How to Automatically Record the Terminal Session Activity of All Users on Linux

Some time ago, we wrote an article on recording Linux terminal session activity with the script command.

Today we return to the same topic.

This tutorial, however, records the terminal session activity of all users automatically.

I advise administrators to include this functionality as part of the security checklist for mission-critical servers.

It will help you fix a problem immediately if something goes wrong on the server because of a user's activity.

You can easily identify what a user did by checking that user's session activity file.

It also lets you retrieve the output of a command whenever you want, or keep it for future reference.

By default, everyone prefers the history command to review the commands previously entered in the terminal. That is useful, but unfortunately it does not show the output of those commands.

This can be done with the script command. To do so, add the script below to the /etc/profile file. It will automatically start recording the user's terminal session whenever the user logs in.

What is the script Command

script is a UNIX command-line application that records a terminal session (in other words, it records everything that is displayed on your terminal).

It stores the output as a text file in the current directory; the default filename is typescript.

What is scriptreplay

This program replays a typescript, using timing information to ensure that output happens at the same speed as it originally appeared when the script was recorded.

How to Check if the script Command is Installed or not on Linux

script is part of the core utilities shipped with Linux and is already installed on most distributions by default.

The script command belongs to the “util-linux” (formerly “util-linux-ng”) package on RHEL-based systems and to the “bsdutils” package on Debian-based systems.

For RHEL-based systems, use the rpm command:

# rpm -qf /usr/bin/script
util-linux-2.32.1-8.el8.x86_64

# rpm -qf /usr/bin/scriptreplay
util-linux-2.32.1-8.el8.x86_64

For Debian-based systems, use the dpkg command:

# dpkg -S /usr/bin/script
bsdutils: /usr/bin/script

# dpkg -S /usr/bin/scriptreplay
bsdutils: /usr/bin/scriptreplay

What is the /etc/profile File, and What is it Used for on Linux?

The /etc/profile file sets system-wide environment variables for the user's shell. It is read automatically whenever a user starts a bash login shell. Open /etc/profile in your favorite text editor and add the code below.

# vi /etc/profile

# Script to Record the User's Terminal Session
# Record only when stdin is a terminal (an interactive login) and this login
# has not already been recorded. scp, sftp and rsync sessions have no tty and
# must not be wrapped in script, or the file transfer breaks.
if [ -t 0 ] && [ "x$session_record" = "x" ] && command -v script >/dev/null 2>&1
then
    timestamp=$(date "+%m%d%Y%H%M")
    output=/var/log/session/session.$USER.$$.$timestamp
    session_record=started
    export session_record
    # -t writes timing data to stderr (redirected to the .timing file),
    # -f flushes the recording after every write, -q hides the start/stop banners
    script -t -f -q 2>"${output}.timing" "$output"
    # the recorded shell has ended, so end the login shell as well
    exit
fi

Make sure the output directory /var/log/session already exists on the system. If not, create it:

# mkdir /var/log/session

Change the permissions of the /var/log/session directory to 777, which allows all users to write their session activity into it. To learn more about Linux file permissions, see our article on the subject.

# chmod 777 /var/log/session

How to Check if this Script Works as Expected?

With the prerequisites in place, we will run some commands in the terminal to check that the recording works.

Let's imagine that you have three users: daygeek, magi, and tanisha. We will run some commands in each user's session to verify the setup.

We run the following commands as the daygeek user:

$ uname -a

$ arch

$ hostname -I

$ exit

We run the following commands as the magi user:

$ w

$ date

$ whoami

$ cat /etc/centos-release

$ exit

We run the following commands as the tanisha user:

$ rpm -q kernel

$ history

$ last reboot

$ exit

We run the following commands as the root user:

# whoami

# pwd

# host 2daygeek.com

# host magesh.co.in

# exit

How to List Recorded Sessions on Linux Using the script Command

We have run commands in every user's session. Use the ls command (ls stands for list directory contents) to view the recorded sessions:

# ls -lh /var/log/session
total 32K
-rw-rw-r-- 1 daygeek daygeek 2.0K Jul 24 17:16 session.daygeek.26452.072420191715
-rw-rw-r-- 1 daygeek daygeek  784 Jul 24 17:16 session.daygeek.26452.072420191715.timing
-rw-rw-r-- 1 magi    magi     835 Jul 24 17:14 session.magi.26394.072420191713
-rw-rw-r-- 1 magi    magi     591 Jul 24 17:14 session.magi.26394.072420191713.timing
-rw-r--r-- 1 root    root     957 Jul 24 17:18 session.root.26499.072420191717
-rw-r--r-- 1 root    root     864 Jul 24 17:18 session.root.26499.072420191717.timing
-rw-rw-r-- 1 tanisha tanisha  555 Jul 24 17:20 session.tanisha.26545.072420191718
-rw-rw-r-- 1 tanisha tanisha  528 Jul 24 17:20 session.tanisha.26545.072420191718.timing

All of the users' terminal sessions were recorded and stored under the /var/log/session directory.

How to View Recorded Sessions on Linux Using the script Command

Everything went as expected: a recording was created for every user.

Now let's look at each user's recorded session, one by one, to confirm that script captured everything we ran.

The daygeek user's session output:

# more session.daygeek.26452.072420191715
Script started on Mon 24 Jul 2019 05:15:13 PM EDT

[daygeek@vps1 ~]$ uname -a
Linux vps1.daygeek.com 2.6.32-754.el6.x86_64 #1 SMP Tue Jun 19 21:26:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

[daygeek@vps1 ~]$ arch
x86_64

[daygeek@vps1 ~]$ hostname -I
66.70.189.137

[daygeek@vps1 ~]$ exit
exit

The magi user's session output:

# more session.magi.26394.072420191713
Script started on Mon 24 Jul 2019 05:13:10 PM EDT

[magi@vps1 ~]$ w
 17:13:13 up 3 days,  7:17,  4 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    103.5.134.167    17:00    4:13   0.29s  0.24s top -c
root     pts/1    103.5.134.167    17:09   27.00s  0.01s  0.01s -bash
magi     pts/2    103.5.134.167    17:13    0.00s  0.00s  0.00s -bash
magi     pts/3    -                17:13    0.00s  0.00s  0.00s w

[magi@vps1 ~]$ date
Mon Jul 24 17:13:24 EDT 2019

[magi@vps1 ~]$ whoami
magi

[magi@vps1 ~]$ cat /etc/centos-release
CentOS release 6.10 (Final)

[magi@vps1 ~]$ exit
exit

The tanisha user's session output:

# more session.tanisha.26545.072420191718
Script started on Mon 24 Jul 2019 05:18:49 PM EDT

[tanisha@vps1 ~]$ rpm -q kernel
kernel-2.6.32-754.el6.x86_64

[tanisha@vps1 ~]$ history
    1  rpm -q kernel
    2  history

[tanisha@vps1 ~]$ last reboot
reboot   system boot  2.6.32-696.6.3.e Fri Jul 21 09:55 - 17:20 (3+07:24)

wtmp begins Fri Jul 21 09:54:02 2019

[tanisha@vps1 ~]$ exit
exit

The root user's session output:

# more session.root.26499.072420191717
Script started on Mon 24 Jul 2019 05:17:41 PM EDT
[root@vps1 ~]# whoami
root

[root@vps1 ~]# pwd
/root

[root@vps1 ~]# host 2daygeek.com
2daygeek.com has address 104.27.157.177
2daygeek.com has address 104.27.156.177
2daygeek.com has IPv6 address 2400:cb00:2048:1::681b:9db1
2daygeek.com has IPv6 address 2400:cb00:2048:1::681b:9cb1
2daygeek.com mail is handled by 0 dc-7dba4d3ea8cd.2daygeek.com.

[root@vps1 ~]# host magesh.co.in
magesh.co.in has address 103.212.204.46
magesh.co.in mail is handled by 10 e46f668a62df45920a71fc97ebe479.pamx1.hotmail.com.

[root@vps1 ~]# exit
exit

All of the above output shows that everything was recorded without any problems.

How to Replay a Recorded Session with the scriptreplay Command

Because script also captured a timing file, you can replay the recorded session with the scriptreplay command. To do so, run:

# scriptreplay --timing=session.daygeek.26452.072420191715.timing session.daygeek.26452.072420191715
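The helper below is an added example, not part of the original article: it summarises each recording in the session directory from the timing file that script -t writes (one "delay-seconds bytes" pair per line, the data scriptreplay needs) and flags a plain mode 777 directory, which lets any user delete other users' recordings, something the sticky bit (mode 1777) prevents. It assumes the article's file naming, session.<user>.<pid>.<timestamp>, and the function and script names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the article's layout:
# recordings named session.<user>.<pid>.<MMDDYYYYHHMM> with a matching .timing
# file produced by "script -t" (one "<delay-seconds> <bytes>" pair per line).

# session_duration TIMING_FILE -> total recorded seconds, two decimals
session_duration() {
    awk '{ t += $1 } END { printf "%.2f\n", t }' "$1"
}

# session_output_bytes TIMING_FILE -> bytes of terminal output recorded
session_output_bytes() {
    awk '{ b += $2 } END { print b + 0 }' "$1"
}

# session_user RECORDING -> the <user> field of the file name
session_user() {
    basename "$1" | cut -d. -f2
}

# session_dir_check DIR -> "ok" or "unsafe". A plain 777 directory lets any
# user delete other users' recordings; with the sticky bit (1777) only the
# file owner or root can remove a file, so world-write is then tolerable.
session_dir_check() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        d????????[tT]) echo ok ;;      # sticky bit set
        d???????w?)    echo unsafe ;;  # world-writable, no sticky bit
        *)             echo ok ;;
    esac
}

# session_report DIR -> one line per recording: user pid duration bytes,
# or "NO-TIMING" when the .timing file is missing (scriptreplay needs it)
session_report() {
    for f in "$1"/session.*; do
        case $f in *.timing) continue ;; esac
        [ -f "$f" ] || continue
        user=$(session_user "$f")
        pid=$(basename "$f" | cut -d. -f3)
        if [ -f "$f.timing" ]; then
            printf '%s %s %ss %sB\n' "$user" "$pid" \
                "$(session_duration "$f.timing")" "$(session_output_bytes "$f.timing")"
        else
            printf '%s %s NO-TIMING\n' "$user" "$pid"
        fi
    done
}
# Usage: sh sessions.sh /var/log/session
[ -n "${1:-}" ] && { session_dir_check "$1"; session_report "$1"; }
```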

About Magesh Maruthamuthu

Love to play with all Linux distribution


18 Comments on “How to Automatically Record the Terminal Session Activity of All Users on Linux”

  1. After putting this user terminal recording script in /etc/profile, will it affect users' .bash_profile?

  2. I wrote pypty, which is basically script(1) in Python. The chief advantage is that it supports a “dated files mode”, so if you leave a tty open overnight, a new file will be started named by the current date. The distribution also includes script-replay, which allows you to view logs from pypty or script(1), and allows you to move forward and backward through time. It’s at http://stromberg.dnsalias.org/~strombrg/pypty/

  3. Little bit busy with server migration.

    Did you enable sudo access on the server?

    If so, disable sudo access and enable the root user login on /etc/ssh/ssh_config and try to access.

    Are you trying to access the ftp, sftp or ssh protocol?

    If ftp or sftp, make sure your server has an ftp service.

    Also allow the port on your Windows PC firewall.

    If you are still getting the issue, please send your server username and its password to [email protected] to check further.

  4. Rsync to the server with this script won't send a file. I type rsync -avz test.test [email protected] and the password and nothing works. The file is still on the server without the script, but I cannot send a file to the server with the script.

  5. Maybe you know how to disable the script when I log in via WinSCP? I tried a filter in /etc/profile like if [bash -c /usr/lib64/ssh/sftp-server] but this doesn't work.

  6. Log from the server when I try to copy a file by scp
    tail -f /var/log/messages
    May 15 09:45:49 bash[2699]: — root : vi /etc/profile
    May 15 09:45:49 snoopy[2700]: [uid:0 sid:32046 tty:/dev/pts/9 cwd:/home/download/ttyrec-1.0.8 filename:/usr/bin/tail]: tail -f /var/log/messages
    May 15 09:45:54 snoopy[2701]: [uid:0 sid:2701 tty: cwd:/ filename:/usr/sbin/sshd]: /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid -R
    May 15 09:45:57 sshd[2701]: Accepted keyboard-interactive/pam for root from x.x.x.x port 59385 ssh2
    May 15 09:45:57 sshd[2701]: subsystem request for sftp by user root
    May 15 09:45:57 snoopy[2704]: [uid:0 sid:2704 tty: cwd:/root filename:/bin/bash]: bash -c /usr/lib64/ssh/sftp-server
    May 15 09:45:57 snoopy[2706]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/readlink]: readlink /proc/2704/exe
    May 15 09:45:57 snoopy[2708]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/dircolors]: /usr/bin/dircolors -b /etc/DIR_COLORS
    May 15 09:45:57 snoopy[2710]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/readlink]: readlink /proc/2704/exe
    May 15 09:45:57 snoopy[2712]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/tty]: /usr/bin/tty
    May 15 09:45:57 snoopy[3007]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/sed]: sed -r s@/*:|([^\\]):@\1\n@g;H;x;s@/\n@\n@
    May 15 09:45:57 snoopy[3011]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/sed]: sed -r s@/*:|([^\\]):@\1\n@g;H;x;s@/\n@\n@
    May 15 09:45:57 snoopy[3013]: [uid:0 sid:2704 tty: cwd:/root filename:/bin/logger]: logger -p local1.notice -t bash -i — root :

    May 15 09:45:57 snoopy[3053]: [uid:0 sid:2704 tty: cwd:/root filename:/bin/date]: date +%d_%m_%Y_%H:%M_%N
    May 15 09:45:57 snoopy[3055]: [uid:0 sid:2704 tty: cwd:/root filename:/bin/logger]: logger -p local1.notice -t bash -i — root :
    May 15 09:45:57 bash[3055]: — root :
    May 15 09:45:57 snoopy[3056]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/touch]: touch /var/log/session/session.root.15_05_2014_09:45_595481911

    May 15 09:45:57 bash[3064]: — root :
    May 15 09:45:57 snoopy[3065]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/script]: script -t -f -q /var/log/session/session.root.15_05_2014_09:45_595481911
    May 15 09:45:57 snoopy[3069]: [uid:0 sid:3067 tty:/dev/pts/23 cwd:/root filename:/usr/bin/readlink]: readlink /proc/3067/exe
    May 15 09:45:57 snoopy[3071]: [uid:0 sid:3067 tty:/dev/pts/23 cwd:/root filename:/usr/bin/dircolors]: /usr/bin/dircolors -b /etc/DIR_COLORS
    May 15 09:45:57 snoopy[3074]: [uid:0 sid:3067 tty:/dev/pts/23 cwd:/root filename:/usr/bin/tput]: /usr/bin/tput bold
    May 15 09:45:57 snoopy[3075]: [uid:0 sid:3067 tty:/dev/pts/23 cwd:/root filename:/usr/bin/tput]: /usr/bin/tput setaf 1
    May 15 09:45:57 snoopy[3077]: [uid:0 sid:3067 tty:/dev/pts/23 cwd:/root filename:/usr/bin/tput]: /usr/bin/tput sgr0

  7. How about connecting by WinSCP? I created the same script in /etc/profile and I cannot copy files to my server. I tried scp and WinSCP.

      1. rsync to another server works smoothly. I only cannot connect with WinSCP. I must upload files to the server from a Windows client, so I need WinSCP.
