Friday, March 4, 2011

Logging terminal commands in *nix

Is there a way to log(/var/log) commands executed by users in the *nix terminal?

From stackoverflow
  • Dumb idea off the top of my head:

    script will copy the session to a file. You could send it to a named pipe which is being read by a logging process---only thing is, you'll get the output as well as the commands.

  • Assuming you're doing this for security purposes, take a look at process accounting. You didn't say which UNIX variant you're on, but for Linux, take a look at http://www.gnu.org/software/acct/ Beware that you will generate a lot of data as process accounting writes data about every command run system wide (its a kernel feature). Your distro probably has the utilities already; in Debian check the 'acct' package.

    If you're just trying to log what you did so you can go back and look at it later, script (as in the other answer) or screen (with -L) will provide a better solution. However, they will not work for security auditing because its trivial to bypass them: just run a shell script. Also, line editing makes a royal mess of the files. Curses apps (like, say, a text editor) are even worse.

    Also, if you force your users through e.g., script, you may wind up capturing information (e.g., email messages) which it may be illegal for you to intercept.

    dmckee : Ah. Someone who know what their talking about. Upvote.
    Jonathan Leffler : One more option - sudosh or other equivalents. Not sure that they provide much benefit compared to script, but probably worthy of mention.
  • Process accounting is the way to go, despite it sucking up lots of disk space. It's not something I'd leave running unless you have a very grunty box but it's very useful for problem solving since it basically tracks every process, a claim the simpler "snapshot of ps" tools can't match.

    You basically turn it on with accton /var/account/pacct and the kernel then writes details of every process that exits, including:

    • process name (not args, unfortunately).
    • start time.
    • elapsed time.
    • user and system CPU times.
    • exit code.
    • memory, I/O, fault and swap statistics.
    • process ID.
    • parent process ID.

    and a few other things.

    You shut it down with a naked accton so all you people who laughed at Windows for using a Start button to shut down, HAH !! :-)

    There are two variants of records that can be logged, v1 and v3 - make sure you're using the latest process accounting software and v3 records as they hold more useful information. The /usr/include/linux/acct.h file shows what you can get from there.

    The records are all fixed size (regardless of version) and easy to process.

    We've just recently finished a Linux agent for our performance monitoring software - I thought I'd jot this down while it's still fresh in my memory.

    One thing to watch out for are the comp_t fields - these are actually a weird exponent/mantissa type for holding a large range of values in 16 bits - the algorithm is pretty simple for turning it into a long:

    comp_t ct = ?;
    long val = (ct & 0x1fff) << (((ct >> 13) & 0x7) * 3);
    

    Another thing is that some values are in clock ticks, not seconds, so you have to divide by the value returned by sysconf (_SC_CLK_TCK).

0 comments:

Post a Comment