Automatically Record/Capture All Users Terminal Sessions Activity In Linux

I would advise administrators to add this activity as part of security on mission critical servers, which will help us to find the issue easily when we want to check the specific user session activity. So that you can identify what he/she had done, if anything happened wrongly on server.

Also, it will help you to get the command output whenever you want like, later sometime you want to investigate on this or future references.

By default everyone prefer history command to review the previously entered commands in terminal but unfortunately, that shows only the commands and doesn’t shows the commands output which was performed previously.

Suggested Read : Script – A Simple Command To Record Your Terminal Session Activity

It can be done using script command. Just add the script on /etc/profile file. It will automatically start recording user terminal sessions activity whenever user logged in.

What’s Script?

Script is a Unix command line utility that records a terminal session (in other terms, It’s record everything displayed on your terminal). It stores the output in the current directory as a text file and the default file name is typescript.

Script is one of the Linux core utility and by default pre-installed in most of the Linux distributions. The script command is part of the util-linux package.

How To Check Whether Scrip Command Installed Or Not?

The script command is part of the util-linux-ng package, so grep this package to confirm whether the script command installed or not in system.

For RPM based systems

$ yum info util-linux-ng
Installed Packages
Name        : util-linux-ng
Arch        : x86_64
Version     : 2.17.2
Release     : 12.28.el6
Size        : 5.9 M
Repo        : installed
From repo   : base
Summary     : A collection of basic system utilities
URL         :
License     : GPLv1+ and GPLv2 and GPLv2+ and LGPLv2+ and MIT and BSD with advertising and Public Domain
Description : The util-linux-ng package contains a large variety of low-level system
            : utilities that are necessary for a Linux system to function. Among
            : others, Util-linux contains the fdisk configuration tool and the login
            : program.

Alternatively we can use yum provides /usr/bin/script to get the details.

$ yum provides /usr/bin/script
util-linux-ng-2.17.2-12.28.el6.x86_64 : A collection of basic system utilities
Repo        : installed
Matched from:
Other       : Provides-match: /usr/bin/script

For DEB based systems

$ apt-cache policy util-linux
  Installed: 2.28.2-1ubuntu1.1
  Candidate: 2.28.2-1ubuntu1.2
  Version table:
     2.28.2-1ubuntu1.2 500
        500 yakkety-updates/main amd64 Packages
 *** 2.28.2-1ubuntu1.1 100
        100 /var/lib/dpkg/status
     2.28.2-1ubuntu1 500
        500 yakkety/main amd64 Packages

Why? We need to add /etc/profile file

/etc/profile file used to set Linux system wide environment variables on users shells. This file automatically executed whenever a bash login shell is entered. Just open the /etc/profile file using your favorite text editor and add the below code.

# vi /etc/profile

[#Record terminal sessions]
if [ "x$SESSION_RECORD" = "x" ]
timestamp=`date "+%m%d%Y%H%M"`
script -t -f -q 2>${output}.timing $output

Make sure the output path /var/log/session is already present on system. If no, create it.

# mkdir /var/log/session

Change the /var/log/session directory permission to 777 which allows all the users to write their activity in session directory.

# chmod 777 /var/log/session

How To Test This?

Everything in place, let’s do the testing to check whether the script is working as excepted or not?

Let’s imagine, we have three users daygeek, magi, and tanisha. Let’s run few commands on each terminal to check this experiment.

daygeek user session activity.

$ uname -a

$ arch

$ hostname -I

$ exit

magi user session activity.

$ w

$ date

$ whoami

$ cat /etc/centos-release

$ exit

tanisha user session activity.

$ rpm -q kernel

$ history

$ last reboot

$ exit

root user session activity.

# whoami

# pwd

# host

# host

# exit

Print The Recorded Sessions

We have successfully executed few commands an all users session, use LS (LS stands for List Directory Contents) command to print the recorded sessions.

# ls -lh
total 32K
-rw-rw-r-- 1 daygeek daygeek 2.0K Jul 24 17:16 session.daygeek.26452.072420171715
-rw-rw-r-- 1 daygeek daygeek  784 Jul 24 17:16 session.daygeek.26452.072420171715.timing
-rw-rw-r-- 1 magi    magi     835 Jul 24 17:14 session.magi.26394.072420171713
-rw-rw-r-- 1 magi    magi     591 Jul 24 17:14 session.magi.26394.072420171713.timing
-rw-r--r-- 1 root    root     957 Jul 24 17:18 session.root.26499.072420171717
-rw-r--r-- 1 root    root     864 Jul 24 17:18 session.root.26499.072420171717.timing
-rw-rw-r-- 1 tanisha tanisha  555 Jul 24 17:20 session.tanisha.26545.072420171718
-rw-rw-r-- 1 tanisha tanisha  528 Jul 24 17:20 session.tanisha.26545.072420171718.timing

Yes, all the user’s terminal sessions activity were recorded successfully and saved under /var/log/session directory.

Print All User’s Recorded Session Data

Everything went fine without any issues, we are going to print all the user’s recorded session data one by one to double confirm the script was done the job as expected.

daygeek user session output.

# more session.daygeek.26452.072420171715
Script started on Mon 24 Jul 2017 05:15:13 PM EDT
[[email protected] ~]$ uname -a
Linux 2.6.32-696.6.3.el6.x86_64 #1 SMP Wed Jul 12 14:17:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[[email protected] ~]$ arch
[[email protected] ~]$ hostname -I
[[email protected] ~]$ exit

magi user session output.

# more session.magi.26394.072420171713
Script started on Mon 24 Jul 2017 05:13:10 PM EDT
[[email protected] ~]$ w
 17:13:13 up 3 days,  7:17,  4 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              [email protected]   IDLE   JCPU   PCPU WHAT
root     pts/0    17:00    4:13   0.29s  0.24s top -c
root     pts/1    17:09   27.00s  0.01s  0.01s -bash
magi     pts/2    17:13    0.00s  0.00s  0.00s -bash
magi     pts/3    -                17:13    0.00s  0.00s  0.00s w
[[email protected] ~]$ date
Mon Jul 24 17:13:24 EDT 2017
[[email protected] ~]$ whoami
[[email protected] ~]$ cat /etc/centos-release
CentOS release 6.9 (Final)
[[email protected] ~]$ exit

tanisha user session output.

# more session.tanisha.26545.072420171718
Script started on Mon 24 Jul 2017 05:18:49 PM EDT
[[email protected] ~]$ rpm -q kernel
[[email protected] ~]$ history
    1  rpm -q kernel
    2  history
[[email protected] ~]$ last reboot
reboot   system boot  2.6.32-696.6.3.e Fri Jul 21 09:55 - 17:20 (3+07:24)

wtmp begins Fri Jul 21 09:54:02 2017
[[email protected] ~]$ exit

root user session output.

# more session.root.26499.072420171717
Script started on Mon 24 Jul 2017 05:17:41 PM EDT
[[email protected] ~]# whoami
[[email protected] ~]# pwd
[[email protected] ~]# host has address has address has IPv6 address 2400:cb00:2048:1::681b:9db1 has IPv6 address 2400:cb00:2048:1::681b:9cb1 mail is handled by 0
[[email protected] ~]# host has address mail is handled by 10
[[email protected] ~]# exit

The output clearly shows, all the user’s activity recorded properly without any issue.

Magesh Maruthamuthu

Love to play with all Linux distribution

You may also like...

Please support the site
By clicking any of these buttons you help our site to get better