BhumiTat - Re-engineering with innovations - Automatically Record the Terminal Session Activity of All Users on Linux
This guide allows you to automatically record the terminal session activity of all users. I advise administrators to include this functionality as part of a security checklist on the mission critical
This guide allows you to automatically record the terminal session activity of all users.
I advise administrators to include this functionality as part of a security checklist on the mission critical server.
This will help you to fix the problem immediately if something goes wrong with the server by any user activity.
You can easily identify what he/she did by checking the specific user’s session activity file.
Also, it can help you get the command output whenever you want, or you can keep it for future reference.
By default everyone prefers the history command to review the previously entered commands in the terminal. Yes, it is good, but unfortunately it doesn’t show the output of previously executed commands.
This can be done using the script command. To do so, add the following script to the /etc/profile
file. It will automatically start recording the user’s terminal session whenever the user logs in.
What is script Command
Script is a UNIX command-line application that records a terminal session (in other words, it records everything that is displayed on your terminal).
It stores the output as text file in the current directory and the default filename is typescript
.
What is scriptreplay
This program replays a typescript, using timing information to ensure that output happens at the same speed as it originally appeared when the script was recorded.
How to Check if the script Command is Installed or not on Linux
The script is part of the Linux Core application and is already installed on most Linux distributions by default.
The script command is part of the “util-linux-ng” package on RHEL-based systems and the “bsdutils” package on Debian-based systems.
For RHEL based systems, use the rpm command
# rpm -qf /usr/bin/scriptutil-linux-2.32.1-8.el8.x86_64# rpm -qf /usr/bin/scriptreplayutil-linux-2.32.1-8.el8.x86_64
For Debian based systems, use the dpkg command
# dpkg -S /usr/bin/scriptbsdutils: /usr/bin/script# dpkg -S /usr/bin/scriptreplaybsdutils: /usr/bin/scriptreplay
What is /etc/profile file? And What’s their Use on Linux
The /etc/profile
file used to set global Linux system environment variables to the user’s shell. This file will be executed automatically whenever user enter the bash shell login. Open the “/etc/profile” file using your favorite text editor and add the code below.
# vi /etc/profile#Script to Record the User's Terminal Sessionif [ "x$session_record" = "x" ]thentimestamp=`date "+%m%d%Y%H%M"`output=/var/log/session/session.$USER.$$.$timestampsession_record=startedexport session_recordscript -t -f -q 2>${output}.timing $outputexitfi
Make sure that the output path /var/log/session
directory already exists on the system. If not, create it.
# mkdir /var/log/session
Change the /var/log/session
directory permission to 777
, which allows all users to write their session activity in the session directory. To learn more about Linux file permissions go to the following article.
# chmod 777 /var/log/session
How to Check if this Script Works as Expected?
All the prerequisites are done, we will run some commands in the terminal to check this experiment.
Let’s imagine that you have three users: daygeek
, magi
, and tanisha
. We will run some commands in each session to verify this test.
We run the following commands as daygeek
user.
$ uname -a$ arch$ hostname -I$ exit
We run the following commands as magi
user.
$ w$ date$ whoami$ cat /etc/centos-release$ exit
We run the following commands as tanisha
user.
$ rpm -q kernel$ history$ last reboot$ exit
We run the following commands as root
user.
# whoami# pwd# host 2daygeek.com# host magesh.co.in# exit
How to List Recorded Sessions on Linux Using the script Command
We have successfully executed some commands from all users session. Use the ls command to view recorded sessions (ls stands for list directory contents).
# ls -lh /var/log/sessiontotal 32K-rw-rw-r-- 1 daygeek daygeek 2.0K Jul 24 17:16 session.daygeek.26452.072420191715-rw-rw-r-- 1 daygeek daygeek 784 Jul 24 17:16 session.daygeek.26452.072420191715.timing-rw-rw-r-- 1 magi magi 835 Jul 24 17:14 session.magi.26394.072420191713-rw-rw-r-- 1 magi magi 591 Jul 24 17:14 session.magi.26394.072420191713.timing-rw-r--r-- 1 root root 957 Jul 24 17:18 session.root.26499.072420191717-rw-r--r-- 1 root root 864 Jul 24 17:18 session.root.26499.072420191717.timing-rw-rw-r-- 1 tanisha tanisha 555 Jul 24 17:20 session.tanisha.26545.072420191718-rw-rw-r-- 1 tanisha tanisha 528 Jul 24 17:20 session.tanisha.26545.072420191718.timing
Yes, all user’s terminal session operations are successfully registered and it was stored under the /var/log/session
directory.
