Start script when a user starts a remote session

Howdy,

I'm fairly new at bash scripting, but (for some reason) I've been tasked with building a bastion server and logging all (ssh/telnet) remote activity. Each session must create a unique log file - the name of each file must include the user ID, the connection method (ssh/telnet), the name of the remote host, and a time stamp. I have a basic bash script using the script command (see below).

Users authenticate through Active Directory (Winbind) and use a default lshell; local users do not need to be logged. My two questions are:

  1. What's the best way to start and stop the script?
  2. How do I capture the remote connection method (ssh or telnet) and the name of the remote host for the log file name?

This is what I have as a framework:

#!/bin/bash

# Capture keystrokes of a user and log

TIMESTAMP=$(date +%m%d%y%H%M%S)
HOST=$(hostname | cut -f1 -d.)
LOGDIR=/var/log/logging
LOGFILE=${HOST}.${LOGNAME}.${TIMESTAMP}
touch "$LOGDIR/$LOGFILE"

# Set Prompt
export PS1="[$LOGNAME:$HOST]@"'$PWD> '

# Only the owner may read or write the log while the session is recorded
chown "$LOGNAME" "${LOGDIR}/${LOGFILE}"
chmod 600 "${LOGDIR}/${LOGFILE}"

# Record the session; make the log read-only once it ends
script "${LOGDIR}/${LOGFILE}"
chmod 400 "${LOGDIR}/${LOGFILE}"

Any help would be greatly appreciated.

What OS do you have? That will give us a better idea on how to identify incoming ssh.
Usually it relates to the parent pid of the process being sshd.

If you activate your script in the /etc/telnetrc file, you will catch all incoming telnet connections if you have it start logging.

To actually log use the script command. It captures all keystrokes into a file.

example for bash, ksh:

script  /path/to/logs/${USER}.`date +%Y%m%d%H%M%S`

There is a problem with this - managers think this increases security, in fact, what it really does is eat up disk space. So monitor disk usage closely. Security is better served by preventing problems, rather than playing whodunit games after the fact.

Hi,

Thanks for the reply. I'm running CentOS 5.7 right now on the bastion box. Basically, we want to have logs of user activity on remote devices that they connect to from the bastion. Everyone we want to log will authenticate to the bastion via Winbind. They're running lshell and are limited to 5 or 6 commands, including telnet and ssh. Ideally, I'd like to have the keystroke script start when the user runs 'ssh user@remotedevice.com', and the same with telnet. And then kill the script when they close the terminal.
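
An added example, not part of the thread: one way to get a log per outbound session named with the user, the connection method, the remote host and a timestamp is a wrapper that users run in place of ssh/telnet. The function names are hypothetical, and it assumes the util-linux `script` with `-q`/`-c` and targets given as `user@host` or `host` with no extra client options.

```shell
#!/bin/bash
# Added example: run the ssh/telnet client under `script` with a per-session log.
# LOGDIR is the directory from the original post; the function names are hypothetical.
LOGDIR=${LOGDIR:-/var/log/logging}

# Print the host part of "user@host" or "host". Anything outside a small safe
# character set is refused, so the value cannot leave LOGDIR as a path or add
# shell syntax to the command string given to `script -c`.
remote_host() (
    LC_ALL=C    # byte-exact A-Z ranges regardless of the user's locale
    case $1 in
        ''|-*|*[!A-Za-z0-9._@-]*) exit 1 ;;   # empty, option-like, unsafe char
    esac
    host=${1##*@}
    [ -n "$host" ] || exit 1
    printf '%s\n' "$host"
)

# Build <user>.<method>.<remotehost>.<timestamp>; characters such as the
# backslash in a Winbind DOMAIN\user name become "_".
session_log_name() {   # args: user method host timestamp
    user=$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')
    printf '%s.%s.%s.%s\n' "$user" "$2" "$3" "$4"
}

# Record one remote session: logged_session ssh user@host | telnet host
logged_session() {
    case $1 in
        ssh|telnet) method=$1 ;;
        *) echo "usage: logged_session ssh|telnet target" >&2; return 2 ;;
    esac
    host=$(remote_host "$2") || { echo "refusing target: $2" >&2; return 2; }
    log=$LOGDIR/$(session_log_name "$(id -un)" "$method" "$host" "$(date +%Y%m%d%H%M%S)")
    # Create the log owner-only; noclobber (-C) refuses to reuse an existing file
    ( umask 077; set -C; : > "$log" ) || return 1
    # script exits when the client does, which stops the recording
    script -q -c "$method $2" "$log"
    chmod 400 "$log"
}

# Executed with arguments: record that session. With none: define functions only.
if [ "$#" -gt 0 ]; then logged_session "$@"; fi
```

The user name comes from `id -un` rather than `$LOGNAME`, so the name in the file cannot be changed through the environment.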