How to capture all the commands typed in Unix/Linu

Published 2019-04-28 01:15

I would like to capture all the commands typed in Unix/Linux by any user. There are a few alternatives, like using the script command or the acct utility. But the problem with them is that they dump everything from the terminal to a file or just provide a summary of the commands. I am looking for a utility that will give me all the commands typed by any user, with the arguments for the commands. Is it possible? Are there any alternatives, like making a hook into system calls to get this?

Tags: linux shell unix
8 answers
萌系小妹纸
#2 · 2019-04-28 01:26

I know this is old, but I think the script command might be what he was looking for?

> script my_output_file
Script started, file is my_output_file

http://www-users.cs.umn.edu/~gini/1901-07s/files/script.html

我命由我不由天
#3 · 2019-04-28 01:26

You can use Snoopy Logger

What it is: A simple library that inserts itself between the process and the execv/e() syscalls by means of LD preloading. It logs all executed commands to syslog.

What it is not: A security/auditing solution - it can be easily circumvented. It does not log built-in shell commands (as they are internal and, when called, the shell does not create a new process - echo vs /bin/echo, for example).

Disclosure: current snoopy maintainer here.
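As an added illustration of the LD_PRELOAD approach described in that answer (example code written here, not Snoopy's own source): a minimal shim that interposes execve(), writes the uid, path and argv to syslog, then hands over to the real execve() found via RTLD_NEXT. The logger name "execlog" and the 4096-byte line buffer are this example's own choices.

```c
/* Added example: minimal LD_PRELOAD execve() logger (not Snoopy's code).
 * Build: gcc -shared -fPIC -o execlog.so execlog.c
 * Use:   LD_PRELOAD=/path/to/execlog.so some_command
 * Limits, as the answer notes: shell builtins never reach execve(), and
 * static or setuid binaries ignore LD_PRELOAD, so this is visibility, not
 * an audit control. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Join argv into one space-separated line for the log record.
 * Returns the number of characters written (excluding the NUL); the output
 * is truncated, but still NUL-terminated, when it does not fit in cap bytes. */
size_t format_cmdline(char *const argv[], char *buf, size_t cap)
{
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; argv != NULL && argv[i] != NULL; i++) {
        int n = snprintf(buf + used, cap - used, "%s%s", i ? " " : "", argv[i]);
        if (n < 0 || (size_t)n >= cap - used) {
            used = cap - 1;          /* buffer full: record is truncated */
            break;
        }
        used += (size_t)n;
    }
    return used;
}

/* Interposed execve(): log the request, then call libc's execve(). */
int execve(const char *path, char *const argv[], char *const envp[])
{
    typedef int (*execve_fn)(const char *, char *const[], char *const[]);
    static execve_fn real_execve = NULL;
    char line[4096];

    if (real_execve == NULL)
        *(void **)(&real_execve) = dlsym(RTLD_NEXT, "execve");

    format_cmdline(argv, line, sizeof line);
    openlog("execlog", LOG_PID, LOG_AUTH);
    syslog(LOG_INFO, "uid=%u exec path=%s argv=%s", (unsigned)getuid(), path, line);
    closelog();

    return real_execve(path, argv, envp);
}
```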

地球回转人心会变
#4 · 2019-04-28 01:27

Grab the bash source. Add a logger around the exec invocation. Compile it. Run this as your first command after logging in.

Everything else really wants root powers.

甜甜的少女心
#5 · 2019-04-28 01:29

For sporadic recording I usually run

ssh localhost | tee -a recorded-session.log

This works quite well.

在下西门庆
#6 · 2019-04-28 01:36

The easiest way to solve this, if you are root and in a position to change the system files, is to redirect the console itself this way:

If you use e.g. /bin/sh as default console, move it to /bin/hs and create a file like this under /bin/sh:

#!/bin/hs
# Wrapper installed as /bin/sh; the real shell has been moved to /bin/hs.

ORIGSHELL=/bin/hs
LOGFILE=/var/log/whatyoulike

OPTIONS="$@"

USER=`whoami`
WEBUSER=web
WILD=NO
WARN=NO

# Only the web user's shells are inspected; everyone else goes straight through.
if [ "$USER" = "$WEBUSER" ]
then

  #Ok then - are we doing something wild?
  for ARG in "$@"
  do
    case "$ARG" in
    *\/lynx)
      WILD=YES
      ;;
    *\/wget)
      WILD=YES
      WARN=YES
      ;;
    *\/curl)
      WILD=YES
      WARN=YES
      ;;
    *\/links)
      WILD=YES
      WARN=YES
      ;;
    *\/fetch)
      WILD=YES
      WARN=YES
      ;;
    esac
  done

  #Are we wild?
  if [ "$WILD" = "YES" ]
  then
    HOST=`hostname`
    # resolveip ships with MySQL; any host-to-IP lookup works here.
    IPADDR=`resolveip -s $HOST`
    # Established connections of the web user (netstat-style listing; the
    # command path is the author's own).
    NETSTAT=`/usr/bin/nighthawk -ape --numeric-hosts --numeric-ports --tcp | grep 'ESTABLISHED web'`

    # Log it.
    echo "`date` [$USER] $IPADDR $*" >> "$LOGFILE"
    echo "$NETSTAT" >> "$LOGFILE"
  fi
  #Are we REALLY wild?
  if [ "$WARN" = "YES" ]
  then
    # Mail it!
    mail -s 'HACKATTACK' youremail@domain.com < "$LOGFILE" &
  fi
fi

# Now, do it: replace this wrapper with the real shell and the original arguments.
exec "$ORIGSHELL" "$@"

#we never come here...
exit 0

This is just an example of how it can be used to track everything transparently. You can do what you want to check the input. The script above is even used to find the originator of the current shell, so you can react to it. Of course the above case checks are not the ones we really use ;) - but a good sample.

Hope it helps, Jimmy

姐就是有狂的资本
#7 · 2019-04-28 01:42

There are options like enabling audit, tty recording, hacks and free tools to do what you want; however, depending on the scale of the environment you are trying to control, you may be better off using both Audit and products focused on dealing with the challenge you want to tackle. Some quite popular ones, used at a few financial services clients, are Observe-IT, Centrify and PowerBroker.

Hope this helps
