In our day to day tasks we'll be working with so many files/directories. Depending on the permission for the files/directories we might need to face some difficulties like someone might remove a file accidentally or due to some other cause. We may or may not have the backup plans but we need to be sure to know who has done that and why.
For that we have a choice which is we can use the user's history to know that. We do know that every user's command history will be logged. That history will be saved in .bash_history file. Which can also be viewed by using the history command by that specific user.
If the admin need to do audit to check the file modification history then the .bash_history file can be used.
But one primary thing is, only the command history will be logged and we will not get the time of command execution by default. For that we need to modify the user's environment to log the date and time of execution along with the command.
Step 1 :
Append the following line to .bashrc file in the user's Homedir
echo "export HISTTIMEFORMAT='%F %T '" >> ~/.bashrc
NOTE : Also add this to /etc/bashrc or /etc/skel/.bashrc to get
effected to the new users too.
Step 2 :
Append the following line to .profile or .bash_profile in the
user's homedir.
echo "source ~/.bashrc" >> ~/.profile (or)
echo "source ~/.bashrc" >> ~/.bash_profile
Now use the below script to audit the command history of the users.
Usage : bash 01.File_Mod_Hist_Check.sh < command or file_name to be verified>
By using this script not only we can log the modification history of a file but also we can check the user activity like if we want to know who have used some commands too. For example we have a scenario like below.
We have 3 users namely arjun, shrikant and vmsnivas also a shared user ubuntu. From both arjun and nivas we can switch to ubuntu using sudo. Now some one has modified a file in the temp directory namely test1.txt. I want to know who did it. At first i check for who edited the file.
bash 01.File_Mod_Hist_Check.sh test1.txt
bash 01.File_Mod_Hist_Check.sh test1.txt
I got the output like below
ubuntu 2016-04-13 07:16:10 vi test1.txt
Now i need to know who has switched to ubuntu. so i go with checking sudo. And I finally got the output.
bash 01.File_Mod_Hist_Check.sh su
---Output---
ubuntu 2016-04-13 07:16:10 vi test1.txt
Now i need to know who has switched to ubuntu. so i go with checking sudo. And I finally got the output.
bash 01.File_Mod_Hist_Check.sh su
---Output---
Usage : 01.File_Mod_Hist_Check.sh <filename>
arjun 2016-04-12 20:16:06 su shrikant
ubuntu 2016-04-13 08:27:34 sudo su -
vmsnivas 2016-04-13 07:13:27 sudo su - ubuntu
root 2016-04-15 11:05:10 ./26.File_Mod_Hist_Check.sh sudo
#!/bin/bash
# Author : Arjun Shrinivas
# Purpose : To know the modification history of a specific file
echo -e "Usage : $0 <filename>"
FILE=$1
# USERS=`grep /bin/bash /etc/passwd | grep -v root | awk -F: '{print $1}'`
USERS=`grep /bin/bash /etc/passwd | awk -F: '{print $1}'`
if [[ ! -z results.txt ]]
then
:> results.txt
fi
for i in `echo $USERS`
do
case $i in
root)
HISTORY="/root/.bash_history"
;;
*)
HISTORY="/home/$i/.bash_history"
;;
esac
ENCDATE=`sed -ne '/'"$FILE"'/{x;p;d;}' -e x $HISTORY | grep -v ^[a-z] | tail -n1`
if [[ ! -z $ENCDATE ]]
then
COMMAND=`sed -ne '/'"$ENCDATE"'/,+1p' $HISTORY | tail -n1`
MODDATE=`echo $ENCDATE | tr '#' '@'`
DATE=`date -d $MODDATE +'%F %T'`
echo -e "$i\t$DATE\t$COMMAND" >> results.txt
fi
done
more results.txt | sort -k2
No comments :
Post a Comment