How do I record all terminal input and output to a local file by default for each session?
Solution 1
If your goal is to monitor the system, you want pam_tty_audit. As the name implies, pam_tty_audit is a PAM module which, when configured properly, is invoked any time a user opens a session (and gets a TTY). The module records all input & output, and sends everything it records to the auditd daemon. You can then execute queries against the auditd daemon to view the logs.
RedHat provides a nice guide on getting started with pam_tty_audit: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Configuring_PAM_for_Auditing.html
For distros not based on RedHat or Fedora, the guide still works, but might need slight tweaks for the filenames in /etc/pam.d/.
Note that it's not completely foolproof. There are ways to execute commands without a TTY. For example when connecting via ssh, you can do ssh foo.example.com bash -i, and because a command was specified, no TTY is allocated. Though there are things you can do to prevent this.
You also want to make sure access to the log is secured. pam_tty_audit records ALL TTY activity, this includes passwords you type in.
Solution 2
If you really want to, you could make a program (or shell script) which calls script writing to a timestamped "typescript" file (and in turn calling your real shell) and make that program your default shell in /etc/passwd.
There are a few pitfalls:
- you may have to add this program to /etc/shells
- doing this sets the SHELL environment variable, which is used in various ways. Override that to avoid loops (and other misbehavior):
#!/bin/sh
# Point SHELL at the real shell so script does not start this wrapper again
SHELL=/bin/bash
export SHELL
script -c "$SHELL" "$HOME/consoleOutput_$(whoami)_$(date +'%Y_%m_%d_%H_%M_%S_%N').txt"
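A fuller version of the Solution 2 wrapper, as an added example that is not part of the original answer: it keeps the SHELL override, creates the typescript with mode 0600 because it can contain typed passwords, and handles the `ssh host command` case from Solution 1. The install name logshell, the LOG_DIR path and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not the answer's own script. Assumed names: installed as
# /usr/local/bin/logshell, real shell /bin/bash, logs under LOG_DIR.
REAL_SHELL=/bin/bash
LOG_DIR=${LOG_DIR:-/var/log/tty-sessions}

# <dir>/<user>_<timestamp>_<pid>.txt, one typescript per session.
session_log_path() {
    printf '%s/%s_%s_%s.txt\n' "$1" "$2" "$(date +%Y_%m_%d_%H_%M_%S)" "$$"
}

# sshd hands a remote command (ssh host cmd, scp) to the login shell as
# "-c <command>"; everything else is treated as an interactive session.
session_mode() {
    if [ "${1:-}" = "-c" ] && [ -n "${2:-}" ]; then
        echo command
    else
        echo interactive
    fi
}

# Create the log with mode 0600 before script(1) opens it, without changing
# the umask that the user's own session will inherit.
create_log() {
    ( umask 077 && : > "$1" )
}

main() {
    # script(1) starts $SHELL; pointing it at the real shell avoids the loop.
    SHELL=$REAL_SHELL
    export SHELL
    log=$(session_log_path "$LOG_DIR" "$(id -un)")
    create_log "$log" || exec "$REAL_SHELL" "$@"   # policy choice: fail open
    if [ "$(session_mode "$@")" = command ]; then
        # Record the command line only, then run it outside script(1) so
        # scp and similar byte streams are not pushed through a pty.
        printf 'remote command: %s\n' "$2" >> "$log"
        exec "$REAL_SHELL" "$@"
    fi
    exec script -q -c "$REAL_SHELL" "$log"
}

# Run only when invoked under the assumed install name.
case "${0##*/}" in
    logshell) main "$@" ;;
esac
```

Because script runs as the logged-in user, LOG_DIR has to be writable by that user, who can therefore still edit or delete the typescript; the auditd route in Solution 1 does not have that limitation.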
user208145
Updated on September 18, 2022
Comments
-
user208145 over 1 year
I'm aware the script command can be used to record all keyboard input and screen output to a file, but this has to be invoked each time a terminal session is started. I keep timestamped versions of my .bash_history files so old commands aren't lost after $HISTSIZE is reached. My $HISTFILE statement in .bashrc is HISTFILE=~/.bash_history_$(date '+%Y%m%d_%H_%M_%S_%N').txt. That satisfies my need to create a log of commands executed, but doesn't record the output to a file. Is there something I can put in .bashrc or .profile that will record all stdin input, and stdout & stderr output to a timestamped file? This would be handy to monitor user activity as well, but I just need it to reference in the future.
EDIT: I found that if I put
script /ramdisk/consoleOutput_$(whoami)_$(date +'%Y_%m_%d_%H_%M_%S_%N').txt ; exit
at the end of ~/.profile, for a test user, this behaved like I want.
The extra ;exit after the script command exits from the terminal. Typing "exit" when the user is logged in exits the script session. When that exits from ~/.profile, the extra "exit" then quits the SSH/terminal session. I plan on creating additional functionality which will chown the file to root and chmod 600 so only root can read it. From there, it'll be moved to a secure location.
Furthermore, the coloring is visible with cat and more. Opening it in an editor shows the control characters used to generate the color. I'm okay with that.
-
user208145 almost 8 years
I'll try that with a test user and see how well it works.
-
user208145 almost 8 years
I put the following in an executable script
#!/bin/bash
script -a "/ramdisk/consoleOutput.txt"
/bin/bash
and as a login shell, it loops infinitely. I can kill it with Ctrl+C and type exit until all those loops have exited. I can execute the program after I already login and it works as intended. Did I not do something correct with the script? After that part is working, I'll add the timestamp feature.
-
user208145 almost 8 years
Thanks. I don't want passwords showing up though.