In this article I'll describe two methods to record terminal activity for commands executed as the root user and replay the session at a later time.
- Method 1: Update required entries in sudoers file & replay the session using sudoreplay.
- Method 2: Use sudosh as a shell to record sessions and replay them with sudosh-replay.
Method 1: Using sudo/sudoreplay:
Sudo command logging is not enabled by default. To enable it, add the following entries to the /etc/sudoers file:
- log_output
- log_input
- iolog_dir
Here is a sample entry for the users test and test1 in /etc/sudoers:
Defaults:test,test1 log_output
Defaults:test,test1 log_input
Defaults iolog_dir=/var/log/sudo-io/%{user}
- log_output: log the command's output (what the terminal displays)
- log_input: log the command's input (keystrokes)
- iolog_dir: directory in which the session logs are saved (%{user} expands to the name of the invoking user)
That's it. The next time one of these users runs a command with sudo, the session is logged and saved under /var/log/sudo-io/<user name>; these are the sessions that sudoreplay lists and replays.
Method 2: Using sudosh
The source code for sudosh is available on GitHub and is compatible with a wide range of *nix platforms. sudosh was designed to be used either in conjunction with sudo or by itself as a login shell.
Installation:
Download the source code from GitHub, then compile and install the package:
1) ./configure
2) make
3) make install
4) sudosh -i
Usage:
To start logging via sudosh, run the following command:
# sudo /usr/local/bin/sudosh
You can also add an entry to the /etc/sudoers file as follows (example taken from the README file):
-- /etc/sudoers begin --
User_Alias ADMINS=admin1,admin2,admin3
User_Alias DBAS=dba1,dba2,dba3
Cmnd_Alias SUDOSH=/usr/local/bin/sudosh
ADMINS ALL=SUDOSH
DBAS ALL=(oracle)/usr/local/bin/sudosh
To start a sudosh logging session, type /usr/local/bin/sudosh (or sudo /usr/local/bin/sudosh) on the command line; it starts recording your session. To stop recording, type exit.
The session logs get saved in /var/log/sudosh:
[root@centdb ttyrec-1.0.8]# ls -l /var/log/sudosh
total 24
-rw------- 1 root root 714 Sep 21 21:48 root-root-script-1474519688-QGv8iZ9sXKhs830a
-rw------- 1 root root 371 Sep 21 21:48 root-root-time-1474519688-QGv8iZ9sXKhs830a
-rw------- 1 test1 test1 380 Sep 22 01:24 root-test1-script-1474532682-LmbZCWgpi5xXBrrc
-rw------- 1 test1 test1 338 Sep 22 01:24 root-test1-time-1474532682-LmbZCWgpi5xXBrrc
-rw------- 1 test test 617 Sep 21 21:53 root-test-script-1474519973-Y9mXUS3t2UY4wzl9
-rw------- 1 test test 172 Sep 21 21:53 root-test-time-1474519973-Y9mXUS3t2UY4wzl9
To replay a session, first run sudosh-replay with no arguments to get a list of the available sessions:
[root@centdb ttyrec-1.0.8]# sudosh-replay
Date Duration From To ID
==== ======== ==== == ==
09/21/2016 21:48:08 22s root root root-root-1474519688-QGv8iZ9sXKhs830a
09/21/2016 21:52:53 8s root test root-test-1474519973-Y9mXUS3t2UY4wzl9
09/22/2016 01:24:42 10s root test1 root-test1-1474532682-LmbZCWgpi5xXBrrc
Usage: sudosh-replay ID [MULTIPLIER] [MAXWAIT]
See 'sudosh-replay -h' for more help.
Example: sudosh-replay root-test1-1474532682-LmbZCWgpi5xXBrrc 1 2
Then pick the session you want from the ID column and replay it by typing sudosh-replay followed by that ID, as in the example below:
[root@centdb ttyrec-1.0.8]# sudosh-replay root-test1-1474532682-LmbZCWgpi5xXBrrc
This will replay the recording of the session.
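As an added example (not code from this post or from the sudosh project), here is a small POSIX shell audit of a sudosh log directory: it parses the file names shown in the listing above, reports recordings that are owned by the recorded user (who could then edit their own recording, as the test and test1 files in the listing are) or that are readable beyond mode 0600, and flags script files with no matching time file. It assumes GNU stat(1) and user names without hyphens; the sample directory it builds is constructed.

```shell
#!/bin/sh
# Audit helper for sudosh recordings (added example, not from the post or the
# sudosh project). Names follow the pattern in the listing above:
#   <from-user>-<to-user>-<script|time>-<epoch>-<session id>   (no '-' in names)

# check_sudosh_log NAME OWNER MODE: prints "ok ..." or "WARN ... <findings>".
check_sudosh_log() {
    name=$1 owner=$2 mode=$3
    oldifs=$IFS; IFS='-'; set -- $name; IFS=$oldifs
    from=$1 to=$2 kind=$3 id=$5 findings=""
    case "$kind" in
        script|time) ;;
        *) findings="$findings unexpected-type=$kind" ;;
    esac
    # If the recorded account owns its own recording it can edit or truncate it.
    [ "$owner" != "$to" ] || findings="$findings owned-by-recorded-user=$to"
    # Anything looser than 0600 lets other accounts read the keystroke log.
    [ "$mode" = 600 ] || findings="$findings mode=$mode"
    if [ -z "$findings" ]; then echo "ok   $from->$to $kind $id"
    else echo "WARN $from->$to $kind $id$findings"; fi
}

# audit_sudosh_dir DIR: checks every recording and flags script files that
# have no matching time file (an incomplete session cannot be replayed).
audit_sudosh_dir() {
    dir=${1:-/var/log/sudosh}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        check_sudosh_log "$(basename "$f")" "$(stat -c %U "$f")" "$(stat -c %a "$f")"
    done
    for s in "$dir"/*-script-*; do
        [ -f "$s" ] || continue
        t=$(printf '%s' "$s" | sed 's/-script-/-time-/')
        [ -f "$t" ] || echo "WARN missing time file for $(basename "$s")"
    done
}

# make_sample_sudosh_dir: constructed sample (made-up session ids) with one
# world-readable script file and one script file without its time file.
make_sample_sudosh_dir() {
    d=$(mktemp -d)
    for n in root-dba1-script-1474500000-sample0001 root-dba1-time-1474500000-sample0001 \
             root-admin1-script-1474500100-sample0002 root-admin1-time-1474500100-sample0002 \
             root-admin2-script-1474500200-sample0003; do
        : > "$d/$n"; chmod 600 "$d/$n"
    done
    chmod 644 "$d/root-admin1-script-1474500100-sample0002"
    echo "$d"
}
```

audit_sudosh_dir with no argument reads /var/log/sudosh; `audit_sudosh_dir "$(make_sample_sudosh_dir)"` runs it over the constructed sample and prints two WARN lines.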