[clug-talk] logging users sessions

smagnuson at forzani.com smagnuson at forzani.com
Thu Mar 17 15:01:01 PST 2005


Looks like we have found a tool that will work for logging user CLI sessions.  Thought I would share what we have done so far.

Our requirements:
Cross platform capable
Works with ssh (no X access)
Any command they type gets echoed to something like /var/log/......
We don't want this to be optional
We want this to work with multiple shells (sh, bash, ksh, etc)
The more transparent the better

http://people.consol.de/~lausser/rootsh/rootsh.html

We compiled this and installed it.

cat /etc/profile
...
...
# If the uid is not 0, 10 or 300, run the logger script.
# case is used instead of [[ ]] so the test also works when /etc/profile is read by plain sh.
case "`id -u`" in
        0|10|300) ;;
        *)
                /usr/local/sbin/logger
                exit
                ;;
esac

cat /usr/local/sbin/logger
#!/usr/local/bin/bash

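# Look up the login name and that user's login shell (last field of /etc/passwd).
USER=`id -u -n`
# Anchor the match so that e.g. "bob" does not also match "bobby".
SHELL=`grep "^${USER}:" /etc/passwd | sed 's/.*://'`
DATE=`date '+%Y%m%d.%H%M%S'`
HOST=`hostname`
LOGPATH="/unix_data/log/rootfs"

# Pick the per-user profile that matches the login shell.
if [[ $SHELL == "/usr/local/bin/bash" ]]
then
  PROFILE="${HOME}/.bash_profile"
elif [[ $SHELL == "/usr/bin/ksh" ]]
then
  PROFILE="${HOME}/.profile"
fi

# One log file per login; rootsh starts the user's shell, sourcing the profile first if it exists.
if [ -e "${PROFILE}" ]
then
  /usr/local/bin/rootsh -f "$LOGPATH/$DATE.$HOST.$USER.script" --no-syslog -- ". $PROFILE; $SHELL"
else
  /usr/local/bin/rootsh -f "$LOGPATH/$DATE.$HOST.$USER.script" --no-syslog -- "$SHELL"
fi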


We are still testing it.  We have had it running for about 5 days on an AIX host and a Linux host.  Each login generates a new log file.  When they log out, rootsh attaches a .closed to the end of the log file.  This makes for easier log rotations.

sig




-----Original Message-----
From: clug-talk-bounces at clug.ca [mailto:clug-talk-bounces at clug.ca]On
Behalf Of Magnuson, Sig
Sent: Wednesday, March 09, 2005 11:17 AM
To: clug-talk at clug.ca
Subject: [clug-talk] logging users sessions



I'm looking for a means to log user sessions.  Does anyone have any experience with this?  What software did you use to do it?

user ssh's in
any command they type gets echoed to something like /var/log/......
I don't want this to be optional
I want this to work with multiple shells (sh, bash, ksh, etc)

thanks
sig


Found the following but have yet to look at them in more detail.
http://people.consol.de/~lausser/rootsh/rootsh.html
http://sudosh.sourceforge.net/
http://www.egbok.com/sudoscript/
http://foosh.sourceforge.net/
http://e133.enemy.cx/xSH-paranoia/
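
The message above notes that rootsh appends .closed to a session log at logout, which makes rotation easier. The following is an added example (not part of the original post and not part of rootsh) that archives only the closed logs and lists sessions still open; it assumes the DATE.HOST.USER.script naming from the logger script, and the function names and directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example: archive finished rootsh session logs, leave live ones alone.
# Assumes the naming from the message: DATE.HOST.USER.script, with ".closed"
# appended at logout. Function names and directory arguments are hypothetical.

# archive_closed_sessions LOGDIR ARCHIVEDIR
# Compresses every *.script.closed file into ARCHIVEDIR/YYYYMM/ and prints
# the number of sessions archived. Files without ".closed" are never touched.
archive_closed_sessions() {
    logdir=$1
    archive=$2
    count=0
    for f in "$logdir"/*.script.closed; do
        [ -f "$f" ] || continue          # glob matched nothing
        [ -L "$f" ] && continue          # never follow symlinks in a log dir
        name=${f##*/}
        month=$(printf '%s' "$name" | cut -c1-6)   # YYYYMM from the DATE prefix
        case $month in
            [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) month=unknown ;;          # unexpected name: keep it, but apart
        esac
        mkdir -p "$archive/$month" || return 1
        # Compress to a temp name first so a partial file is never mistaken
        # for a complete archive, then remove the original.
        gzip -c "$f" > "$archive/$month/$name.gz.tmp" &&
            mv "$archive/$month/$name.gz.tmp" "$archive/$month/$name.gz" &&
            rm -f "$f" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# open_sessions LOGDIR
# Prints the log names of sessions that are still running (no ".closed" yet).
open_sessions() {
    for f in "$1"/*.script; do
        [ -f "$f" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}
```

Run from cron as a user that can write to both directories; an entry that stays in the open_sessions output long after the user has gone is a session that did not end through a normal logout.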


