# Record user shell activity



## bbzz (Mar 6, 2014)

Hi guys.

What would be the best way to record user shell activity, that is, whatever each user types in the console, even if logged to another box, needs to be recorded in a file. Is there an application which would do just that?

Kind regards.


----------



## SirDice (Mar 6, 2014)

Why exactly do you want to do this? It sounds suspiciously like keystroke logging.


----------



## kpa (Mar 6, 2014)

I doubt you'll find software level solutions for this on FreeBSD. On MS Windows maybe but not on any open source OS.


----------



## jrm@ (Mar 6, 2014)

The first thing that comes to mind is editing the source of the shell.  It might not be too difficult to use the shell's history code to have it write to a second file.  Depending on what exactly you want, you might also find this thread interesting.


----------



## SirDice (Mar 6, 2014)

The history of the shell only records locally typed commands, not the remote ones (they're logged in the history file of the remote machine).


----------



## Kiiski (Mar 6, 2014)

Maybe the watch command could do what you want? Combined with script perhaps?


----------



## ShelLuser (Mar 6, 2014)

The part of recording activity when logged onto another box is something I don't see happening. But personally I think the best way to record user activities on your own server is Security event auditing. You'll need to compile your kernel for that, but it provides you with a lot of fine-grained control (and options to monitor) that it becomes very easy to get a good overview as to what people are doing on your system.

And the part which I like best is that this approach provides a good balance between securing your environment and becoming too intrusive on your users.


----------



## bbzz (Mar 6, 2014)

The reason we need this, is because users log onto this box to log onto another router/switch/server to do their thing. These boxes can't differentiate between users, we need individual users to log into this box. This is why we need to monitor what is typed into another box from the local server.

I really need something simple, I don't have time to deal with this too much, although I'd like to.

Thanks for the suggestions so far.


----------



## bryn1u (Mar 7, 2014)

bbzz said:
			
		

> Hi guys.
> 
> What would be the best way to record user shell activity, that is, whatever each user types in the console, even if logged to another box, needs to be recorded in a file. Is there an application which would do just that ?
> 
> Kind Regards


Have you tried using _process accounting_? 



> Process accounting is a security method in which an administrator may keep track of system resources used and their allocation among users, provide for system monitoring, and minimally track a user's commands.
> 
> This indeed has both positive and negative points. One of the positives is that an intrusion may be narrowed down to the point of entry. A negative is the amount of logs generated by process accounting, and the disk space they may require. This section walks an administrator through the basics of process accounting.




```
# touch /var/account/acct
# chmod 600 /var/account/acct
# accton /var/account/acct
# echo 'accounting_enable="YES"' >> /etc/rc.conf
```

Link: http://www.freebsd.org/doc/handbook/security-accounting.html.


----------



## DavidMarec (Mar 7, 2014)

bbzz said:
			
		

> Hi guys.
> 
> What would be the best way to record user shell activity, that is, whatever each user types in the console, even if logged to another box, needs to be recorded in a file. Is there an application which would do just that ?
> Kind Regards



You may add the snp() device into the kernel and then, watch() the TTY you want:
`script nsa.log`
`watch ttyp5`

To identify the TTY used by one user, ask w().


----------



## bbzz (Mar 26, 2014)

Thanks guys. I tried both watch() and script() and it looks like that will be sufficient.

Now I need a way to automatically run these programs when each user logs in.

After a bit of searching I found recommendations for editing /etc/pam.d/login , but I didn't go far beyond that. Any recommendation on how to make sure these programs are ran and closed after user(s) log out?

Regards


----------



## bbzz (Mar 27, 2014)

So I tried to test pam_exec module, just to see if this works:


```
#!/bin/sh
[ "$PAM_TYPE" = "open_session" ] || exit 0
{
  echo "User: $PAM_USER"
  echo "Ruser: $PAM_RUSER"
  echo "Rhost: $PAM_RHOST"
  echo "Service: $PAM_SERVICE"
  echo "TTY: $PAM_TTY"
  echo "Date: `date`"
  echo "Server: `uname -a`"
} >> /var/log/user_logins.txt
```

And then linked this script to /etc/pam.d/login and /etc/pam.d/sshd:


```
session         optional        pam_exec.so /usr/local/bin/notify-login
```

It doesn't work. Any suggestions on this?

Regards


----------



## bbzz (Apr 4, 2014)

I've been working on this last few days, but I'm unable to get this to work.

Basically I'm forcing users to jail environment where they will ssh to another machine. I was also thinking of just turning on watch for all tty's user could log in and simply leave it on, rather than turn on/off when each user logs in/off.

There are two problems:

1) How can I force users to specific tty's for this?
2) I can't seem to run script in background (as a background job), it simply terminates and nothing gets logged.

Any suggestion ?

Thanks guys


----------



## bbzz (Apr 7, 2014)

BUMP.

Any chance watch and script could be run in the background? I tried with following script but it doesn't work:


```
#!/bin/sh
user=$PAM_USER
tty_line=$(/usr/bin/w -h | head -n1 | awk '{print $2}')
echo $user > /tmp/test.000
echo $tty_line >> /tmp/test.000
watch $tty_line &
script -a /var/log/siu_user_log/$user.log &
```


----------

