How to automatically record all your terminal sessions with script utility
If someone wants to record their terminal sessions automatically--including SSH sessions(!)--using the script
utility, here is how.
Add the following line at the end of .bashrc
in your home directory, or otherwise /etc/bash.bashrc
if you only want to record all users' sessions. We test for shell's parent process not being script
and then run script
.
For Linux:
test "$(ps -ocommand= -p $PPID | awk '{print $1}')" == 'script' || (script -f $HOME/$(date +"%d-%b-%y_%H-%M-%S")_shell.log)
For BSD and macOS, change script -f
to script -F
:
test "$(ps -ocommand= -p $PPID | awk '{print $1}')" == 'script' || (script -F $HOME/$(date +"%d-%b-%y_%H-%M-%S")_shell.log)
That's all!
Now when you open a new terminal you'll see:
Script started, file is /home/username/file_name.log
script
will write your sessions to a file in your home directory naming them something like 30-Nov-11_00-11-12_shell.log
as a result.
More customization:
- You can append your sessions to one large file rather than creating a new one for every session with
script -a /path/to/single_log_file
- You can adjust where the files are written to by changing the path after
script -f
(Linux) orscript -F
(BSD and macOS)
This answer assumes that you have script
installed, of course. On Debian-based distributions, script
is part of the bsdutils
package.
Although this question was asked by an individual wanting to record his own sessions, an alternative use case might be a system administrator who wants to keep track of what various users are doing.
I fear running
script
inside the system-widebashrc
might not be suitable in the case when users of the machine are reluctant to have recordings made of their sessions.Users who wish to remain incognito could bypass the logging by asking sshd to open a different shell (e.g.
zsh
) or runbash --rcfile ___
to prevent/etc/bash.bashrc
from being loaded.
An alternative approach
This guide from 2008 (archived) uses a different method to force script
to be run when a user logs in with ssh, which requires users to log in with a public/private key.
This is done by adding a script to the user's .ssh/authorized_keys
file, in front of the key:
command="/usr/local/sbin/log-session" ssh-dss AAAAB3NzaC1kc3MAAAEBAMKr1HxJz.....
The log-session
(archived) script then decides whether or not to run /usr/bin/script
to log this user's session.
exec script -a -f -q -c "$SSH_ORIGINAL_COMMAND" $LOGFILE
To prevent the user from removing the added command, the administrator will need to assume ownership of the user's authorized_keys
file.
chown root:root ~user/.ssh/authorized_keys
Unfortunately, this means the user won't be able to add any additional keys him/herself, or more importantly revoke the existing key if it is compromised, which is far from ideal.
Caveats
It is common for sshd's default configuration to allow users to perform SFTP over their ssh login. This offers a way for users to edit files without the changes being logged. If the administrator does not want users to be able to do that, then he should either enable some logging for SFTP, or disable the service. Although even then, users could still make unseen changes to files by running something like this in their terminal:
curl "http://users.own.server/server/new_data" > existing_file
It might be possible to monitor changes like that by using a copy-on-write filesystem that records all file history.
But a similar trick would allow a user to execute commands without them being logged:
curl "http://users.own.server/server/secret_commands_824" | sh
I don't know of any easy solutions to that. Possibilities might be:
- Logging all network data (and untangling it later).
- Logging all system calls.
This sort of thing might be possible with auditd.
But anyway...
It is unlikely that logging user sessions provides any real security for administrators. By default a user can only manipulate their own files, and cannot harm the system. If a malicious user did manage to escalate privileges, then he could disable logging and delete the logs (unless the administrator has configured logs to be stored on a separate machine, in an append-only fashion).
Administrators who do automatically log user sessions should probably inform the users that this is being done. In some jurisdictions, this form of data collection might violate data or privacy laws. And at the very least, it would be respectful to users to make them aware.
It is more likely that an administrator would be interested in logging the sessions of
sudo
users. That could perhaps be tackled in a different answer, or indeed a different question.
Instead of:
test "$(ps -ocommand= -p $PPID | awk '{print $1}')" == 'script' ||
I would use:
grep -qx "$PPID" <(pgrep -x "script") ||
The double-quotes aren't necessary in this case, but I tend to use them anyway as a standard practice. I definitely recommend using the "x" switch to both the grep and the pgrep, to avoid a rare-but-problematic match with substrings.