I need to be able to record all ssh sessions on my server. After fumbling around with pam.d auditd, I found this enter link description here. And it looks to be working pretty well. However, when you “clear” the screen, your session log gets wiped as well. Is it possible to open a new log file when this happens?
Here is the code it is asking to put in the /etc/profile file.
    # Record terminal sessions.
    if [ "x$SESSION_RECORD" = "x" ]
    then
        timestamp=`date "+%m%d%Y%H%M"`
        output=/var/log/session/session.$USER.$$.$timestamp
        SESSION_RECORD=started
        export SESSION_RECORD
        script -t -f -q 2>${output}.timing $output
        exit
    fi
Answer
script isn’t really designed for that use case. From the man page:
Script works best with commands that do not manipulate the screen, the results are meant to emulate a hardcopy terminal.
This is incorrect, however:
when you “clear” the screen, your session log gets wiped as well.
Every character that is input or output is added to the log file, including the terminal codes which clear uses to clear the screen. If you do a cat -v /var/log/session/session... to show all non-printing characters, you will see all of the commands listed.
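Because the log keeps every byte, the recorded clear-screen codes can be used as cut points when reviewing it. The following is an added example, not part of the original question or answer: it splits a typescript into one file per screen. It assumes an xterm-style terminal, where clear emits ESC[H ESC[2J (plus ESC[3J with newer ncurses); the function names and the sample log are constructed for illustration.

```sh
#!/bin/sh
# Added example: split a `script` typescript at each recorded erase-display
# code, so every "screen" of the session can be reviewed as its own file.
# Assumption: xterm-style codes, i.e. `clear` emits ESC[H ESC[2J (ESC[3J too
# on newer ncurses). Other terminal types may use different sequences.

# count_clears LOG -> prints how many ESC[2J sequences LOG contains.
count_clears() {
    awk 'BEGIN { clr = "\033\\[2J" }
         { n += gsub(clr, "") }
         END { print n + 0 }' "$1"
}

# split_on_clear LOG PREFIX -> writes PREFIX.0, PREFIX.1, ... and prints
# the number of segment files written.
split_on_clear() {
    awk -v prefix="$2" '
        BEGIN { clr = "\033\\[2J"; strip = "\033\\[(H|3J)"; n = 0 }
        {
            line = $0
            gsub(strip, "", line)           # drop cursor-home / erase-scrollback
            k = split(line, part, clr)      # cut the line at each erase-display
            if (k == 0) { k = 1; part[1] = "" }   # keep empty lines
            for (i = 1; i <= k; i++) {
                if (i > 1) { close(prefix "." n); n++ }   # start next segment
                print part[i] > (prefix "." n)
            }
        }
        END { print (NR ? n + 1 : 0) }
    ' "$1"
}

# make_sample LOG -> writes a constructed typescript: two commands separated
# by the bytes `clear` sends to an xterm.
make_sample() {
    printf '$ whoami\r\nalice\r\n$ clear\r\n\033[H\033[2J\033[3J$ uptime\r\n up 3 days\r\n' > "$1"
}

# Usage: sh split_session.sh /var/log/session/<logfile> /tmp/review/seg
if [ "$#" -eq 2 ]; then
    split_on_clear "$1" "$2"
fi
```

The original log is left untouched, so the timing file recorded alongside it still matches it.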