How to Automatically Record the Terminal Session Activity of All Users on Linux

Some time ago, we wrote an article to record the Linux terminal session activity using the script command.

Today also, we are going to discuss the same topic.

But this tutorial allows you to automatically record the terminal session activity of all users.

I advise administrators to include this functionality as part of a security checklist on the mission critical server.

This will help you to fix the problem immediately if something goes wrong with the server by any user activity.

You can easily identify what he/she did by checking the specific user’s session activity file.

Also, it can help you get the command output whenever you want, or you can keep it for future reference.

By default everyone prefers the history command to review the previously entered commands in the terminal. Yes, it is good, but unfortunately it doesn’t show the output of previously executed commands.

This can be done using the script command. To do so, add the following script to the /etc/profile file. It will automatically start recording the user’s terminal session whenever the user logs in.

What is script Command

Script is a UNIX command-line application that records a terminal session (in other words, it records everything that is displayed on your terminal).

It stores the output as text file in the current directory and the default filename is typescript.

What is scriptreplay

This program replays a typescript, using timing information to ensure that output happens at the same speed as it originally appeared when the script was recorded.

How to Check if the script Command is Installed or not on Linux

The script is part of the Linux Core application and is already installed on most Linux distributions by default.

The script command is part of the “util-linux-ng” package on RHEL-based systems and the “bsdutils” package on Debian-based systems.

For RHEL based systems, use the rpm command

# rpm -qf /usr/bin/script
util-linux-2.32.1-8.el8.x86_64

# rpm -qf /usr/bin/scriptreplay
util-linux-2.32.1-8.el8.x86_64

For Debian based systems, use the dpkg command

# dpkg -S /usr/bin/script
bsdutils: /usr/bin/script

# dpkg -S /usr/bin/scriptreplay
bsdutils: /usr/bin/scriptreplay

What is /etc/profile file? And What’s their Use on Linux

The /etc/profile file used to set global Linux system environment variables to the user’s shell. This file will be executed automatically whenever user enter the bash shell login. Open the “/etc/profile” file using your favorite text editor and add the code below.

# vi /etc/profile

#Script to Record the User's Terminal Session
if [ "x$session_record" = "x" ]
then
timestamp=`date "+%m%d%Y%H%M"`
output=/var/log/session/session.$USER.$$.$timestamp
session_record=started
export session_record
script -t -f -q 2>${output}.timing $output
exit
fi

Make sure that the output path /var/log/session directory already exists on the system. If not, create it.

# mkdir /var/log/session

Change the /var/log/session directory permission to 777, which allows all users to write their session activity in the session directory. To learn more about Linux file permissions go to the following article.

# chmod 777 /var/log/session

How to Check if this Script Works as Expected?

All the prerequisites are done, we will run some commands in the terminal to check this experiment.

Let’s imagine that you have three users: daygeek, magi, and tanisha. We will run some commands in each session to verify this test.

We run the following commands as daygeek user.

$ uname -a

$ arch

$ hostname -I

$ exit

We run the following commands as magi user.

$ w

$ date

$ whoami

$ cat /etc/centos-release

$ exit

We run the following commands as tanisha user.

$ rpm -q kernel

$ history

$ last reboot

$ exit

We run the following commands as root user.

# whoami

# pwd

# host 2daygeek.com

# host magesh.co.in

# exit

How to List Recorded Sessions on Linux Using the script Command

We have successfully executed some commands from all users session. Use the ls command to view recorded sessions (ls stands for list directory contents).

# ls -lh /var/log/session
total 32K
-rw-rw-r-- 1 daygeek daygeek 2.0K Jul 24 17:16 session.daygeek.26452.072420191715
-rw-rw-r-- 1 daygeek daygeek  784 Jul 24 17:16 session.daygeek.26452.072420191715.timing
-rw-rw-r-- 1 magi    magi     835 Jul 24 17:14 session.magi.26394.072420191713
-rw-rw-r-- 1 magi    magi     591 Jul 24 17:14 session.magi.26394.072420191713.timing
-rw-r--r-- 1 root    root     957 Jul 24 17:18 session.root.26499.072420191717
-rw-r--r-- 1 root    root     864 Jul 24 17:18 session.root.26499.072420191717.timing
-rw-rw-r-- 1 tanisha tanisha  555 Jul 24 17:20 session.tanisha.26545.072420191718
-rw-rw-r-- 1 tanisha tanisha  528 Jul 24 17:20 session.tanisha.26545.072420191718.timing

Yes, all user’s terminal session operations are successfully registered and it was stored under the /var/log/session directory.

