This article is an automatic translation of the article[71ca7ee8adefbc1e3c29] below.
https://qiita.com/speaktech/items/71ca7ee8adefbc1e3c29
In the first part, when you do"bad things I think"with the vim editor, I will show you how to create an inexhaustible world to be reported.
(In this case, reporting = log output, but actions can be changed as appropriate.)
** 2018/09/29 Update:
In order to record logs only when editing is added, we made the following corrections.
· Save file hash value to environment variable when opening file with vim
· Report only when the hash value at file open is different from the hashed value after editing **
Material
- vim Editor configuration file (/etc/vimrc)
- Shell script
The bad things I think
- Edit history file - Edit the command history is"bury the mistake in the dark"bad thing
- Edit the log file - Editing the log file is"to falsify the facts"Bad
How to create a world that is not easy
1. Put a trap in the vim editor
Add the setting below to the end of the vim editor's configuration file (/etc/vimrc).
The shell script (watchvim.sh) will now be executed ** when editing the file **.
Pass the file name (<afile>) you are editing, the hash value of the file (\$PREHASH), and the user name (\$USER) as arguments.
augroup watchvim
autocmd!
autocmd BufRead * silent :let $PREHASH = system('md5sum ' . expand('%:p') . ' | awk "{print \$1}"')
autocmd BufWritePost * silent !/etc/vimrc.d/watchvim.sh <afile> $PREHASH $USER
augroup END
Also, in preparation for users using the vi editor, register vim with syntax highlight turned off as vi's alias.
(** It is not only to notice that you are using the vim editor, but also to give consideration to users who do not want to use syntax highlighting **)
# Force users to use vim instead of vi
alias vi="vim -c ':syntax off'"
2. Put a shell script to log output when a specific file is edited
First of all, I will create a placement place
mkdir /etc/vimrc.d
Place the following shell script (watchvim.sh) and configuration file (watchvim.conf) in/etc/vimrc.d/.
#!/bin/bash
PROGNAME=$(basename $0)
PROGDIR=$(dirname $0)
CONFPATH="$PROGDIR/${PROGNAME%.*}.conf"
VERSION="1.1"
usage() {
echo "
Usage:
$PROGNAME [FILE] [FILEHASH] [USER]
Description:
$PROGNAMEは、vimで編集されたファイルの名前をログ出力するためのシェルスクリプトです。
/etc/vimrcから呼び出されることを想定しています。
同一ディレクトリに配置される${PROGNAME%.*}.confに記載されたファイル一覧を監視対象とします。
/etc/vimrcにおける使用例:
autocmd BufRead * silent :let $PREHASH = system('md5sum ' . expand('%:p') . ' | awk \"{print \$1}\"')
autocmd BufWritePost,FileWritePost * silent !/etc/vimrc.d/$PROGNAME <afile> \$PREHASH \$USER
Options:
--help, -h ヘルプを表示
--version, -v バージョン情報を表示"
exit 1
}
for OPT in "$@"
do
case "$OPT" in
'-h'|'--help' )
usage
exit 1
;;
'-v'|'--version' )
echo $VERSION
exit 1
;;
-* )
echo "$PROGNAME: illegal option -- '$(echo $1 | sed 's/^-*//')'" 1>&2
exit 1
;;
*)
if [[ ! -z "$1" ]] && [[ ! "$1" =~ ^-+ ]]; then
param+=( "$1" )
shift 1
fi
;;
esac
done
if [ ${#param[@]} -ne 3 ]; then
echo "$PROGNAME: 3 arguments is required." 1>&2
echo "Try '$PROGNAME --help' for more information." 1>&2
exit 1
fi
if [ ! -e $CONFPATH ]; then
echo -e "# Created by $PROGNAME
# This is the $PROGNAME configuration file.
# $PROGNAME watches only the files you specify below and logger who edits them
# when they are edited with Vim." > $CONFPATH 2>&1
fi
set -f
for FILEPATH in `grep -v "^#" $CONFPATH`;
do
EDITFILE=`readlink -f ${param[0]}`
if [[ $EDITFILE == $FILEPATH ]]; then
EXHASH=`md5sum $EDITFILE | awk '{ print $1 }'`
if [ ${param[1]} != $EXHASH ]; then
logger -p local0.warning -t "$PROGNAME" "$EDITFILE has been edited by ${param[2]}."
fi
break
fi
done
set +f
# Created by watchvim.sh
# This is the watchvim.sh configuration file.
# watchvim.sh watches only the files you specify with absolute path below and logger who edits them.
# when they are edited with Vim.
/var/log/*
*bash_history
Change the permission so that it can be run from any user.
chmod 755 /etc/vimrc.d/watchvim.sh
chmod 644 /etc/vimrc.d/watchvim.conf
This completes the preparation.
I tried a bad thing
- I tried to edit the history file
[badman@notkind ~]$ vim /home/badman/.bash_history
(It erased the file accidentally, so delete the history of rm command ...)
Sep 25 14:51:45 notkind watchvim.sh: /home/badman/.bash_history has been edited by badman.
It will remain in the log perfectly.
- I tried editing the log file
[badman@notkind ~]$ sudo vim /var/log/yum.log
(Since I added the package without permission with yum, I will tamper with the log ...)
Sep 25 14:54:33 notkind watchvim.sh: /var/log/yum.log has been edited by badman.
This will also remain in the log as perfectly.
The realization of the unfriendly world has come closer and closer.
A postcard
By writing the file name to the setting file (watchvim.conf), you can set the monitoring target freely. Wild cards can also be used.
If you are interested, please try using it.
~~ ※ Please note that when you execute": w"with the vim editor, it will judge that it was edited even if not editing anything in the specification · · ·. ~~
** * Fixed to be notified only when edit is added in 2018/09/29 update **
In the second part, we introduce the mechanism of change detection using shell script.
I think that polishing will take place in a world that is not easy because it is a mechanism that detects whether it is a vim editor or a sed command anyway after editing.
** Thank you very much for your continued reading until the end.
We are looking for ways to create a gentle world, so if you have recommendations on how to make it, please let me know! **