Skip to content
Advertisement

common profile to record ssh sessions

I need to be able to record all ssh sessions on my server. After fumbling around with pam.d auditd, I found this enter link description here. And it looks to be working pretty well. However, when you “clear” the screen, your session log gets wiped as well. Is is possible to open a new log file when this happens?

Here is the code it is asking to put in the /etc/profile file.

# Record terminal sessions.
if [ "x$SESSION_RECORD" = "x" ]
then
timestamp=`date "+%m%d%Y%H%M"`
output=/var/log/session/session.$USER.$$.$timestamp
SESSION_RECORD=started
export SESSION_RECORD
script -t -f -q 2>${output}.timing $output
exit
fi

Advertisement

Answer

script isn’t really designed for that use case. From the man page:

Script works best with commands that do not manipulate the screen, the results are meant to emulate a hardcopy terminal.

This is incorrect, however:

when you “clear” the screen, your session log gets wiped as well.

Every character that is input or output is added to the log file, including the terminal codes which clear uses to clear the screen. If you do a cat -v /var/log/session/session... to show all non-printing characters, you will see all of the commands listed.

User contributions licensed under: CC BY-SA
5 People found this is helpful
Advertisement