How can you log every command typed
Solution 1
Check out auditd. If you add
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
to /etc/audit/audit.rules
every executed command will be logged. See: https://whmcr.com/2011/10/14/auditd-logging-all-commands/
Then send it to a syslog server.
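Added example, not part of this answer or of the auditd project: once those rules are loaded, each execve produces a SYSCALL record and an EXECVE record that share the event serial in msg=audit(time:serial). The Python below reconstructs the command line per event from a constructed sample of such records, decoding the hex-encoded arguments auditd emits for values containing whitespace, and flags commands whose uid differs from the login uid (auid), which is what lets you attribute commands run after su or sudo to the original login. The sample records, the "exec" key name and the subset of fields kept are assumptions.

```python
import re

# Constructed sample of what auditd writes to /var/log/audit/audit.log once
# the execve rules are loaded. Two commands were run: "ls -la" as uid 1000,
# then "sh -c 'echo hello world'" after the same login (auid 1000) became
# root. Values are made up; the record layout matches real auditd output.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a1a2b0 a1=55d0c0a1b3c0 a2=55d0c0a1c4d0 a3=8 items=2 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000000.123:4567): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000000.456:4568): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a1a2b0 a1=55d0c0a1b3c0 a2=55d0c0a1c4d0 a3=8 items=2 ppid=1234 pid=1236 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1700000000.456:4568): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F20776F726C64
"""

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')
# msg=audit(<epoch seconds>.<ms>:<serial>) ties the records of one event together.
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
# EXECVE argument fields: a0, a1, ... and long arguments split into a2[0], a2[1], ...
ARG_RE = re.compile(r'^a(\d+)(?:\[(\d+)\])?$')
HEX_RE = re.compile(r'[0-9A-Fa-f]+')

UNSET_AUID = '4294967295'  # auid when no login session owns the process (e.g. daemons)


def decode_value(raw):
    """Strip quotes from a quoted value; decode the hex blob auditd emits
    for values containing whitespace, quotes or control characters."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw and len(raw) % 2 == 0 and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw


def parse_record(line):
    """Split one audit record into (type, serial, timestamp, fields)."""
    fields = dict(KV_RE.findall(line))
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError('record without msg=audit(...) header: %r' % line)
    timestamp, serial = m.groups()
    return fields.get('type'), serial, timestamp, fields


def reconstruct_commands(log_text):
    """Merge the SYSCALL and EXECVE records that share an event serial into
    one entry per executed command, with the full argv recovered."""
    events = {}  # serial -> event dict, in order of first appearance
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rtype, serial, timestamp, fields = parse_record(line)
        ev = events.setdefault(serial, {'serial': serial, 'time': timestamp, 'args': {}})
        if rtype == 'SYSCALL':
            # auid is the login uid and survives su/sudo; uid is the current uid.
            ev['auid'] = fields.get('auid')
            ev['uid'] = fields.get('uid')
            ev['tty'] = fields.get('tty')
            ev['ses'] = fields.get('ses')
            ev['success'] = fields.get('success')
            ev['exe'] = decode_value(fields.get('exe', ''))
            ev['key'] = decode_value(fields.get('key', ''))
        elif rtype == 'EXECVE':
            for k, v in fields.items():
                m = ARG_RE.match(k)
                if m:
                    index, chunk = int(m.group(1)), int(m.group(2) or 0)
                    ev['args'].setdefault(index, {})[chunk] = decode_value(v)
    result = []
    for ev in events.values():
        # Reassemble split chunks of each argument, then order arguments by index.
        argv = [''.join(chunks[c] for c in sorted(chunks))
                for _, chunks in sorted(ev.pop('args').items())]
        ev['argv'] = argv
        ev['cmdline'] = ' '.join(argv)
        # A uid that differs from the login uid means the command ran after
        # a privilege change (su, sudo, setuid), which is worth flagging.
        ev['privilege_changed'] = (ev.get('auid') not in (None, UNSET_AUID)
                                   and ev.get('auid') != ev.get('uid'))
        result.append(ev)
    return result


if __name__ == '__main__':
    for ev in reconstruct_commands(SAMPLE_LOG):
        flag = ' [privilege change]' if ev['privilege_changed'] else ''
        print('%s auid=%s uid=%s tty=%s exe=%s : %s%s' % (
            ev['time'], ev['auid'], ev['uid'], ev['tty'], ev['exe'], ev['cmdline'], flag))
```

Because the rule hooks the execve system call rather than the shell, the record exists whether history was unset, the command was prefixed with a space, or the program was launched from inside another process; what auditd does not see is work done within an already-running process (a shell builtin, an interpreter prompt), which is the gap the session-recording approaches below cover.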
Solution 2
You can use the script command. This command is not included in POSIX, but you'll find it useful to store in a file all keystrokes as well as output and error messages. You can later view the file. If you are doing some important work and wish to keep a log of all your activities, you should invoke this command immediately after you log in:
$ script
Script started, file is typescript
$ _
(Note that this is another shell, a child of the login shell.)
The prompt returns and all your keystrokes (including the one used to backspace) that you now enter here get recorded in the file 'typescript'. After your recording is over, you can terminate the session by entering exit.
Note: If you enter script filename, the session will be stored in the file filename rather than typescript, i.e., typescript is the default if no specific filename is specified.
You can now use cat filename or cat typescript, whichever the case may be, to view the recorded session.
If you wish to append a new session to an old file, use script -a, which appends the new session to typescript; the same default rule applies here too.
This is one way in which a system admin can keep track of the sessions. Hope it has been informative and useful. Cheers!
Updated on September 18, 2022

Comments

- Tony Anderson, over 1 year ago:
  How can you log every command someone has entered into the shell?
  I'm asking on both the basis of protecting yourself if you are logged into someone else's server and something breaks, or if someone else is logged into your server (either intentionally or maliciously).
  Even a novice can bypass history with
  unset history
  or create a new shell to hide their tracks. I'm curious how the senior Linux admins track what commands have been entered or what changes have been made to the system.

- EsmaeelE, about 2 years ago: Another way to bypass bash history is to put a leading space before the command.

- 2rs2ts, almost 8 years ago: Surely execve is not the only syscall you need to log. Why not execvp as well? Or execl? etc.

- 2rs2ts, almost 8 years ago: Actually, I noticed that in the man page for exec it says that "The exec() family of functions replaces the current process image with a new process image. The functions described in this manual page are front-ends for execve(2)." So while I'm not sure about execveat, I can feel assured about the exec family.

- Martin Bories, about 4 years ago: For people stumbling upon the broken link: security.blogoverflow.com/2013/01/…

- Paul_Pedant, almost 4 years ago: That is incredibly easy to subvert: (1) open view. (2) Execute any commands you like using :! sudo whatever (3) exit view. (4) Tell the auditor you just looked at a data file, and in read-only mode anyway. Neither history nor script will tell on you.

- DeusXMachina, over 3 years ago: This was a super helpful tip. I think this is great for when the actor you want to monitor isn't malicious - i.e. yourself, if you just want a log of everything conducted during a session. This can be handy in some heavy debugging sessions.

- blaimi, over 3 years ago: You can also take a look at tlog. It's not yet in Debian (bugs.debian.org/cgi-bin/bugreport.cgi?bug=886927) but integrates very well into Cockpit and is natively supported on Red Hat.

- EsmaeelE, about 2 years ago: In Debian 10, the config file will change constantly; use /etc/audit/rules.d/audit.rules instead.