How to View Recorded Sessions on Linux Using the script Command

I can say that everything went as expected without any problems, because it created all the users’ files.

Now, it’s time to look at all of the user’s recorded session data, one by one, to make sure the script captures everything we’ve implemented.

Find the daygeek user’s session output.

# more session.daygeek.26452.072420191715
Script started on Mon 24 Jul 2019 05:15:13 PM EDT

[daygeek@vps1 ~]$ uname -a
Linux vps1.daygeek.com 2.6.32-754.el6.x86_64 #1 SMP Tue Jun 19 21:26:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

[daygeek@vps1 ~]$ arch
x86_64

[daygeek@vps1 ~]$ hostname -I
66.70.189.137

[daygeek@vps1 ~]$ exit
exit

Find the magi user’s session output.

# more session.magi.26394.072420191713
Script started on Mon 24 Jul 2019 05:13:10 PM EDT

[magi@vps1 ~]$ w
 17:13:13 up 3 days,  7:17,  4 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    103.5.134.167    17:00    4:13   0.29s  0.24s top -c
root     pts/1    103.5.134.167    17:09   27.00s  0.01s  0.01s -bash
magi     pts/2    103.5.134.167    17:13    0.00s  0.00s  0.00s -bash
magi     pts/3    -                17:13    0.00s  0.00s  0.00s w

[magi@vps1 ~]$ date
Mon Jul 24 17:13:24 EDT 2019

[magi@vps1 ~]$ whoami
magi

[magi@vps1 ~]$ cat /etc/centos-release
CentOS release 6.10 (Final)

[magi@vps1 ~]$ exit
exit

Find the tanisha user’s session output.

# more session.tanisha.26545.072420191718
Script started on Mon 24 Jul 2019 05:18:49 PM EDT

[tanisha@vps1 ~]$ rpm -q kernel
kernel-2.6.32-754.el6.x86_64

[tanisha@vps1 ~]$ history
    1  rpm -q kernel
    2  history

[tanisha@vps1 ~]$ last reboot
reboot   system boot  2.6.32-696.6.3.e Fri Jul 21 09:55 - 17:20 (3+07:24)

wtmp begins Fri Jul 21 09:54:02 2019

[tanisha@vps1 ~]$ exit
exit

Find the root user’s session output.

# more session.root.26499.072420191717
Script started on Mon 24 Jul 2019 05:17:41 PM EDT
[root@vps1 ~]# whoami
root

[root@vps1 ~]# pwd
/root

[root@vps1 ~]# host 2daygeek.com
2daygeek.com has address 104.27.157.177
2daygeek.com has address 104.27.156.177
2daygeek.com has IPv6 address 2400:cb00:2048:1::681b:9db1
2daygeek.com has IPv6 address 2400:cb00:2048:1::681b:9cb1
2daygeek.com mail is handled by 0 dc-7dba4d3ea8cd.2daygeek.com.

[root@vps1 ~]# host magesh.co.in
magesh.co.in has address 103.212.204.46
magesh.co.in mail is handled by 10 e46f668a62df45920a71fc97ebe479.pamx1.hotmail.com.

[root@vps1 ~]# exit
exit

All of the above output clearly show that everything is recorded without any problems.

How to Replay the Session Recorded Through scriptreplay Command

You can replay the recorded session with help of the scriptreplay command since the script has captured the timing file as well. To do so, run the file as mentioned below.

# scriptreplay --timing=session.daygeek.26452.072420191715.timing session.daygeek.26452.072420191715