How can you log every command someone has entered into the shell?
I’m asking on both the basis of protecting yourself if you are logged into someone else’s server and something breaks, or if someone else is logged into your server (either intentionally or maliciously).
Even a novice can bypass history with unset history or create a new shell to hide their tracks.
I’m curious how the senior Linux admins track what commands have been entered or what changes made to the system.
Answers:
Method 1
Check out auditd. If you add
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
to /etc/audit/audit.rules, every executed command will be logged. See: https://whmcr.com/2011/10/14/auditd-logging-all-commands/
Then send it to a syslog server.
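Once those rules are loaded, each execve shows up in /var/log/audit/audit.log as a group of records (SYSCALL, EXECVE, CWD) that share one serial number, and arguments containing spaces or quotes are hex-encoded. The normal tools for reading them are ausearch and aureport, but the small parser below, added here as an example and not part of the answer above, shows what a reviewer actually gets out of the log: the reconstructed command line, the working directory, and the login uid (auid), which is fixed at login and survives su or sudo, so it still names the person responsible even when the command ran as root. The log lines are constructed samples; the pids, uids, timestamps and serials are made up.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample in the format auditd writes to /var/log/audit/audit.log once the
# execve rules from the answer are loaded (pids, uids, timestamps and serials are made up).
# Each execve produces several records sharing one "msg=audit(<time>:<serial>)" header;
# the second command's a2 is hex-encoded because auditd does that for arguments
# containing spaces or quotes.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="ls" a1="-la" a2="/etc"
type=CWD msg=audit(1700000000.101:201): cwd="/home/alice"
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=1200 pid=1202 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key=(null)
type=EXECVE msg=audit(1700000000.205:202): argc=3 a0="bash" a1="-c" a2=756E736574204849535446494C45
type=CWD msg=audit(1700000000.205:202): cwd="/home/alice"
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UNSET_AUID = '4294967295'  # auid reported for processes that never went through a login


def decode_arg(raw):
    """Decode one EXECVE argument: strip the quotes, or undo auditd's hex encoding."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-F]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_audit_log(text):
    """Join the SYSCALL, EXECVE and CWD records by serial into one event per execve."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events[serial]
        ev.setdefault('time', float(ts))
        ev.setdefault('serial', int(serial))
        fields = dict(FIELD_RE.findall(body))
        if rtype == 'SYSCALL':
            for key in ('auid', 'uid', 'pid', 'ppid', 'tty', 'success'):
                ev[key] = fields.get(key)
            ev['exe'] = fields.get('exe', '').strip('"')
        elif rtype == 'EXECVE':
            argc = int(fields.get('argc', '0'))
            ev['argv'] = [decode_arg(fields.get(f'a{i}', '')) for i in range(argc)]
        elif rtype == 'CWD':
            ev['cwd'] = fields.get('cwd', '').strip('"')
    return sorted(events.values(), key=lambda e: (e['time'], e['serial']))


def command_line(ev):
    """Re-quote argv so the logged command reads unambiguously in a report."""
    return ' '.join(shlex.quote(a) for a in ev.get('argv', []))


def privilege_changes(events):
    """Events that ran under a uid other than the login uid (auid), e.g. after su or sudo.

    auid is set at login and is not changed by su/sudo, so it still identifies the
    human responsible when uid is 0."""
    return [ev for ev in events
            if ev.get('auid') not in (None, UNSET_AUID) and ev.get('uid') != ev.get('auid')]


if __name__ == '__main__':
    parsed = parse_audit_log(SAMPLE_AUDIT_LOG)
    for ev in parsed:
        print(f"{ev['time']:.3f} auid={ev['auid']} uid={ev['uid']} "
              f"cwd={ev.get('cwd')} exe={ev['exe']} cmd={command_line(ev)}")
    for ev in privilege_changes(parsed):
        print(f"login uid {ev['auid']} ran as uid {ev['uid']}: {command_line(ev)}")
```

The second sample event is the point of the thread: the command was run through `bash -c`, so it never touched any shell history file, yet the kernel-side execve record still carries the full argument list and the login uid. Because the log is written by the audit daemon rather than the user's shell, the only way for a logged-in user to stop it is to have root on the box, which is why the answer's last step (shipping the records to a separate syslog server) matters.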
Method 2
You can use the script command. This command is not included in POSIX, but you’ll find it useful to store in a file all keystrokes as well as output and error messages. You can later view the file. If you are doing some important work and wish to keep a log of all your activities, you should invoke this command immediately after you log in:
$ script
Script started, file is typescript
$ _      (note that this is another shell, a child of the login shell)
The prompt returns and all your keystrokes (including the one used to backspace) that you now enter here get recorded in the file ‘typescript’. After your recording is over, you can terminate the session by entering exit.
Note: If you enter script filename, the session will be stored in the file filename rather than typescript, i.e., typescript is the default if no specific filename is specified.
You can now use cat filename or cat typescript, whichever the case may be, to view the recorded session.
If you wish to append a new session to an old file use:
script -a      (appends the new session to typescript; the same default rule applies here too)
This is one way in which a system admin can keep track of the sessions. Hope it has been informative and useful. Cheers!
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.