diff --git a/实时 history 监控 b/实时 history 监控
index 3774294..a9243f4 100644
--- a/实时 history 监控
+++ b/实时 history 监控
@@ -1,277 +1,100 @@ -# 创建唯一的监控系统 -cat > /usr/local/bin/cmdwatch << 'EOF' +# 创建超级简单的监控系统 +cat > /usr/local/bin/watchcmd << 'EOF' #!/bin/bash -# 配置文件 -CONFIG_DIR="/root/.cmdwatch" -LOG_FILE="$CONFIG_DIR/monitor.log" -PID_FILE="$CONFIG_DIR/pid" -LOCK_FILE="$CONFIG_DIR/lock" +LOG="/root/watch.log" +PID="/tmp/watch.pid" -# 初始化 -init_system() { - mkdir -p "$CONFIG_DIR" - touch "$LOG_FILE" -} - -# 获取客户端IP -get_client_ip() { - local ip="unknown" - [ -n "$SSH_CLIENT" ] && ip=$(echo "$SSH_CLIENT" | awk '{print $1}') - [ "$ip" = "unknown" ] && [ -n "$SSH_CONNECTION" ] && ip=$(echo "$SSH_CONNECTION" | awk '{print $1}') - echo "$ip" -} - -# 检查是否运行中 -is_running() { - if [ -f "$PID_FILE" ]; then - local pid=$(cat "$PID_FILE" 2>/dev/null) - if ps -p "$pid" >/dev/null 2>&1; then - return 0 - else - rm -f "$PID_FILE" - fi - fi - return 1 -} - -# 文件锁 -get_lock() { - exec 200>"$LOCK_FILE" - flock -n 200 && return 0 - return 1 -} - -release_lock() { - flock -u 200 -} - -# 停止所有可能的监控进程 -stop_all_monitors() { - echo "停止所有监控进程..." - # 停止当前系统 - if [ -f "$PID_FILE" ]; then - local pid=$(cat "$PID_FILE" 2>/dev/null) - [ -n "$pid" ] && kill "$pid" 2>/dev/null - fi - - # 停止其他可能运行的监控 - pkill -f "cmd_monitor" - pkill -f "monitor.sh" - pkill -f "mt" - pkill -f "mon" - pkill -f "cmdwatch" - - # 清理文件 - rm -f "$PID_FILE" - rm -f "$LOCK_FILE" - sleep 1 -} - -# 主监控函数 -start_monitoring() { - echo "启动命令监控..." - - # 设置实时history - for user_dir in /home/* /root; do - [ -d "$user_dir" ] || continue - bashrc="$user_dir/.bashrc" - [ -f "$bashrc" ] || continue - if ! 
grep -q "PROMPT_COMMAND.*cmdwatch" "$bashrc" 2>/dev/null; then - echo 'export PROMPT_COMMAND="history -a; history -c; history -r #cmdwatch"' >> "$bashrc" - fi - done - - # 启动监控进程 - ( - echo "=== 命令监控启动: $(date) ===" >> "$LOG_FILE" - declare -A file_sizes - - # 初始化文件大小 - for user_dir in /home/* /root; do - [ -d "$user_dir" ] || continue - user=$(basename "$user_dir") - history_file="$user_dir/.bash_history" - [ -f "$history_file" ] && file_sizes["$user"]=$(stat -c%s "$history_file" 2>/dev/null || echo 0) - done - - # 主监控循环 - while true; do - for user_dir in /home/* /root; do - [ -d "$user_dir" ] || continue - user=$(basename "$user_dir") - history_file="$user_dir/.bash_history" - [ -f "$history_file" ] || continue - - current_size=$(stat -c%s "$history_file" 2>/dev/null || echo 0) - last_size=${file_sizes["$user"]:-0} - - if [ "$current_size" -gt "$last_size" ]; then - new_cmd=$(tail -n 1 "$history_file" 2>/dev/null | sed 's/^[ \t]*//;s/[ \t]*$//') - if [ -n "$new_cmd" ] && [ ${#new_cmd} -gt 1 ]; then - # 过滤简单命令 - case "$new_cmd" in - ls|cd|pwd|ll|history|exit|clear|cmdwatch|"."|"..") - continue - ;; - *) - client_ip=$(get_client_ip) - timestamp=$(date '+%Y-%m-%d %H:%M:%S') - log_entry="[$timestamp] 用户:$user | 命令:$new_cmd | 来源:$client_ip" - echo "$log_entry" >> "$LOG_FILE" - file_sizes["$user"]=$current_size - ;; - esac - fi - fi - done - sleep 1 - done - ) & - - echo $! > "$PID_FILE" - echo "✅ 监控已启动 (PID: $!)" -} - -# 命令处理 case "$1" in start) - init_system - if ! 
get_lock; then - echo "❌ 监控已经在运行中" - exit 1 - fi - - if is_running; then - echo "✅ 监控已在运行中" - release_lock - exit 0 - fi - - stop_all_monitors - start_monitoring - release_lock - ;; - - stop) - init_system - stop_all_monitors - echo "✅ 所有监控已停止" - ;; - - status) - init_system - if is_running; then - pid=$(cat "$PID_FILE") - echo "✅ 监控运行中 (PID: $pid)" - echo "📝 日志文件: $LOG_FILE" - echo "📊 日志行数: $(wc -l < "$LOG_FILE" 2>/dev/null || echo 0)" - else - echo "❌ 监控未运行" - fi - ;; - - view|logs) - init_system - if [ "$2" = "-f" ] || [ "$1" = "view" ]; then - if [ -f "$LOG_FILE" ]; then - tail -f "$LOG_FILE" - else - echo "暂无日志" - fi - else - if [ -f "$LOG_FILE" ]; then - tail -20 "$LOG_FILE" - else - echo "暂无日志" - fi - fi - ;; - - install) - init_system - stop_all_monitors - - # 设置开机自启动 - echo "设置开机自启动..." - (crontab -l 2>/dev/null | grep -v "cmdwatch"; echo "@reboot /usr/local/bin/cmdwatch start >/dev/null 2>&1") | crontab - - - # 设置命令别名 - echo "设置命令别名..." - sed -i '/alias cmdwatch=/d' ~/.bashrc - echo "alias cw='/usr/local/bin/cmdwatch view'" >> ~/.bashrc - - # 启动监控 - /usr/local/bin/cmdwatch start - - source ~/.bashrc - - echo "" - echo "🎉 安装完成!" - echo "========================" - echo "使用方法:" - echo " cw # 查看实时监控" - echo " cmdwatch view # 查看实时监控" - echo " cmdwatch status # 查看状态" - echo " cmdwatch stop # 停止监控" - echo " cmdwatch logs # 查看历史日志" - ;; - - clean) - echo "🧹 彻底清理所有监控系统..." 
- # 停止所有 - pkill -f "cmd_monitor" - pkill -f "monitor.sh" + # 停止其他监控 + pkill -f "cmdwatch" + pkill -f "monitor" pkill -f "mt" pkill -f "mon" - pkill -f "cmdwatch" - - # 清理文件 - rm -rf /root/monitor - rm -rf /root/install - rm -rf /root/.cmdwatch - rm -f /usr/local/bin/mt - rm -f /usr/local/bin/mon - rm -f /tmp/*monitor* - rm -f /tmp/cmd_monitor.* - - # 清理crontab - (crontab -l 2>/dev/null | grep -v -E "(monitor|cmd_monitor|mt|mon|cmdwatch)") | crontab - - - # 清理别名 - sed -i '/alias to=/d' ~/.bashrc - sed -i '/alias mon=/d' ~/.bashrc - sed -i '/alias mt=/d' ~/.bashrc - sed -i '/alias cw=/d' ~/.bashrc + # 设置实时history + echo 'export PROMPT_COMMAND="history -a; history -c; history -r"' >> ~/.bashrc source ~/.bashrc - echo "✅ 彻底清理完成" - ;; + # 启动监控 + ( + echo "监控启动: $(date)" > "$LOG" + declare -A sizes + + while true; do + for user in /home/* /root; do + [ -d "$user" ] || continue + history_file="$user/.bash_history" + [ -f "$history_file" ] || continue + + user_name=$(basename "$user") + current=$(stat -c%s "$history_file" 2>/dev/null || echo 0) + last=${sizes["$user_name"]:-0} + + if [ "$current" -gt "$last" ]; then + cmd=$(tail -n 1 "$history_file" 2>/dev/null | tr -d '\000-\037') + if [ -n "$cmd" ] && [ ${#cmd} -gt 1 ]; then + case "$cmd" in + ls|cd|pwd|ll|history|exit|clear|watchcmd|".") + continue + ;; + *) + ip="unknown" + [ -n "$SSH_CLIENT" ] && ip=$(echo "$SSH_CLIENT" | awk '{print $1}') + echo "[$(date '+%Y-%m-%d %H:%M:%S')] $user_name: $cmd (from: $ip)" >> "$LOG" + sizes["$user_name"]=$current + ;; + esac + fi + fi + done + sleep 1 + done + ) & + echo $! 
> "$PID" + echo "监控已启动" + ;; + stop) + pkill -f "watchcmd" + rm -f "$PID" + echo "监控已停止" + ;; + view) + if [ -f "$LOG" ]; then + tail -f "$LOG" + else + echo "暂无日志" + fi + ;; + status) + if [ -f "$PID" ] && ps -p $(cat "$PID") >/dev/null 2>&1; then + echo "监控运行中 (PID: $(cat "$PID"))" + else + echo "监控未运行" + rm -f "$PID" + fi + ;; + install) + # 设置开机启动 + (crontab -l 2>/dev/null; echo "@reboot /usr/local/bin/watchcmd start >/dev/null 2>&1") | crontab - + # 设置别名 + echo "alias wc='watchcmd view'" >> ~/.bashrc + source ~/.bashrc + # 启动 + watchcmd start + echo "安装完成! 使用 'wc' 查看监控" + ;; *) - echo "命令监控系统 (cmdwatch)" - echo "========================" - echo "使用方法:" - echo " cmdwatch start # 启动监控" - echo " cmdwatch stop # 停止监控" - echo " cmdwatch status # 查看状态" - echo " cmdwatch view # 实时查看" - echo " cmdwatch logs # 查看日志" - echo " cmdwatch install # 安装配置" - echo " cmdwatch clean # 彻底清理" - echo "" - echo "安装后使用: cw # 查看实时监控" + echo "使用: watchcmd [start|stop|view|status|install]" ;; esac EOF -# 给执行权限 -chmod +x /usr/local/bin/cmdwatch +chmod +x /usr/local/bin/watchcmd -# 安装并启动 -echo "安装唯一监控系统..." -cmdwatch install +# 安装并测试 +watchcmd install # 测试 -echo "测试监控系统..." -cw +wc
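Review bot: The `pkill -f "mt"`, `pkill -f "mon"`, `pkill -f "monitor"` and `pkill -f "cmdwatch"` calls in the `start)` arm match any process whose full command line contains those substrings, so running as root they can terminate unrelated services (anything with `mon` or `mt` in its argv), and the `pkill -f "watchcmd"` in `stop)` also matches the `watchcmd stop` shell itself, so it is likely killed before `rm -f "$PID"` and the status message run; stop the recorded process instead, e.g. `[ -f "$PID" ] && kill "$(cat "$PID")" 2>/dev/null`. `PID="/tmp/watch.pid"` is a predictable name in a world-writable directory that root both writes (`echo $! > "$PID"`) and later trusts unquoted in `status)` (`ps -p $(cat "$PID")`); keep it in a root-owned location such as `/run` or next to `$LOG`, and quote the expansion. `alias wc='watchcmd view'` shadows coreutils `wc` in every interactive root shell, and when this file is executed as a script rather than pasted into a terminal the alias is not active, so the closing `wc` line would presumably invoke the real `wc` on stdin and block instead of showing the log — a non-colliding alias name avoids both problems. The `(from: $ip)` field reads `$SSH_CLIENT` from the background monitor's own environment, so it records the installer's session (or `unknown` under the `@reboot` cron entry) rather than the session that ran the command, and the `PROMPT_COMMAND` line is now appended to `~/.bashrc` on every `start` with no duplicate guard, where the removed version first checked with `grep -q`. Because each user controls their own `.bash_history`, this log is a convenience view rather than a tamper-resistant audit trail; for accountability rely on a kernel-level source such as auditd execve records.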