diff --git a/README.md b/README.md index 7344f58..c471e6e 100644 --- a/README.md +++ b/README.md 
@@ -2,52 +2,24 @@ scriptreplay_ng =============== Scriptreplay can be used to replay recorded session recorded by the linux/unix "script" tool. - - - -Installation of an audit shell ------------------------------- - -The following instructions describe the procedure how to install a audit shell in combination with -the scriptreplay utility. -Auditshell submits the typescript and the timings to syslog which prevents modification by terminal users. -The logged information can also be forwared to secured logging servers using standard syslog logfile distribution. - - * Install the following tools to /usr/local/bin - scriptreplay - helpers/auditshell - helpers/auditshell_create_sessionfiles - chown root:root /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} - chmod 755 /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} - * Patch an install custom "script" implementation - cd helpers/ - git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git - cd util-linux.git - patch -p0 < ../auditshell_script.patch - ./autogen.sh - make - cp script /usr/local/bin/ - chown root:root /usr/local/bin/script - chmod 755 /usr/local/bin/script - * If you like: - * Disable string escaping on system which are using rsyslogd (i.e. Ubuntu systems) - * Redirect the auditshell logs to another logfile using syslog configuration - * Change shell of user - chsh -s /usr/local/bin/auditshell +This project also provides tools to setup auditable shell sessions. Usage ----- - * Start session, and execute commands - * Extract session files - /usr/local/bin/auditshell_create_sessionfiles /var/log/messages /tmp/foo + * Record session + ``` +script -t /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript 2> /tmp/foo/2013-09-11_18-47-45.user1.11931.timing + ``` * Replay session ``` scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript ``` -Documentation + + +Manpage ------------- ``` 
@@ -137,3 +109,57 @@ AUTHORS SEE ALSO script(1), bzcat(1), zcat(1), lzcat(1) ``` + + +Installation of "auditshell" +------------------------------ + +The following instructions describe the procedure how to install a audit shell in combination with +the scriptreplay utility. +Auditshell submits the typescript and the timings to syslog which prevents modification by terminal users. +The logged information can also be forwarded to secured logging servers using standard syslog logfile distribution. + + * Install the following tools to /usr/local/bin + * scriptreplay + * helpers/auditshell + * helpers/auditshell_create_sessionfiles + * Set permission and owner + ``` +chown root:root /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} +chmod 755 /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} + ``` + * Patch an install custom "script" implementation + ``` +cd helpers/ +git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git +cd util-linux.git +patch -p0 < ../auditshell_script.patch +./autogen.sh +make +cp script /usr/local/bin/ +chown root:root /usr/local/bin/script +chmod 755 /usr/local/bin/script + ``` + * If you like: + * Disable string escaping on system which are using rsyslogd (i.e. Ubuntu systems) + * Redirect the auditshell logs to another logfile using syslog configuration + * Change shell of user + ``` +chsh -s /usr/local/bin/auditshell + ``` + + +Watch auditshell sessions +------------------------- + + * Start session, and execute commands + * Extract session files + ``` +/usr/local/bin/auditshell_create_sessionfiles /var/log/messages /tmp/foo + ``` + * Replay session + ``` +scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript + ``` + +
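Review bot: In the first README.md hunk (@@ -2,52 +2,24 @@), the new "Record session" example writes the typescript and timing files under /tmp/foo without saying who owns that directory or what mode it has. A typescript captures everything shown on the terminal, so the example should either use a directory created with restrictive permissions or add a sentence saying the target directory must not be readable or writable by other users. Two style points in the same hunk: "tools to setup" should read "tools to set up", and the renamed "Manpage" heading keeps the underline that was sized for the old "Documentation" heading.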
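Review bot: In the second hunk (@@ -137,3 +109,57 @@), the chmod line under "Set permission and owner" still lists auditshel (one "l") inside the brace expansion, so /usr/local/bin/auditshell is not set to mode 755 by this step and chmod reports a missing file. It should match the chown line above it: {scriptreplay,auditshell,auditshell_create_sessionfiles}. Since these lines are being moved and re-fenced anyway, the build steps deserve the same pass: git clone of .../util-linux.git creates a directory named util-linux, so "cd util-linux.git" fails as written, and the clone uses git://, which is unauthenticated, for a binary that ends up root-owned in /usr/local/bin; the https:// form of the same URL is the safer choice. "chsh -s /usr/local/bin/auditshell" has no user name, so it changes the shell of whoever runs it; the step reads as if it should take the audited user's name as an argument. Wording: "Patch an install" should be "Patch and install", and "a audit shell" should be "an audit shell".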