How to capture terminal sessions (remote/local) in Linux


Hello everyone 🙂

If you want to keep an eagle eye on your system, especially on industrial production systems running any Linux distribution, you have to change the login shell of the users who are going to access the system to a wrapper that records the session. Suppose the name of our shell is cocoon (just a name), and we are going to create a user named anonymous whose activity we need to capture. Root privilege is required for this.

First create the required shell

touch /bin/cocoon

Make it accessible

chmod 755 /bin/cocoon

Edit the file /bin/cocoon and write the following lines & save to complete the script.

#!/bin/sh
# Wrapper shell: record everything the interactive session prints
USER=$(whoami)
LOG_FOLDER=/var/log/ssh/${USER}
# Straight quotes here: the curly quotes from the original would end up in the file name
DATE=$(date +'%Y-%m-%d_%H:%M:%S')
HOST=$(hostname)
LOG_FILE=${LOG_FOLDER}/${HOST}_${DATE}.log
# Create the user's log folder on first login
[ ! -d "${LOG_FOLDER}" ] && mkdir -p "${LOG_FOLDER}"
# Start an interactive bash; stdout and stderr go to the terminal and to the log
bash -i 2>&1 | tee "${LOG_FILE}"

Now the shell is ready, we are going to create the user and assign this shell to it.

Create user anonymous and set cocoon as its shell 

useradd anonymous -s /bin/cocoon -m

Set a password for user anonymous

passwd anonymous

Finally change the permission of the log directory which we have mentioned in the shell

chmod 755 /var/log/ssh

That’s all. Now you can find the log of the sessions of user anonymous in /var/log/ssh/anonymous. 
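Here is an added example of the same idea, not the /bin/cocoon from this post, written as a set of functions so the path and folder logic can be checked without opening a shell. It keeps the /var/log/ssh/<user>/<host>_<date>.log layout but adds two things a practitioner would want: a check that the log folder is owned by root (if the monitored user owns it, as happens when mkdir runs inside the session, they can delete or rewrite their own log), and a second copy of the session sent to syslog through logger(1) so a record survives even when the file is touched. LOG_ROOT is an assumed environment knob that defaults to /var/log/ssh; the "run" argument is only there so the file can be sourced for checks without starting a session.

```shell
#!/bin/sh
# Added example (not the post's own /bin/cocoon). Assumes /var/log/ssh and the
# per-user folder are created by root beforehand; LOG_ROOT is an assumed knob.
LOG_ROOT="${LOG_ROOT:-/var/log/ssh}"

# Build the per-session log path from user, host and timestamp.
# All three are passed in so the result is deterministic and checkable.
cocoon_log_path() {
    printf '%s/%s/%s_%s.log\n' "$LOG_ROOT" "$1" "$2" "$3"
}

# Make sure the user's log folder exists (mirrors the post's mkdir -p).
# Returns 0 when the folder exists afterwards, 1 otherwise.
cocoon_prepare_dir() {
    dir="$LOG_ROOT/$1"
    [ -d "$dir" ] || mkdir -p "$dir"
    [ -d "$dir" ]
}

# Report whether the folder is owned by the expected account (root by default).
# Refusing to log into a folder the monitored user owns keeps them from simply
# removing the evidence. Returns 1 when the folder is missing or owned by
# someone else. Uses GNU/busybox stat -c, which is what Linux ships.
cocoon_dir_owner_ok() {
    owner=$(stat -c '%U' "$1" 2>/dev/null) || return 1
    [ "$owner" = "${2:-root}" ]
}

# Start the recorded session. tee writes to the log file and echoes to the
# terminal via /dev/tty; its stdout is then handed to logger so syslog gets a
# copy tagged cocoon[<user>]. Output only reaches logger line by line.
cocoon_session() {
    user=$(id -un)
    host=$(hostname)
    stamp=$(date +'%Y-%m-%d_%H:%M:%S')
    cocoon_prepare_dir "$user" || exit 1
    if ! cocoon_dir_owner_ok "$LOG_ROOT/$user" root; then
        echo "cocoon: $LOG_ROOT/$user must be owned by root, refusing to start" >&2
        exit 1
    fi
    file=$(cocoon_log_path "$user" "$host" "$stamp")
    bash -i 2>&1 | tee -a "$file" /dev/tty | logger -t "cocoon[$user]"
}

# Entry point: only start a session when called with "run". When installing
# this as a login shell (which passes no arguments), call cocoon_session directly.
case "${1:-}" in
    run) cocoon_session ;;
esac
```

To use it as in the post, pre-create /var/log/ssh/anonymous as root (for example mode 1733 so the user can create files but not list or remove others') before assigning the shell; the owner check will then pass and the syslog copy gives you a second place to look when the file on disk has been altered.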
