How do I record all terminal input and output to a local file by default for each session?


Solution 1

If your goal is to monitor the system, you want pam_tty_audit. As the name implies, pam_tty_audit is a pam module which when configured properly, is invoked any time a user opens a session (and gets a TTY). The module records all input & output, and sends everything it records to the auditd daemon. You can then execute queries against the auditd daemon to view the logs.

RedHat provides a nice guide on getting started with pam_tty_audit: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Configuring_PAM_for_Auditing.html
For distros not based on RedHat or Fedora, the guide still works, but might need slight tweaks for the filenames in /etc/pam.d/.

Note that it's not completely foolproof. There are ways to execute commands without a TTY. For example when connecting via ssh, you can do ssh foo.example.com bash -i, and because a command was specified, no TTY is allocated. Though there are things you can do to prevent this.

You also want to make sure access to the log is secured. pam_tty_audit records ALL TTY activity, this includes passwords you type in.

Solution 2

If you really want to, you could make a program (or shell script) which calls script writing to a timestamped "typescript" file (and in turn calling your real shell) and make that program your default shell in /etc/passwd.

There are a few pitfalls:

  • you may have to add this program to /etc/shells
  • doing this sets the SHELL environment variable, which is used in various ways. Override that to avoid loops (and other misbehavior):
    #!/bin/sh
    SHELL=/bin/bash
    export SHELL
    script -c "$SHELL" "$HOME/consoleOutput_$(whoami)_$(date +'%Y_%m_%d_%H_%M_%S_%N').txt"
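The wrapper sketched in Solution 2, fleshed out as an added example that is not code from the answer or from any project: it forces SHELL to the real shell so that script(1) does not start the wrapper again (the loop reported in the comments below), refuses to log into a missing or world-writable directory, creates the typescript with mode 0600 via umask, and passes sshd's "-c command" form through so that sessions started with a command are recorded as well (script always allocates a pseudo-terminal, which covers the "no TTY allocated" case Solution 1 warns about on this path). The install path /usr/local/bin/logshell, the log directory /var/log/session, the LOGSHELL_CMD variable and all function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the answer above: a login-shell wrapper that
# records every session with script(1) while avoiding the recursion pitfall.
# Assumptions (hypothetical, adjust to the host): the wrapper is installed as
# /usr/local/bin/logshell and listed in /etc/shells, the real shell is
# /bin/bash, and logs go to /var/log/session, which must already exist.

REAL_SHELL=/bin/bash
LOG_DIR=${LOG_DIR:-/var/log/session}

# Per-user, per-session log name, e.g.
# /var/log/session/alice_20240101_120000_000000000.typescript
build_log_path() {
    printf '%s/%s_%s.typescript\n' "$1" "$2" "$3"
}

# Refuse to log into a directory that is missing or world-writable: another
# local user could otherwise plant a symlink where the typescript is created.
log_dir_ok() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -prune -perm -002 -print)" ]
}

# Build the command string handed to "script -c". sshd invokes the login shell
# as "shell -c 'command'" when the client supplied a command, so the -c form
# is passed through; the command itself travels in an environment variable
# (LOGSHELL_CMD) so it never has to be re-quoted inside this string.
script_command() {
    shell=$1; shift
    if [ "${1:-}" = "-c" ] && [ "$#" -ge 2 ]; then
        printf '%s -c "$LOGSHELL_CMD"\n' "$shell"
    else
        printf '%s -l\n' "$shell"          # -l: interactive login shell
    fi
}

main() {
    # Force SHELL to the real shell; otherwise script(1) and anything else
    # that consults $SHELL would start this wrapper again.
    SHELL=$REAL_SHELL; export SHELL

    if ! log_dir_ok "$LOG_DIR"; then
        printf 'logshell: %s missing or world-writable, refusing to start\n' "$LOG_DIR" >&2
        exit 1
    fi

    umask 077   # the typescript is created mode 0600, owned by the user
    log=$(build_log_path "$LOG_DIR" "$(id -un)" "$(date +%Y%m%d_%H%M%S_%N)")

    if [ "${1:-}" = "-c" ] && [ "$#" -ge 2 ]; then
        LOGSHELL_CMD=$2; export LOGSHELL_CMD
    fi
    cmd=$(script_command "$SHELL" "$@")
    exec script -q -c "$cmd" "$log"   # exec: the session ends when script does
}

# Run only when installed under the wrapper's name, so the functions above can
# be sourced or tested without starting a recording session.
case "$(basename -- "$0")" in
    logshell) main "$@" ;;
esac
```

The typescript ends up readable only by the user who produced it, so the chown-to-root step the asker describes is still needed if the goal is a record the user cannot tamper with; a root-owned, non-world-writable log directory is what the log_dir_ok check enforces before any file is created.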
Author: user208145

Updated on September 18, 2022

Comments

  • user208145
    user208145 over 1 year

    I'm aware the script command can be used to record all keyboard input and screen output to a file, but this has to be invoked each time a terminal session is started. I keep timestamped versions of my .bash_history files so old commands aren't lost after $HISTSIZE is reached. My $HISTFILE statement in .bashrc is HISTFILE=~/.bash_history_$(date '+%Y%m%d_%H_%M_%S_%N').txt. That satisfies my need to create a log of commands executed, but doesn't record the output to a file. Is there something I can put in .bashrc or .profile that will record all stdin input, and stdout & stderr output to a timestamped file? This would be handy to monitor user activity as well, but I just need it to reference in the future.

    EDIT: I found that if I put

    script /ramdisk/consoleOutput_$(whoami)_$(date +'%Y_%m_%d_%H_%M_%S_%N').txt ; exit

    at the end of ~/.profile, for a test user, this behaved like I want.

    The extra ;exit after the script command exits from the terminal. Typing "exit" when the user is logged in exits the script session. When that exits from ~/.profile, the extra "exit" then quits the SSH/terminal session. I plan on creating additional functionality which will chown the file to root and chmod 600 so only root can read it. From there, it'll be moved to a secure location.

    Furthermore, the coloring is visible with cat and more. Opening it in an editor shows the control characters used to generate the color. I'm okay with that.

  • user208145
    user208145 almost 8 years
    I'll try that with a test user and see how well it works.
  • user208145
    user208145 almost 8 years
    I put the following in an executable script #!/bin/bash script -a "/ramdisk/consoleOutput.txt" /bin/bash and as a login shell, it loops infinitely. I can kill it with Ctrl+C and type exit until all those loops have exited. I can execute the program after I already login and it works as intended. Did I not do something correct with the script? After that part is working, I'll add the timestamp feature.
  • user208145
    user208145 almost 8 years
    Thanks. I don't want passwords showing up though.