Bash shell logging technique

In my previous post, Record command lines / terminal sessions on UNIX shell, we saw how the ‘script’ CLI records a terminal session on Unix (Linux) platforms.
There are a few other ways to monitor or log a user's shell, such as rootsh, sudosh and ttyrec. In this post, however, we will use ‘script’ to log the user's command-line shell. This is useful if you are hesitant to install any third-party tool on your Unix box, which is often the case in production environments.
It is fairly easy to invoke ‘script’ after the user logs in. Just put the following entry at the end of the ‘/etc/profile’ file.
--------------------------Start Of Shell------------------------------------
ts:~# tail /etc/profile
test -x /usr/bin/faillog && /usr/bin/faillog
/usr/bin/script -a /path/to/your/$USER.txt 2>&1

# End of /etc/profile
ts:~#
--------------------------End Of Shell------------------------------------
The ‘script’ line at the end of ‘/etc/profile’ invokes ‘script’ immediately after the user logs into the machine and appends the recorded session (the ‘-a’ option) to the file ‘/path/to/your/<YourUserName>.txt’. Everything the user types, and everything displayed at the shell prompt, is logged automatically from then on.
Be careful when using this technique: once you log out and log in again, your own session is recorded immediately as well, so the path to the file where the terminal session is recorded should be chosen carefully and secured. The path shown above is for example purposes only. Two further points a practitioner should keep in mind: ‘script’ runs with the logged-in user's privileges, so the log file is owned by that user and can be edited or truncated by them, and the user can simply type ‘exit’ in the recorded shell and land back in the unrecorded login shell. Treat this as a convenient audit trail rather than a tamper-proof control against a hostile user. Since the same technique can also be used to spy on other users' shell or terminal sessions without any third-party tools, people securing their UNIX machines should take note of this point and review what ‘/etc/profile’ launches.
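Because the one-line hook leaves those gaps open, here is a hardened version of the same ‘/etc/profile’ hook, written as an added example (these are not the post's own lines). It assumes a dedicated directory ‘/var/log/session’ created by root with ‘mkdir -m 1733 /var/log/session’, so users can create files there but cannot list, read or remove each other's; any other path works, and ‘SESSION_LOG_DIR’ and ‘SESSION_LOGGED’ are names chosen for this example. It is written for POSIX sh so it runs from ‘/etc/profile’ under bash or dash:

```shell
#!/bin/sh
# Hardened /etc/profile session-recording hook (added example, not the post's
# own two lines). /var/log/session and the SESSION_* names are assumptions.
#
# Design:
#  1. A guard variable stops the hook from re-running inside the shell that
#     'script' spawns (bash does not re-read /etc/profile there, but other
#     shells or profile fragments might).
#  2. Only interactive shells attached to a terminal are recorded, so scp,
#     sftp, cron jobs and "ssh host command" are left alone.
#  3. One file per login, named by user, time and PID, so sessions never
#     interleave and nobody appends to someone else's file.
#  4. 'exec' replaces the login shell with 'script', so typing 'exit' ends
#     the login instead of dropping the user into an unrecorded shell.

SESSION_LOG_DIR="${SESSION_LOG_DIR:-/var/log/session}"   # assumed; mkdir -m 1733

# Build the per-login file name: <dir>/<user>.<timestamp>.<pid>.log
# Kept as a pure function so the naming can be checked offline.
session_log_path() {
    # $1 user, $2 timestamp, $3 pid, $4 directory
    printf '%s/%s.%s.%s.log\n' "$4" "$1" "$2" "$3"
}

# Decide whether this shell should be recorded. Returns 0 (yes) only when:
# not already inside a recorded session, the shell is interactive ($- has
# an 'i'), stdin and stdout are a terminal, and /usr/bin/script exists.
session_log_should_record() {
    [ -z "$SESSION_LOGGED" ] || return 1
    case "$-" in *i*) ;; *) return 1 ;; esac
    [ -t 0 ] && [ -t 1 ] || return 1
    [ -x /usr/bin/script ] || return 1
    return 0
}

# Start recording. The guard is exported first so the child shell sees it.
session_log_start() {
    export SESSION_LOGGED=1
    _f=$(session_log_path "$(id -un)" "$(date +%Y%m%d-%H%M%S)" "$$" "$SESSION_LOG_DIR")
    # -q: no "Script started" banner; -a: append rather than truncate.
    # exec means there is no unrecorded shell to fall back into.
    exec /usr/bin/script -q -a "$_f"
}

if session_log_should_record; then
    session_log_start
fi
```

The sticky, write-only directory keeps users from reading or deleting each other's recordings, but each user still owns the file ‘script’ creates and can truncate it; if the recordings are meant as evidence rather than as a personal history, root should move them off the host (for example with a cron job) before the user has had a chance to touch them.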
Do you use any other method to log your shell? Let everyone know in the comments below.

By Mandar
