How to capture all the commands typed in Unix/Linux by any user?

I would like to capture all the commands typed in Unix/Linux by any user. There are few alternatives like using the script command or the acct utility. But the problem with them is they dump everything from the terminal to a file or just provide a summary of the commands. I am looking for a utility that will provide me all the commands typed by any user, with the arguments for the commands. Is it possible? Are there any alternatives, like making a hook into system calls, to get this?

I know this is old, but I think the script command might be what he was looking for?

> script my_output_file
Script started, file is my_output_file

http://www-users.cs.umn.edu/~gini/1901-07s/files/script.html

There seems to be quite a good article on shell auditing at http://administratosphere.wordpress.com/2011/05/20/logging-every-shell-command/ .

This considers things like reliability of user history files (and provides info on improving that), but also discusses explicit auditing features built into shells. It may be that whatever environment you're using doesn't have the shells compiled with auditing features enabled, but if you have the source and configuration for your builds available (as you would do at least for any Linux distribution), it shouldn't be too hard to enable the auditing feature while keeping the rest of the configuration as it is in the default distribution.

What this approach still would leave open is the commands executed through some other command - or operating system functionality called from within some program. So, f.ex. if you have perl, or any other programming language interpreter available on the machine, while you possibly can audit the execution of perl, you cannot tell what the user had told the perl interpreter to do. On the other hand, even with shell auditing, I'm not certain whether the perl execution would be seen if it was executed f.ex. from within some editor (like vi) as a filter to process whatever had been written within the editor.

So, while shell auditing will provide you one layer of auditing, the gain is not that great unless your environment is really tightened against other paths of execution than the shell.

You should consider whether the users to be audited actually need shell access - and if not, provide them with something more limited, with auditing capabilities. A small text-based menu system, perhaps?

You can use Snoopy Logger

What it is: A simple library that inserts itself between the process and the execv/e() syscalls by means of LD preloading. It logs all executed commands to syslog.

What it is not: A security/auditing solution - it can be easily circumvented. It does not log built-in shell commands (as they are internal and, when called, the shell does not create a new process - echo vs /bin/echo for example).

Disclosure: current snoopy maintainer here.
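The shell-side auditing the article answer above refers to, and the builtin caveat the Snoopy answer makes, can both be seen in one small script. This is an added example, not code from the question, from the linked article or from Snoopy; the function names audit_hook_file, audit_run and audit_count and the CMD_AUDIT_LOG variable are hypothetical. It installs a bash DEBUG trap, which bash fires before every simple command with the command text in $BASH_COMMAND, so builtins such as cd and echo are recorded as well as external programs.

```shell
#!/bin/sh
# Added example with hypothetical helper names; not the question's, the
# article's or Snoopy's code.

# Write a bash startup file that installs a DEBUG trap. bash runs the trap
# before every simple command, with the command text in $BASH_COMMAND, so
# builtins such as cd or echo are recorded too (an execve()-level hook like
# Snoopy never sees them). The trap body is single-quoted so that nothing is
# expanded until the trap actually fires; command substitutions inside it run
# in subshells, which do not inherit the DEBUG trap, so it cannot recurse.
audit_hook_file() {
  hook=$(mktemp) || return 1
  cat > "$hook" <<'EOF'
trap 'printf "%s user=%s pid=%s cwd=%s cmd=%s\n" "$(date +%FT%T)" "$(id -un)" "$$" "$PWD" "$BASH_COMMAND" >> "$CMD_AUDIT_LOG"' DEBUG
EOF
  printf '%s\n' "$hook"
}

# Run a command line under bash with the hook loaded via BASH_ENV (the file a
# non-interactive bash sources at startup) and append one log line per command
# to the given file. Returns the exit status of the audited command line.
audit_run() {
  log=$1
  cmdline=$2
  hook=$(audit_hook_file) || return 1
  CMD_AUDIT_LOG=$log BASH_ENV=$hook bash -c "$cmdline"
  status=$?
  rm -f "$hook"
  return $status
}

# How many recorded commands match the given text (used to check the log).
audit_count() {
  grep -c "cmd=$2" "$1"
}

# Stand-alone demo: ./audit.sh --demo prints the log for a short command line.
if [ "${1:-}" = "--demo" ]; then
  demo_log=$(mktemp)
  audit_run "$demo_log" 'cd /tmp; echo hello; /bin/true'
  cat "$demo_log"
  rm -f "$demo_log"
fi
```

In a real deployment the trap line would live in /etc/bash.bashrc or /etc/profile.d and write through logger(1) to syslog rather than to a file the user can edit. Note what this does and does not give you: it records builtins, which the execve()-level approach misses, but like any mechanism that runs inside the user's own shell it can be removed by that user or sidestepped by starting a different shell, so it is a convenience log for troubleshooting, not the tamper-resistant audit trail that kernel-level auditing or a restricted environment provides.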

Grab the bash source. Add a logger around the exec invocation. Compile it. Run this as your first command after logging in.

Everything else really wants root powers.

Grab /home/victim/.bash_history or /home/victim/.config/fish/fish_history

These will let you see all bash and fish shell commands, with args, that were entered by the user.

There is enabling audit, tty recording, hacks and free tools to do what you want; however, depending on the scale of the environment you are trying to control, you may be better off using both Audit and products focused on dealing with the challenge you want to tackle. Some quite popular ones, used on a few financial services clients, are Observe-IT, Centrify and PowerBroker.

Hope this helps

For sporadic recording I usually run

ssh localhost | tee -a recorded-session.log

This works quite well.

The easiest way to solve this, if you are root and in a position to change the system files, is to redirect the console itself this way:

If you use e.g. /bin/sh as the default console, move it to /bin/hs and create a file like this under /bin/sh:

#!/bin/hs

# Wrapper installed as /bin/sh: inspect and log what the user is about to
# run, then hand over to the real shell, which was moved to /bin/hs.
ORIGSHELL=/bin/hs
LOGFILE=/var/log/whatyoulike

OPTIONS="$@"

USER=`whoami`
WEBUSER=web
WILD=NO
WARN=NO

# Only the web user is watched here; everyone else goes straight to the shell.
if [ "$USER" = "$WEBUSER" ]
then

  #Ok then - are we doing something wild?
  for ARG in $@
  do
    case "$ARG" in
    *\/lynx)
      WILD=YES
      ;;
    *\/wget)
      WILD=YES
      WARN=YES
      ;;
    *\/curl)
      WILD=YES
      WARN=YES
      ;;
    *\/links)
      WILD=YES
      WARN=YES
      ;;
    *\/fetch)
      WILD=YES
      WARN=YES
      ;;
    esac
  done

  #Are we wild?
  if [ "$WILD" = "YES" ]
  then
    HOST=`hostname`
    IPADDR=`resolveip -s $HOST`
    NETSTAT=`/usr/bin/nighthawk -ape --numeric-hosts --numeric-ports --tcp | grep 'ESTABLISHED web'`

    # Log it: timestamp, user, address, full command line, then the
    # established connections of the web user at that moment.
    echo "`date` [$USER] $IPADDR $*" >> $LOGFILE
    echo "$NETSTAT" >> $LOGFILE
  fi
  #Are we REALLY wild?
  if [ "$WARN" = "YES" ]
  then
    # Mail it!
    mail -s 'HACKATTACK' youremail@domain.com < $LOGFILE &
  fi
fi

# Now, do it: replace this wrapper with the real shell, passing the original
# arguments through unchanged.
exec $ORIGSHELL "$@"

#we never come here...
exit 0

This is just an example of how it can be used to track everything transparently. You can do what you want to check the input. The script above is also used to find the originator of the current shell, so you can react to it. Of course the above case checks are not the ones we really use ;) - but a good sample.

Hope it helps, Jimmy
