Saturday, December 5, 2009

Logging interactive shell sessions to a file

Recently I wanted to find a way to log everything a user does when they log into my system. For example, you might have a vendor who logs in to one of your systems in order to modify an application. You can see that they have logged in, and you might be able to find the processes they are running using ps -ef… but what if you want a log of the entire session for a specific user?

Here is how we do it.

First I create a subdirectory under /tmp named watch which will be used for storing the log once the user exits the session. We also need to change permissions on the directory so that it is writeable by the account we want to monitor. In the following example I am using remoteuser for the user and remotegroup for the group. Modify these values to fit your needs.

watch-you@my-host > mkdir /tmp/watch
watch-you@my-host > chown remoteuser:remotegroup /tmp/watch/

Now that we have the directory set up for the log file, we need to put the magic into motion. I fumbled through attempting to set this up using the local user's .profile and .bashrc but was running into all kinds of problems when a shell session was invoked. The solution was to put the code into the system-wide profile, which can be found at /etc/profile.

Open up /etc/profile with your favorite editor (use sudo if you need to when opening the file).

watch-you@my-host > sudo vi /etc/profile

Skip to the bottom of the system profile and add the following lines at the very end.

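# Record the whole session, but only for the monitored account
if [ "$USER" = "remoteuser" ]
then
    # Timestamp used in the log file name
    dte=`date +'%Y_%m_%d_%H_%M'`
    export dte
    # -q hides script's start/stop messages; exit the login shell once script ends
    /usr/bin/script -q "/tmp/watch/$dte-session-$USER.txt" && exit
fi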

This script checks to see if the current user is “remoteuser” (the one we want to monitor). If it is, we set up a variable named dte with a timestamp and export it to the shell. Next, we call /usr/bin/script -q /tmp/watch/$dte-session-$USER.txt. This is where the magic happens. The script command is passed -q (quiet) to suppress the end-user alert that script has been activated for this session. Next we pass the script command the full path to our log file. The reason for && exit at the end is that when the user types exit wanting to leave the shell, the first exit only leaves the script command. This would alert the remoteuser that something fishy is going on. The && exit forces another exit command to be passed to the shell after the user exits the session. This allows us (the paranoid system administrator) to avoid detection.
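A hardened variant of the /etc/profile block above, as an added example that is not the original post's code: it always leaves the login shell when script ends (even if script could not open its log), adds the shell PID to the file name so two logins in the same minute do not overwrite each other, and skips nested login shells. The WATCH_* variables and watch_* function names are hypothetical; remoteuser and /tmp/watch are the post's values.

```shell
# Added example for the end of /etc/profile (POSIX sh); names are hypothetical.
WATCH_USER="remoteuser"   # account to record, as in the post
WATCH_DIR="/tmp/watch"    # log directory, as in the post

# Build the log path: $1 = user, $2 = timestamp, $3 = shell PID.
# The PID keeps two sessions started in the same minute in separate files.
watch_log_path() {
    printf '%s/%s-session-%s-%s.txt\n' "$WATCH_DIR" "$2" "$1" "$3"
}

# Succeed only if this shell should be wrapped in script(1):
# $1 = user, $2 = "1" when stdin is a terminal, $3 = current WATCH_ACTIVE.
# A non-empty WATCH_ACTIVE means we are already inside a recorded session
# (for example a nested login shell), so we do not record twice.
watch_should_record() {
    [ "$1" = "$WATCH_USER" ] && [ "$2" = "1" ] && [ -z "$3" ]
}

if [ -t 0 ]; then watch_tty=1; else watch_tty=0; fi

if watch_should_record "${USER:-}" "$watch_tty" "${WATCH_ACTIVE:-}"
then
    WATCH_ACTIVE=1
    export WATCH_ACTIVE
    watch_log=$(watch_log_path "$USER" "$(date +'%Y_%m_%d_%H_%M')" "$$")
    /usr/bin/script -q "$watch_log"
    # Plain exit instead of "&& exit": if script fails (log directory missing,
    # unwritable or full) the user is logged out rather than left in an
    # unrecorded shell. Trade-off: a broken log directory blocks the login.
    exit
fi
```

Because /tmp/watch is owned by remoteuser in this setup, the recorded account can alter or remove its own logs, so treat these files as a convenience record rather than tamper-resistant audit evidence.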

The user logs into the system and script is active. They run a few commands and log out. Once they log out, the contents of their terminal session are written to our file and left for us to review.

ssh remoteuser@my-host
watch-you@my-host > echo "WOW THATS NICE"
WOW THATS NICE
watch-you@my-host > exit

From another session cd into /tmp/watch and see if we have a file.

watch-you@my-host > cd /tmp/watch/
watch-you@my-host > ls
2009_12_05_12_05-session-remoteuser.txt

When we view the file we can see what the user was up to.

watch-you@my-host > more 2009_12_05_12_05-session-remoteuser.txt

watch-you@my-host > echo "WOW THATS NICE"
WOW THATS NICE
watch-you@my-host > exit

There you have it… a dirty way to track user sessions using the script command inside of /etc/profile.
