Log terminal commands and outputs quietly
There are many ways to snoop on what someone does in an open terminal (TTY) session. This is just a quick tip, and it requires the terminal to be open already. It was initially suggested in the Linux Users Group by Venu, and Jeremiah Bess then decided to put it into practice. Trying to help Jeremiah out, I reminded him of the “script” command that Venu had mentioned. Here’s what all the fuss is about.
You have an open terminal. Somebody might come in and use it while you are away. You can use the “script” command to leave a “booby trap” that captures all the commands entered as well as their output.
user@linux:~> script -a booby.log
Script started, file is booby.log
user@linux:~>
When you come back, you can turn off logging by typing:
user@linux:~> exit
Script done, file is booby.log
user@linux:~>
However, this is quite noisy: “script” announces when it starts and stops, and names the file it is logging to. Jeremiah wanted to prevent “script” from displaying these notifications. It was also not obvious to me at first and I was obviously careless. A friend of mine, Sir Botp, suggested using the “-q” switch. I rechecked the man page of “script” and indeed there it was! Thanks to Sir Botp’s common sense and my carelessness (hehe), we can now keep “script” quiet.
user@linux:~> script -a -q booby.log
user@linux:~>
… (script is now logging silently. our unwitting user doesn’t know.) …
user@linux:~> exit
user@linux:~>
There are other ways to achieve this, some perhaps more efficient than “script”. One method may give me a “nose-bleed”: it uses strace to actively monitor processes by PID. You can find the discussions over at Insecure.org, plus a Perl script that you can use to parse the strace log.
Another method is to use “screen”. It works pretty much like “script”, and perhaps does even more. J.P. Vossen discussed this on the Philadelphia Linux Users Group (PLUG) mailing list.
It’s not as sophisticated as keyloggers or strace, but it might do the trick. One caveat, though: if the user is in a vi session, you might end up with garbled data for that specific session. Once the user exits vi, everything’s OK again. Also, “script” cannot handle nested logging the way “screen” can: you can call “screen” within an actively logging “screen” session.
Regardless, “script” provides a very basic logging tool.
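The garbling mentioned above comes from terminal control sequences, which “script” records byte for byte. As an added example (not part of the original post), here is a small Python filter that makes such a log readable when you review it; the sample bytes and the function names are constructed for illustration.

```python
import re

ERASE = "\x00"  # internal marker standing in for "erase to end of line"
ESCAPES = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: colours, cursor moves, clears
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: window-title updates
    r"|\x1b[()][0-9A-Za-z]"                # character-set selection
    r"|\x1b[0-Z\\^_]"                      # remaining two-byte escapes
)

def render_line(raw):
    """Replay one line the way a terminal would display it."""
    cells, col = [], 0
    for ch in raw:
        if ch == "\b":
            col = max(col - 1, 0)
        elif ch == "\r":
            col = 0
        elif ch == ERASE:
            del cells[col:]
        elif ch < " " and ch != "\t":
            continue                       # bell, stray ESC, other controls
        else:
            cells[col:col + 1] = [ch]      # overwrite or append at the cursor
            col += 1
    return "".join(cells).rstrip()

def clean_typescript(data):
    """Turn the raw bytes of a script(1) log into readable lines."""
    text = data.decode("utf-8", errors="replace")
    text = re.sub(r"\x1b\[0?K", ERASE, text)   # keep line erases, as a marker
    text = ESCAPES.sub("", text)
    lines = [render_line(line) for line in text.split("\n")]
    banners = ("Script started on", "Script done on")  # written by script itself
    return [line for line in lines if line and not line.startswith(banners)]

# Constructed sample: a typo fixed with backspace, coloured ls output,
# and a window-title update in front of a prompt.
SAMPLE = (
    b"Script started on Mon Jan  1 00:00:00 2024\n"
    b"user@linux:~> lss\x08\x1b[K -l\r\n"
    b"\x1b[01;34mdocs\x1b[0m  notes.txt\r\n"
    b"\x1b]0;user@linux:~\x07user@linux:~> whoami\r\n"
    b"user\r\n"
    b"user@linux:~> exit\r\n"
    b"\nScript done on Mon Jan  1 00:01:00 2024\n"
)

if __name__ == "__main__":
    print("\n".join(clean_typescript(SAMPLE)))
```

Full-screen programs such as vi place text with cursor-addressing sequences, so their text comes out free of control noise but not necessarily in screen order.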







