How to record/save all user terminal activity automatically

As a server administrator you may need to record all user terminal activity, so that you can check what happened and identify the problem if something goes wrong on the server.

This can be done easily with the script command, by adding the snippet below to the common profile file at /etc/profile. The process is then fully automatic: whenever a user logs in to the server, recording starts and all of that user's terminal activity is saved.

1) Is the script command installed on the server?

Use the command below to find out whether the package is installed.

root@cpanel [~]# yum list installed | grep util-linux-ng
util-linux-ng.x86_64 2.17.2-12.24.el6

The output shows that the package providing script is already installed on the server.

2) How to find the common profile file?

Use the command below to find the common profile file.

find / -name "profile"
/usr/share/cagefs/etc/profile
/usr/local/rvglobalsoft/rvsubversion/profile

The common profile is located at /etc/profile.

3) How to add the script to the /etc/profile file?

Open the /etc/profile file in your favourite text editor and add the code below. Make sure the output location already exists; if it does not, create it. It should have full permissions (like 777) so that every user's activity can be written.

nano /usr/share/cagefs/etc/profile

You can add the code below at the end of the file:

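# Record terminal sessions.
# SESSION_RECORD is exported so the shell started by script does not record again.
if [ "x$SESSION_RECORD" = "x" ]
then
    # Minute-resolution timestamp; the shell PID ($$) keeps file names distinct.
    timestamp=$(date "+%m%d%Y%H%M")
    output="/var/log/session/session.$USER.$$.$timestamp"
    SESSION_RECORD=started
    export SESSION_RECORD
    # -t writes timing data to stderr, -f flushes after each write, -q is quiet.
    script -t -f -q 2>"${output}.timing" "$output"
    # End the login shell when the recorded session ends.
    exit
fi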

4) Create the directory

Now I'm going to create a folder called session under /var/log, so that all activity is recorded in the session directory.

mkdir /var/log/session

root@cpanel11-nl [/var/log]# ls -l
total 518372
drwxr-xr-x 12 root root 4096 Aug 19 08:50 ./
drwxr-xr-x 27 root root 4096 Aug 16 02:18 ../
-rw------- 1 root root 14309 Mar 7 2015 anaconda.ifcfg.log
-rw------- 1 root root 35534 Mar 7 2015 anaconda.log
-rw------- 1 root root 188562 Mar 7 2015 anaconda.program.log
-rw------- 1 root root 171850 Mar 7 2015 anaconda.storage.log
-rw------- 1 root root 98626 Mar 7 2015 anaconda.syslog
-rw------- 1 root root 80808 Mar 7 2015 anaconda.xlog
-rw------- 1 root root 159817 Mar 7 2015 anaconda.yum.log
drwxr-x--- 2 root root 4096 Aug 18 21:39 audit/
drwxr-xr-x 4 root wheel 4096 Jul 25 16:46 bandwidth/
-rw-r--r-- 2 root root 13111 Jul 7 04:14 boot.log
-rw------- 1 root utmp 5376 Aug 12 13:10 btmp
-rw------- 1 root utmp 2688 Jul 18 02:01 btmp-20160801
-rw-r--r-- 1 root root 22528 Aug 19 07:54 cagefs.log
-rw-r--r-- 1 root root 23135 Jan 1 2016 cagefs.log-20160101
-rw-r--r-- 1 root root 24736 Feb 1 2016 cagefs.log-20160201
-rw-r--r-- 1 root root 27158 Mar 1 08:13 cagefs.log-20160301
-rw-r--r-- 1 root root 18835 Apr 1 09:37 cagefs.log-20160401
-rw-r--r-- 1 root root 28644 May 1 08:13 cagefs.log-20160501
-rw-r--r-- 1 root root 31271 Jun 1 08:17 cagefs.log-20160601
-rw-r--r-- 1 root root 35434 Jun 30 23:41 cagefs.log-20160701
-rw-r--r-- 1 root root 26223 Aug 1 02:17 cagefs.log-20160801
-rw-r--r-- 1 root root 5890 Aug 19 06:03 cagefs-update.log
-rw------- 1 root root 312545869 Aug 19 08:52 chkservd.log
-rw------- 1 clamav clamav 392439 Aug 19 02:11 clam-update.log
-rw-r--r-- 1 root root 18447 Mar 7 2015 cldeploy.log
-rw------- 1 root root 13315853 Jul 24 03:15 maillog-20160724
-rw------- 1 root root 12868372 Jul 31 03:25 maillog-20160731
-rw------- 1 root root 12285833 Aug 7 03:35 maillog-20160807
-rw------- 1 root root 12446233 Aug 14 03:33 maillog-20160814
-rw------- 1 root root 9465513 Aug 19 08:52 messages
-rw------- 1 root root 15276153 Jul 24 03:15 messages-20160724
-rw------- 1 root root 15525716 Jul 31 03:25 messages-20160731
-rw------- 1 root root 43212485 Aug 7 03:35 messages-20160807
-rw------- 1 root root 15914235 Aug 14 03:33 messages-20160814
drwxr-xr-x 2 munin munin 4096 Oct 23 2015 munin/
-rw-r--r-- 1 root root 0 Nov 18 2015 nscd.log
-rw------- 1 root root 71871 Mar 8 2015 quota_enable.log
drwxr-xr-x 2 root root 4096 Aug 14 03:33 rkhunter/
-rw-r--r-- 1 root root 0 Aug 4 2015 rkhunter.log
drwxr-xr-x 2 root root 4096 Aug 19 00:00 sa/
-rw------- 1 root root 20456 Aug 19 08:48 secure
-rw------- 1 root root 16213 Jul 24 03:15 secure-20160724
-rw------- 1 root root 16342 Jul 31 03:25 secure-20160731
-rw------- 1 root root 46039 Aug 7 03:35 secure-20160807
-rw------- 1 root root 31438 Aug 14 03:33 secure-20160814
drwxr-xr-x 2 root root 4096 Aug 19 08:50 session/
-rw------- 1 root root 0 Aug 14 03:33 spooler

The above output shows that the session directory has been created under /var/log. By default, new folders have only 755 permissions.

5) Change the directory permission from 755 to 777

Now I'm going to change the directory permission from 755 to 777, so that all users can write their activity to the session directory.

6) Log in as another user and do some activity in the terminal

Now I'm going to log in and do some activity in the terminal to check whether it is working properly.

login as: sarawhite
[email protected]'s password:
Last login: Fri Aug 19 07:10:39 2016 from 103.8.113.180
[email protected] [~]# w
08:57:36 up 43 days, 4:44, 5 users, load average: 1.20, 0.91, 0.84
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
sarawhit pts/0 119.153.141.59 05:21 2:01 0.01s 0.01s -bash
sarawhit pts/1 103.8.113.180 07:08 1:48m 0.01s 0.01s -bash
sarawhit pts/2 119.153.141.59 08:57 0.00s 0.00s 0.00s w

7) Check whether the session has been recorded

Now I'm going to check whether the session was recorded under /var/log/session.

root@cpanel [/var/log/session]# ls -la
total 150
-rw-rw-r--. 1 sarawhit sarawhit 81 Aug 18 12:34 session.sarawhit.25769.021420141234
-rw-rw-r--. 1 sarawhit sarawhit 12 Aug 18 12:34 session.sarawhit.25769.021420141234.timing
-rw-rw-r--. 1 sarawhit sarawhit 690 Aug 17 15:36 session.sarawhit.28250.021520141536
-rw-rw-r--. 1 sarawhit sarawhit 72 Feb 15 15:36 session.sarawhit.28250.021520141536.timing

The output shows that all of the user's terminal activity has been recorded.

8) Check the recorded session data

Now I'm going to check the recorded session of the sarawhit user to see whether it captured the data.

root@cpanel [/var/log/session]# cat session.sarawhit.25769.021420141234
Script started on Fri 18 Feb 2014 15:36:31 IST
sarawhit@cpanel [~]# w
15:36:33 up 18 days, 1:30, 5 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
sarawhit pts/0 219.91.219.14 14:48 22:18 0.01s 0.01s -bash

The output shows that the sarawhit user's activity was recorded properly.
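
The audit function below is an added example, not part of the original article. It checks a session directory set up as in steps 3 to 5 for the weaknesses that come with a 777 directory of user-owned files: recordings that any user can delete or list, and file names that claim a user other than the file's owner. The function name and the finding labels are made up for this example, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the article): audit a session directory that uses
# the article's naming scheme  session.<user>.<pid>.<timestamp>[.timing]
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
# Assumes GNU stat (coreutils); function name and labels are hypothetical.
audit_session_dir() {
    dir=$1
    flagged=0
    mode=$(stat -c '%a' "$dir") || return 2
    # World-writable without the sticky bit: any user may delete or rename
    # another user's recording, because removal is governed by the directory.
    if [ $(( 0$mode & 0002 )) -ne 0 ] && [ $(( 0$mode & 01000 )) -eq 0 ]; then
        echo "DIR_WORLD_WRITABLE_NO_STICKY $dir mode=$mode"
        flagged=1
    fi
    # World-readable directory: every user can list who logged in and when.
    if [ $(( 0$mode & 0004 )) -ne 0 ]; then
        echo "DIR_WORLD_LISTABLE $dir mode=$mode"
        flagged=1
    fi
    for f in "$dir"/session.*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        rest=${name#session.}
        rest=${rest%.timing}
        rest=${rest%.*}        # drop the timestamp
        claimed=${rest%.*}     # drop the PID, leaving the user name
        owner=$(stat -c '%U' "$f")
        fmode=$(stat -c '%a' "$f")
        # The name is chosen by the writer, so it can claim any user;
        # file ownership is what the kernel actually recorded.
        if [ "$owner" != "$claimed" ]; then
            echo "OWNER_MISMATCH $name owner=$owner claimed=$claimed"
            flagged=1
        fi
        if [ $(( 0$fmode & 0004 )) -ne 0 ]; then
            echo "FILE_WORLD_READABLE $name mode=$fmode"
            flagged=1
        fi
    done
    return $flagged
}

# Usage: audit_session_dir /var/log/session
```

Because each recording is created by and owned by the user being recorded, that user can still edit or truncate their own files; this check only detects interference between users.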