|
|
|
@ -10,12 +10,12 @@ Usage |
|
|
|
|
|
|
|
* Record session |
|
|
|
``` |
|
|
|
script -t /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript \ |
|
|
|
script -t /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript \ |
|
|
|
2> /tmp/foo/2013-09-11_18-47-45.user1.11931.timing |
|
|
|
``` |
|
|
|
* Replay session |
|
|
|
``` |
|
|
|
scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing \ |
|
|
|
scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing \ |
|
|
|
/tmp/foo/2013-09-11_18-47-45.user1.11931.typescript |
|
|
|
``` |
|
|
|
|
|
|
|
@ -127,29 +127,29 @@ The logged information can also be forwarded to secured logging servers using st |
|
|
|
* helpers/auditshell_create_sessionfiles |
|
|
|
* Set permission and owner |
|
|
|
``` |
|
|
|
chown root:root \ |
|
|
|
chown root:root \ |
|
|
|
/usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} |
|
|
|
chmod 755 \ |
|
|
|
chmod 755 \ |
|
|
|
/usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} |
|
|
|
``` |
|
|
|
* Patch an install custom "script" implementation |
|
|
|
``` |
|
|
|
cd helpers/ |
|
|
|
git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git |
|
|
|
cd util-linux.git |
|
|
|
patch -p0 < ../auditshell_script.patch |
|
|
|
./autogen.sh |
|
|
|
make |
|
|
|
cp script /usr/local/bin/ |
|
|
|
chown root:root /usr/local/bin/script |
|
|
|
chmod 755 /usr/local/bin/script |
|
|
|
cd helpers/ |
|
|
|
git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git |
|
|
|
cd util-linux.git |
|
|
|
patch -p0 < ../auditshell_script.patch |
|
|
|
./autogen.sh |
|
|
|
make |
|
|
|
cp script /usr/local/bin/ |
|
|
|
chown root:root /usr/local/bin/script |
|
|
|
chmod 755 /usr/local/bin/script |
|
|
|
``` |
|
|
|
* If you like: |
|
|
|
* Disable string escaping on system which are using rsyslogd (i.e. Ubuntu systems) |
|
|
|
* Redirect the auditshell logs to another logfile using syslog configuration |
|
|
|
* Change shell of user |
|
|
|
``` |
|
|
|
chsh -s /usr/local/bin/auditshell <user> |
|
|
|
chsh -s /usr/local/bin/auditshell <user> |
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
@ -159,11 +159,11 @@ Watch auditshell sessions |
|
|
|
* Start session, and execute commands |
|
|
|
* Extract session files |
|
|
|
``` |
|
|
|
/usr/local/bin/auditshell_create_sessionfiles /var/log/messages /tmp/foo |
|
|
|
/usr/local/bin/auditshell_create_sessionfiles /var/log/messages /tmp/foo |
|
|
|
``` |
|
|
|
* Replay session |
|
|
|
``` |
|
|
|
scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing \ |
|
|
|
scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing \ |
|
|
|
/tmp/foo/2013-09-11_18-47-45.user1.11931.typescript |
|
|
|
``` |
|
|
|
|
|
|
|
|
Marc Schoechlin
12 years ago