How to View Recorded Sessions on Linux Using the script Command
I can say that everything went as expected without any problems, because it created all the users’ files.
Now, it’s time to look at all of the user’s recorded session data, one by one, to make sure the script captures everything we’ve implemented.
Find the daygeek
user’s session output.
# more session.daygeek.26452.072420191715Script started on Mon 24 Jul 2019 05:15:13 PM EDT[daygeek@vps1 ~]$ uname -aLinux vps1.daygeek.com 2.6.32-754.el6.x86_64 #1 SMP Tue Jun 19 21:26:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux[daygeek@vps1 ~]$ archx86_64[daygeek@vps1 ~]$ hostname -I66.70.189.137[daygeek@vps1 ~]$ exitexit
Find the magi
user’s session output.
# more session.magi.26394.072420191713Script started on Mon 24 Jul 2019 05:13:10 PM EDT[magi@vps1 ~]$ w17:13:13 up 3 days, 7:17, 4 users, load average: 0.00, 0.00, 0.00USER TTY FROM LOGIN@ IDLE JCPU PCPU WHATroot pts/0 103.5.134.167 17:00 4:13 0.29s 0.24s top -croot pts/1 103.5.134.167 17:09 27.00s 0.01s 0.01s -bashmagi pts/2 103.5.134.167 17:13 0.00s 0.00s 0.00s -bashmagi pts/3 - 17:13 0.00s 0.00s 0.00s w[magi@vps1 ~]$ dateMon Jul 24 17:13:24 EDT 2019[magi@vps1 ~]$ whoamimagi[magi@vps1 ~]$ cat /etc/centos-releaseCentOS release 6.10 (Final)[magi@vps1 ~]$ exitexit
Find the tanisha
user’s session output.
# more session.tanisha.26545.072420191718Script started on Mon 24 Jul 2019 05:18:49 PM EDT[tanisha@vps1 ~]$ rpm -q kernelkernel-2.6.32-754.el6.x86_64[tanisha@vps1 ~]$ history1 rpm -q kernel2 history[tanisha@vps1 ~]$ last rebootreboot system boot 2.6.32-696.6.3.e Fri Jul 21 09:55 - 17:20 (3+07:24)wtmp begins Fri Jul 21 09:54:02 2019[tanisha@vps1 ~]$ exitexit
Find the root
user’s session output.
# more session.root.26499.072420191717Script started on Mon 24 Jul 2019 05:17:41 PM EDT[root@vps1 ~]# whoamiroot[root@vps1 ~]# pwd/root[root@vps1 ~]# host 2daygeek.com2daygeek.com has address 104.27.157.1772daygeek.com has address 104.27.156.1772daygeek.com has IPv6 address 2400:cb00:2048:1::681b:9db12daygeek.com has IPv6 address 2400:cb00:2048:1::681b:9cb12daygeek.com mail is handled by 0 dc-7dba4d3ea8cd.2daygeek.com.[root@vps1 ~]# host magesh.co.inmagesh.co.in has address 103.212.204.46magesh.co.in mail is handled by 10 e46f668a62df45920a71fc97ebe479.pamx1.hotmail.com.[root@vps1 ~]# exitexit
All of the above output clearly show that everything is recorded without any problems.
How to Replay the Session Recorded Through scriptreplay Command
You can replay the recorded session with help of the scriptreplay command since the script has captured the timing file as well. To do so, run the file as mentioned below.
# scriptreplay --timing=session.daygeek.26452.072420191715.timing session.daygeek.26452.072420191715
Gopal
BhumiTat Technologies (OPC) Pvt. Ltd.
No comments yet. Login to start a new discussion Start a new discussion