using 'script' with sshd
my users like to delete their .bash_history files or just ln them to /dev/null. i am looking for a way to keep track of what they are doing regardless.
the best thing i have found so far is to use the script command to log all their keystrokes. the problem though is that if i add this into any of their .profile or related files, they will probably notice and remove it.
is there a way for sshd to automatically enter a user into a script session when they log in? i have been looking through man sshd_config but i don't see anything like that or for running commands right at login.... hm.
If you are afraid of them deleting this new keystroke script, then change the permissions on it so that they don't have the right to delete it. Also change the permissions on the bash_history file so that they can't delete that. If none of this sounds logical then explain to them a set of consequences that will happen if they delete their bash profile history.
i've already set their .bash_history to write only, but they've figured out how to clear it. i've also set .bash_history to chattr +au but i have a feeling they can get around that pretty easily as well. i have disabled all shells except for bash, but they could scp any shell they want into their chrooted environment so that it evades bash command logging entirely.
i'm looking for something that they won't even see, so they won't know to disable or get around it. my thought was that since the (unix standard) script command logs all keystrokes (including backspaces and special characters) entered into any program once inside of the script session, it would be a good way to make sure no funny business is going on. or at least to have some kind (at least marginally) reliable log to look at after an attempted/succeeded malicious activity.
True, well bury that script somewhere where you won't think they'll find it. I know you can get some keyloggers that run as a background process and are only able to be accessed when you hit a specific type of keystroke combination like ctrl-alt-t-u or something along those lines. You might want to just google for linux keyloggers and see what you can find. I know of a good one called KeyGhost which is an actual piece of hardware you plug into the keyboard and can access up to 12 months of a user's typing logs, but it costs money, but I know there are some good free keyloggers for linux, just do a little searching.
$ man script
The script utility makes a typescript of everything printed on your ter-
minal. It is useful for students who need a hardcopy record of an inter-
active session as proof of an assignment, as the typescript file can be
printed out later with lpr(1).
I'm writing this because I don't know if you understand that basically every unix based operating system already comes with this utility.
Alternatively though, taking your suggestion I have searched and found ttyrpld which is a kernel-level tty logger and doesn't require userland interaction of any kind to do its thing. This will probably be the solution for me.
So in the end, thank you very much!
Ah, you're welcome, even though you did the footwork, I just offered my suggestion. I have found a good source for most of my answers I need I find at <Linux> - Google Search. It's great for finding linux solutions, or I use the search option with these forums, just to give you a few suggestions in case you have future problems.
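
The question of having sshd start a `script` session at login, as an added example that is not part of any post in this thread: sshd_config's `ForceCommand` directive can run a wrapper that records interactive sessions with util-linux `script`. The wrapper path, log directory and group name are assumptions.

```shell
#!/bin/bash
# Added example. Assumed sshd_config entry (group name and path are hypothetical):
#   Match Group audited
#       ForceCommand /usr/local/sbin/ssh-script-wrapper
# sshd runs this wrapper instead of the requested shell or command and
# passes the client's requested command, if any, in SSH_ORIGINAL_COMMAND.

LOG_DIR="${LOG_DIR:-/var/log/ssh-sessions}"   # assumed location

# Build a per-session log path from user, UTC timestamp and PID.
# Characters outside a safe set are replaced so the name cannot escape LOG_DIR.
session_log_path() {
    user=$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')
    printf '%s/%s.%s.%s.typescript\n' "$LOG_DIR" "$user" "$2" "$3"
}

# Decide what runs inside the session: the requested command, or a login shell.
session_command() {
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        printf '%s\n' "$SSH_ORIGINAL_COMMAND"
    else
        printf '%s -l\n' "${SHELL:-/bin/bash}"
    fi
}

main() {
    cmd=$(session_command)
    if [ -t 0 ]; then
        # Interactive login: record everything printed on the terminal.
        log=$(session_log_path "$(id -un)" "$(date -u +%Y%m%dT%H%M%SZ)" "$$")
        exec script -q -f -c "$cmd" "$log"
    fi
    # No terminal (scp, sftp, "ssh host cmd"): a pty would corrupt the data
    # stream, so log only the command line to syslog and run it unrecorded.
    logger -t ssh-session "user=$(id -un) cmd=$cmd"
    exec "${SHELL:-/bin/bash}" -c "$cmd"
}

# Act only when started by sshd, which sets SSH_CONNECTION.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

`script` runs with the logged-in user's privileges, so the typescript it writes can be altered by that user, and the wrapper is visible in the process list. A kernel-level logger such as the ttyrpld mentioned in the thread does not depend on userland in this way.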