I would like to capture all the commands typed in Unix/Linux by any user. There are a few alternatives, like using the script command or the acct utility. But the problem with them is that they dump everything from the terminal to a file or just provide a summary of the commands. I am looking for a utility that will provide me all the commands typed by any user, with the arguments for the commands. Is it possible? Are there any alternatives, like making a hook into system calls to get this?
Answer
There seems to be quite a good article on shell auditing at http://administratosphere.wordpress.com/2011/05/20/logging-every-shell-command/ .
This considers things like the reliability of user history files (and provides info on improving that), but also discusses explicit auditing features built into shells. It may be that whatever environment you’re using doesn’t have the shells compiled with auditing features enabled, but if you have the source and configuration for your builds available (as you would do at least for any Linux distribution), it shouldn’t be too hard to enable the auditing feature while keeping the rest of the configuration as it is in the default distribution.
What this approach would still leave open is the commands executed through some other command – or operating system functionality called from within some program. So, e.g. if you have perl, or any other programming language interpreter, available on the machine, while you possibly can audit the execution of perl, you cannot tell what the user told the perl interpreter to do. On the other hand, even with shell auditing, I’m not certain whether the perl execution would be seen if it was executed e.g. from within some editor (like vi) as a filter to process whatever had been written within the editor.
So, while shell auditing will provide you with one layer of auditing, the gain is not that great unless your environment is really tightened against paths of execution other than the shell.
You should consider whether the users to be audited actually need shell access – and if not, provide them with something more limited, with auditing capabilities. A small text-based menu system, perhaps?
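As an added illustration of the last suggestion (example code, not part of the original answer or of any project): a minimal restricted text menu that records every selection, with its arguments, to an audit log before running a fixed command. The log path, the command set and the log line format are assumptions.

```shell
#!/bin/sh
# Added example: a restricted menu for users who do not need a real shell.
# Each choice is written to the audit log with its argument, then mapped to a
# fixed command. Arguments are passed literally (no eval), so a user cannot
# turn an argument into an extra command.

AUDIT_LOG="${AUDIT_LOG:-/tmp/menu-audit.log}"   # assumed log location

# Append one line per action: timestamp, user, tty, action name, argument.
audit_log() {
    t=$(tty 2>/dev/null) || t=notty
    printf '%s user=%s tty=%s action=%s args=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$t" "$1" "$2" >> "$AUDIT_LOG"
}

# Map a menu choice to one allowed command. Returns non-zero for anything
# outside the menu, after logging the attempt.
run_choice() {
    choice="$1"; arg="$2"
    case "$choice" in
        1) audit_log "disk_usage" "$arg"; df -h -- "${arg:-/}" ;;
        2) audit_log "list_dir" "$arg"; ls -l -- "${arg:-.}" ;;
        3) audit_log "logout" "";      return 0 ;;
        *) audit_log "invalid_choice" "$choice $arg"
           echo "unknown choice: $choice" >&2; return 1 ;;
    esac
}

# Interactive loop; only entered when started with --run on a terminal.
menu_loop() {
    while [ -t 0 ]; do
        printf '1) disk usage  2) list directory  3) logout\nchoice [arg]: '
        read -r c a || break
        run_choice "$c" "$a"
        [ "$c" = 3 ] && break
    done
}

[ "${1:-}" = "--run" ] && menu_loop
```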