我有一个linux服务器,其中包含一个重要的脚本xyz.sh.有时会有10-50个用户登录该计算机。是否有可能找到谁在运行脚本?此外,是否可以获得所有已运行脚本xyz.sh的日志;意味着是否可以提取脚本运行的历史记录?
答案 0 :(得分:0)
有关所有者脚本的简单动态检查,您可以使用:
$ ps -e -o euid,pid,euser,state,command | grep "xyz.sh"|grep -v grep
0 31096 root S /bin/bash ./xyz.sh
1000 31030 ale S /bin/bash ./xyz.sh
应该可以使用以下脚本记录ps输出:
#!/bin/bash
SECONDS=5
TARGET=xyz.sh
OUT=/var/tmp/xyz_history.log
while true
do
sleep $SECONDS
echo "$(date '+TIME:%H:%M:%S';ps -e -opid,user,command|grep $TARGET | grep -v grep)"
done >> $OUT
exit 0
输出:
$ tail -f /var/tmp/xyz_history.log
TIME:14:13:37
496 postgres /bin/bash ./xyz.sh
625 ale /bin/bash ./xyz.sh
32137 root /bin/bash ./xyz.sh
TIME:14:13:38
496 postgres /bin/bash ./xyz.sh
625 ale /bin/bash ./xyz.sh
32137 root /bin/bash ./xyz.sh
TIME:14:13:39
496 postgres /bin/bash ./xyz.sh
625 ale /bin/bash ./xyz.sh
TIME:14:13:40
496 postgres /bin/bash ./xyz.sh
625 ale /bin/bash ./xyz.sh
...
当然,这不是一个干净的解决方案。如果您可以在系统上安装软件包并以超级用户身份运行命令,则更好的解决方案是使用lastcomm:
# lastcomm xyz.sh
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 14:12
xyz.sh X root pts/3 0.00 secs Fri Sep 11 14:00
xyz.sh X ale pts/4 0.00 secs Fri Sep 11 14:08
xyz.sh X ale pts/4 0.00 secs Fri Sep 11 14:00
xyz.sh X root pts/4 0.00 secs Fri Sep 11 13:54
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 13:51
xyz.sh X root pts/3 0.00 secs Fri Sep 11 13:42
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 13:36
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 13:36
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 13:36
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 13:36
xyz.sh X postgres pts/1 0.00 secs Fri Sep 11 13:36
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 13:36
xyz.sh X root pts/1 0.00 secs Fri Sep 11 13:36
xyz.sh X ale pts/1 0.00 secs Fri Sep 11 13:36
可以从lastcomm(centos / redhat)或psacct包(debian / ubuntu / OpenSuse)安装命令acct。