 修改代码段一

# vim config-top.h

#取消104行的注释,并将下面代码修改为如下内容，默认情况下日志记录在/var/log/message文件中，这调整为local1.debug指定的文件中。

/* #define SYSLOG_HISTORY */

#if defined (SYSLOG_HISTORY)

# define SYSLOG_FACILITY LOG_LOCAL1

# define SYSLOG_LEVEL LOG_DEBUG

#endif

4. 修改代码段二

# vim bashhist.c

#找到701行开始的程序段

701 void

702 bash_syslog_history (line)

703 const char *line;

704 {

705 char trunc[SYSLOG_MAXLEN];

706

707 if (strlen(line) < SYSLOG_MAXLEN)

708 syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d UID=%d %s", getpid(), current_user.uid, line);

709 else

710 {

711 strncpy (trunc, line, SYSLOG_MAXLEN);

712 trunc[SYSLOG_MAXLEN - 1] = '\0';

713 syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d UID=%d %s", getpid(), current_user.uid, trunc);

714 }

715 }

716 #endif

修改为如下内容：

void

bash_syslog_history (line)

const char *line;

{

char trunc[SYSLOG_MAXLEN];

if (strlen(line) < SYSLOG_MAXLEN)

syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PPID=%d PID=%d SID=%d UID=%d User=%s %s", getppid(), getpid(), getsid(getpid()), current_user.uid, current_user.user_name, line);

else

{

strncpy (trunc, line, SYSLOG_MAXLEN);

trunc[SYSLOG_MAXLEN - 1] = '\0';

syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PPID=%d PID=%d SID=%d UID=%d User=%s %s", getppid(), getpid(), getsid(getpid()), current_user.uid, current_user.user_name, trunc);

}

}

5. 对比修改代码

[root@localhost SOURCES]# diff -Npru bash-4.1-orig bash-4.1 > bash_history_syslog.patch

# cd ~/rpmbuild/SPECS/

# vim bash.spec

#加入两行内容，按如下格式如下，保存退出。

Patch119: bash_history_syslog.patch

…

%patch119 -p1 -b .history_syslog

…

6. 开始编译

[root@localhost SPECS]# rpmbuild -ba bash.spec

error: Failed build dependencies:

texinfo is needed by bash-4.1.2-15.el6.x86_64

再开一个窗口安装texinfo软件包。

[root@localhost SPECS]# rpmbuild -ba bash.spec

[root@localhost SPECS]# cd ~/rpmbuild/RPMS/x86_64/

7. 安装bash rpm安装包

[root@localhost ~]# cd ~/rpmbuild/RPMS/x86_64/

[root@localhost x86_64]# ls

bash-4.1.2-15.el6.x86_64.rpm bash-debuginfo-4.1.2-15.el6.x86_64.rpm bash-doc-4.1.2-15.el6.x86_64.rpm

[root@localhost x86_64]#

[root@localhost x86_64]# rpm -Uvh --force bash-4.1.2-15.el6.x86_64.rpm

Preparing... ########################################### [100%]

1:bash ########################################### [100%]

[root@localhost x86_64]#

8. 配置rsyslog日志服务

[root@localhost x86_64]# vi /etc/rsyslog.conf

#加入如下内容：

local1.debug /var/log/bash

[root@localhost x86_64]# service rsyslog restart

关闭系统日志记录器： [确定]

启动系统日志记录器： [确定]

9. 查看日志记录，成功存储用户操作日志，与history日志分开存储，并且只有root权限可以操作该日志文件，如果配置日志服务器，操作日志将传送到远程服务器。

[root@localhost ~]# tail -f /var/log/bash

Apr 13 00:47:11 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root ifconfig

Apr 13 00:47:12 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root ls

Apr 13 00:47:13 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root df -h

Apr 13 00:47:15 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root history

Apr 13 00:47:24 localhost bash: HISTORY: PPID=2471 PID=2473 SID=2473 UID=0 User=root cat /var/log/bash

Apr 13 01:19:47 localhost bash: HISTORY: PPID=26139 PID=26141 SID=26141 UID=0 User=root cat /var/log/bash

Apr 13 01:19:57 localhost bash: HISTORY: PPID=26139 PID=26141 SID=26141 UID=0 User=root ifconfig

Apr 13 01:21:07 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root ifconfig

Apr 13 01:21:17 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root w

Apr 13 01:21:20 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root df -h

Apr 13 01:21:33 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root useradd abc

Apr 13 01:21:38 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root passwd abc

Apr 13 01:21:42 localhost -bash: HISTORY: PPID=26157 PID=26159 SID=26159 UID=0 User=root su - abc

Apr 13 01:21:44 localhost -bash: HISTORY: PPID=26192 PID=26193 SID=26159 UID=500 User=abc exit

二、rsyslog日志服务器配置

1. 日志服务器配置

# vi /etc/rsyslog.conf

将其中下面四行的注释取消

$ModLoad imudp

$UDPServerRun 514

$ModLoad imtcp

$InputTCPServerRun 514

在#### GLOBAL DIRECTIVES ####中加入如下内容：

$template IpTemplate,"/var/log/%FROMHOST-IP%.log"

*.* ?IpTemplate

& ~

说明：实现在接收远程的日志为客户端IP地址命名。

然后重新启动rsyslogd服务

# service rsyslog restart

2. 日志客户端配置

# vi /etc/rsyslog.conf

local1.debug @@192.168.0.66

# 然后重新启动rsyslogd服务

# service rsyslog restart

3. 查看结果，已经可以接收结果了。

[root@testdb log]# cd /var/log

[root@testdb log]# ll

908

-rw------- 1 root root 1718 412 09:51 127.0.0.1.log

-rw------- 1 root root 272 412 09:43 192.168.0.65.log

-rw------- 1 root root 3754 412 09:51 66_history_bash

-rw-------. 1 root root 2368 109 16:55 anaconda.ifcfg.log

-rw-------. 1 root root 29331 109 16:55 anaconda.log

[root@testdb log]# tail -f 192.168.0.65.log

Apr 13 17:41:13 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root 192.168

Apr 13 17:42:40 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root sss

Apr 13 17:43:38 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root s

Apr 13 17:52:27 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root ifconfig

Apr 13 17:52:27 localhost -bash: HISTORY: PPID=2166 PID=2168 SID=2168 UID=0 User=root w