基于bsd watch监控用户操作记录
前几日看到bsd下的watch命令,可以用他监控用户的操作记录,感觉非常棒,突发灵感,也闲的无聊,准备利用他监控系统用户什么登陆,登陆后都做了什么,设想如下:
1,自动监测用户,发现有新用户进来,获取他的tty ,开启watch 去监控
2.用户退出时,监控停止,监控的数据插入数据库
3,通过前台页面,调用watch的监控记录
一,监控端服务器脚本#!/usr/bin/perl
system "killall -9 watch";
open (AA,">/usr/zzxia/log");
@ttl="";
AAA:
@wda=`who`;
for ($i=0;$i<@wda;$i++) {
chomp ($wda[$i]);
@str=split(/\s+/,$wda[$i]);
$datestr=`date '+%Y-%m-%d %T'`;
system "echo 'use userlog;' > /usr/zzxia/$str.log1";
system qq ~ echo "INSERT INTO userip6 VALUES('$str','$str','$str-$str-$str','$datestr','">> /usr/zzxia/$str.log1~;
chomp ($stty=$str);
print AA "who value $stty\n";
@watchs1=`ps -ax | grep watch | grep -v grep `;
$tta=0;
for ($j=0;$j<@watchs1;$j++){
chomp ($watchs1[$j]);
@watchs=split(/\s+/,$watchs1[$j]);
chomp ($ws=$watchs);
print AA "watch is $ws\n";
if ($stty eq $ws) {
$tta=1;
}
}
if ( $tta==0 ) {
system "/usr/sbin/watch $stty >/usr/zzxia/$stty.log2& ";
$ppid1=`ps -ax | grep $stty | grep -v sshd |grep -v grep `;
@ppid2=split (/\s+/,$ppid1);
chomp ($ppid=$ppid2);
if ($ppid){
printAA"ppid is $ppid \n";
push (@ttl,"$stty,$ppid");
}
}
}
@ttl2="";
print AA "ttl is @ttl\n";
for ($l=1;$l<@ttl;$l++) {
@ttls=split(/,/,$ttl[$l]);
chomp ($kpid=$ttls);
chomp ($ktty=$ttls);
$sp=`ps -aux |grep $kpid |grep -v grep`;
if ( !$sp)
{
system "cat /usr/zzxia/$ktty.log1 /usr/zzxia/$ktty.log2>/usr/zzxia/$ktty.log3 ";
system qq~echo "');">>/usr/zzxia/$ktty.log3~;
system "rm /usr/zzxia/$ktty.log1 /usr/zzxia/$ktty.log2 ";
printAA "mysql -h 192.168.0.1 -utest -ptest </usr/zzxia/$ktty.log3\n";
`mysql -h 192.168.0.1 -utest -ptest </usr/zzxia/$ktty.log3`;
system "rm /usr/zzxia/$ktty.log3";
}else {
push (@ttl2,"$ktty,$kpid");
}
}
@ttl=@ttl2;
sleep(3);
goto AAA;动行脚本checklogin.pl &以后台的方式 运行,运行后会在/usr/zzxia/目录下生成以tty开头的临时份件,程序运行状态可查看log文件,
转载出处! http://bbs.linuxtone.org/thread-261-1-1.html
页:
[1]