AIX


Script to capture users activity

  • 1.  Script to capture users activity

    Posted Mon March 15, 2010 06:30 AM

    Originally posted by: bhimsingh


    Hi Group ,

    I am looking for a script which can capture the user's activities from the moment the user logs into the system and record all the commands and their output in some file. Could someone please help me either in writing the script or, if someone already has one, please share it.

    Thanks in advance.

    Regards
    Bhim


  • 2.  Re: Script to capture users activity

    Posted Mon March 15, 2010 07:25 AM

    Originally posted by: SystemAdmin


    How about putting "typescript" in their login profile?

    r/
    R


  • 3.  Re: Script to capture users activity

    Posted Mon March 15, 2010 07:29 AM

    Originally posted by: GurpreetSingh


    Hi Bhim,

    Yes, it's the best idea to create a typescript using the script command.

    script -a logfile

    Thanks & Regards,
    Gurpreet Singh


  • 4.  Re: Script to capture users activity

    Posted Tue March 16, 2010 03:14 AM

    Originally posted by: bhimsingh


    Hi Gurdeep,

    Yes, I started with script itself and added it into the /etc/profile file. The moment a user logs in, it makes an entry in the given file saying that the script has started, but it populates all the commands and their outputs into the file only when the user exits; it is not capturing into the file in real time. It works perfectly fine in the case where users leave the system properly with the exit command, but some users close the terminal directly and I am worried their activities would not be captured in this file.

    Code added into the /etc/profile file:

    dt1=`date +%d%m%y`
    LOG=`whoami`
    echo $LOG
    FL_NAME=`who am i | awk -F " " '{print $1"."$NF}'`

    if ; then
    /usr/bin/script -a /var/msgs/$FL_NAME.$dt1
    else

    find /var/msgs/ -type f -mtime +60 -atime +60 -exec rm -f {} \;

    fi

    Any idea how to tackle this situation?

    Regards
    Bhim


  • 5.  Re: Script to capture users activity

    Posted Tue March 16, 2010 05:07 PM

    Originally posted by: brook k


    Have you considered using mkfifo for the destination file then sending the fifo to the log file?

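    tempvar=$$
    user="`logname`.$tempvar"
    myfifo=/tmp/$user
    /usr/bin/rm -rf $myfifo
    # create the named pipe that script will write to
    /usr/bin/mkfifo $myfifo
    # start the reader first so script does not block when it opens the fifo
    cat $myfifo >/tmp/logdir/$user.log 2>&1 &
    # record the session into the fifo
    /usr/bin/script $myfifo

    URL explaining it.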

    http://linuxshellaccount.blogspot.com/2008/07/using-screen-script-mkfifo-and.html
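
The fifo arrangement suggested above, as an added example that is not part of the original post: the reader is started before the writer, each line is timestamped into the log as it arrives, and the writer is a constructed stand-in for `script` that dies without exiting cleanly. The function names, the per-session directory and the sample output are assumptions, and real-time capture assumes the recorder writes each line through as it is produced.

```shell
#!/bin/sh
# Added example: real-time capture through a named pipe (names are illustrative).

# start_capture LOGDIR: create a private fifo and a background reader that
# appends each line to LOGDIR/<user>.<pid>.log as soon as it arrives.
start_capture() {
    umask 077                      # fifo and log readable by the owner only
    sessdir=${TMPDIR:-/tmp}/capture.$$
    # mkdir fails if the path already exists, so a pre-planted file or
    # symlink under /tmp is refused instead of being followed.
    mkdir "$sessdir" || return 1
    fifo=$sessdir/session.fifo
    log=$1/$(id -un).$$.log
    mkfifo "$fifo" || return 1
    # The reader must exist before the recorder opens the fifo for writing.
    while IFS= read -r line; do
        printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$line"
    done <"$fifo" >>"$log" &
    reader=$!
}

# Constructed stand-in for `script "$fifo"`: writes two lines, then dies from
# SIGKILL without a clean exit, like a session whose terminal was closed.
abrupt_session() {
    sh -c 'echo "\$ id"; echo "uid=1001(demo) gid=1001(demo)"; kill -9 $$' \
        >"$fifo" || true
}

# Run one capture end to end; the log path is left in $log.
capture_demo() {
    start_capture "$1" || return 1
    abrupt_session
    wait "$reader"        # the reader sees EOF once the last writer is gone
    rm -rf "$sessdir"
}

# Usage: capture_demo /path/to/existing/logdir && cat "$log"
```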


  • 6.  Re: Script to capture users activity

    Posted Wed March 17, 2010 09:37 AM

    Originally posted by: Casey_B


    I have always been one to support granular control of access to privileged accounts.
    (Not just root, but db user accounts, etc)

    I always supported logging all of those accesses, but it seems a bit over the top
    to want to watch every command run by a user.

    It seems that would create too many logs to review, and make it almost impossible
    to find inappropriate activity.

    Rather, if you are in a system where you are not able to trust users at all, then
    I think a better method to secure the system would be to approach the problem from the opposite direction:

    Provide them with a menu script that only allows a limited number of commands to be run.

    Just my opinion,
    Good luck in your task,
    Casey


  • 7.  Re: Script to capture users activity

    Posted Thu March 18, 2010 02:42 AM

    Originally posted by: bhimsingh


    Hi All ,

    Thanks for your valuable inputs, with which it is working as expected, but as Casey rightly said, it generates huge logs, which causes both a space issue and a problem in getting the right info. Is it possible to get only the commands run by the user using the same method (meaning script)? My objective is to record all the commands run by a user on any shell (ksh/bash), even when the user has switched to another user, like root or someone else.

    I tried it with the following code, but it works only until the user switches to another user.

    ================================================

    LOG='who am i '
    ME=$LOGNAME
    (date;echo $ME;$LOG)|xargs >>/var/adm/logged_in
    EDITOR=vi
    export EDITOR

    SUFF=`who am i | awk -F " " '{print $1"."$NF}'`
    TTY=`tty`
    export HISTTIMEFORMAT="%D%T - "
    HISTFILE=$HOME/.sh_history.$SUFF
    print -s "LOGIN - `date '+%m-%d-%e-%H:%M'` TTY=$TTY"
    HISTSIZE=4098
    export HISTFILE HISTSIZE
    export ENV=$HOME/.kshrc

    =========================================

    Thoughts pls

    Regards
    Bhim


  • 8.  Re: Script to capture users activity

    Posted Thu March 18, 2010 06:57 AM

    Originally posted by: MarkTaylor


    Setting HISTFILE as detailed above is a good way, but ultimately hackable, especially if they also have root access .. I have seen various methods of doing this .. sudosh is one way, and again hackable with root access unless you ship the logs off to another secure system in realtime .. another decent way is to have a gateway system which everyone logs into and then from there they log onto the other systems, and you lock this system down and capture all the output from their shell and console output etc .. i.e. you write a wrapper for the login shell etc ..

    HTH
    Mark Taylor


  • 9.  Re: Script to capture users activity

    Posted Mon March 22, 2010 09:36 AM

    Originally posted by: SystemAdmin


    I think it is a naïve approach to log commands entered at the shell.

    I regularly do things like

    vi /tmp/runthis
    sh /tmp/runthis

    If you are anywhere near serious about capturing user activity, look at the audit subsystem.


  • 10.  Re: Script to capture users activity

    Posted Thu March 25, 2010 05:54 AM

    Originally posted by: Jack_


    Hi All,
    I've tried in the past to send all the commands executed by the user to syslog.
    The performance degradation that it produced made me give up on the idea.
    You can give it a try and see if it works for you.
    Please take a look at this thread:
    https://www.ibm.com/developerworks/forums/click.jspa?searchID=-1&messageID=14289089


  • 11.  Re: Script to capture users activity

    Posted Fri March 26, 2010 11:25 AM

    Originally posted by: MarkTaylor


    You can capture all text returned to the user's console with sudosh, you can even replay it to see exactly what is going on .. you have to lock it down though, but it is ultimately doable .. Audit, although it has some pretty good benefits, is usually overkill for most companies ..

    Rgds
    Mark Taylor