一、
如果不要求对历史记录做审计,只需修改 /etc/profile 文件即可:
[root@Check1 ~]# vim /etc/profile export HISTTIMEFORMAT="[%Y.%m.%d %H:%M:%S - $USER_IP $USER_SHELL $USER] " export HISTTIMEFORMAT="%F %T `who am i | awk '{print \$1\" \"\$2\" \"\$5}'`# " [root@Check1 ~]# source /etc/profile
二、
如果要求每个终端、每个用户实时执行的命令都保存到同一个文件里,
以便日后查证,将如下代码直接复制到终端里执行即可
日志位置在/var/log/usermonitor/usermonitor.log
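#history modify
# Per-user command logging through PROMPT_COMMAND. Paste as root.
#
# Limits to keep in mind before relying on this as an audit trail:
#  - It is advisory: a user can unset PROMPT_COMMAND or use another shell,
#    and non-interactive commands are never logged.
#  - Every user can append to the log, so entries can be forged; chattr +a
#    only prevents truncation and deletion.
#  - For tamper-resistant records use auditd execve rules or pam_tty_audit,
#    and forward the logs off-host.

# The directory stays root-owned and not writable by others: root's cron job
# runs history.sh from here, so nobody else may create or replace files in it.
# It needs the search (x) bit, otherwise users cannot open the log for append.
mkdir -p /var/log/usermonitor
chown root:root /var/log/usermonitor
chmod 0711 /var/log/usermonitor

# Write-only for others (002) plus the append-only attribute.
touch /var/log/usermonitor/usermonitor.log
chown nobody:nobody /var/log/usermonitor/usermonitor.log
chmod 002 /var/log/usermonitor/usermonitor.log
chattr +a /var/log/usermonitor/usermonitor.log

# Quoted 'EOF': the $(...) parts must be written literally and evaluated at
# every prompt, not expanded once while this installer runs.
# printf is used so that a '%' in the logged command is not treated as a
# date format sequence. The grep guard avoids duplicate entries on re-run.
if ! grep -qF 'usermonitor/usermonitor.log' /etc/profile; then
cat >> /etc/profile << 'EOF'
export HISTORY_FILE=/var/log/usermonitor/usermonitor.log
export PROMPT_COMMAND='{ printf "%s ## %s ## %s ## %s\n" "$(date "+%y-%m-%d %T")" "$(who am i | awk "{print \$1\" \"\$2\" \"\$5}")" "$(whoami)" "$(history 1 | { read -r x cmd; printf "%s" "$cmd"; })"; } >>"$HISTORY_FILE"'
EOF
fi
source /etc/profile

# Rotation script: written to the path the cron entry below runs (not
# appended to /etc/profile), again with a quoted delimiter so its variables
# and command substitutions are evaluated when the script runs.
cat > /var/log/usermonitor/history.sh << 'EOF'
#!/bin/bash
# Rotate the usermonitor log and delete rotated copies older than 30 days.
#Time=`date +%Y%m%d%H -d '-1 hours'`
Time=$(date +%Y%m%d%H)
logs_path="/var/log/usermonitor/"
logs_name="usermonitor.log"
new_file="$logs_path$logs_name-$Time"

# The append-only attribute has to be lifted before the file can be renamed.
chattr -a "$logs_path$logs_name"
mv "$logs_path$logs_name" "$new_file"
chattr +a "$new_file"
touch "$logs_path$logs_name"
chown nobody:nobody "$logs_path$logs_name"
chmod 002 "$logs_path$logs_name"
chattr +a "$logs_path$logs_name"

# Only rotated copies are candidates; handle each file separately so several
# matches (or names with spaces) do not break the test or the rm.
find "$logs_path" -mtime +30 -type f -name "usermonitor.log-*" -print0 |
  while IFS= read -r -d '' old_file; do
    echo "delet $old_file $Time" >> /var/log/messages
    chattr -a "$old_file"
    rm -f -- "$old_file"
  done
EOF
chown root:root /var/log/usermonitor/history.sh
chmod 0700 /var/log/usermonitor/history.sh

# Weekly rotation (Saturday 10:30); skip if the entry is already present.
if ! grep -qF '/var/log/usermonitor/history.sh' /var/spool/cron/root 2>/dev/null; then
  echo "30 10 * * 6 /bin/bash /var/log/usermonitor/history.sh > /dev/null 2>&1" >> /var/spool/cron/root
fi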