Need to capture the commands fired on Linux

Question

I would like to capture all the commands fired by a user in a session. This is needed for the purpose of auditing.

I used some thing like below,

LoggedIn=`date +"%B-%d-%Y-%M:%H"`
HostName=`hostname`
UNIX_USER=`who am i | cut -d " " -f 1`
echo " Please enter a Change Request Number for which you are looging in : "
read CR_NUMBER
FileName=$HostName-$LoggedIn-$CR_NUMBER-$UNIX_USER
script $FileName

I have put this snippet in .profile file, so that as soon as the user logs in to a SU account this creates the file. The plan is to push this file to a central repository where an auditor can look into those files.

But there are couple of problems in this.

1. The "script" command spools all the data from the session, for example say, a user cats a property file, It appends all the data of the property file to the auditing file.

2. Unless user fires the 'exit' command, the data will not be spooled to auditing file, by any chance if user logs out with out firing exit command, the auditing file will be empty.

Is there any better solution for auditing ? History file is not an option since it does not tell me for which Change Request number ( internal to my organisation) the commands are fired. Is there any other way just capture only the commands fired but not the output ?

Some of the previous discussion are here and here

Answer 1

I think this software exactly matches your need:

• https://github.com/a2o/snoopy