Logging commands in korn shell

Yet another blast from the past, but I was asked for this again today.


How can you log every command typed into a korn shell session? Here is the cheap and dirty but surprisingly useful way that logs them all into syslog.


Type this into your shell and you can capture the command, it's return code and the current working directory.

function dlog
{
        typeset -i stat=$?
        typeset x
        x=$(fc -ln -0)
        logger -p daemon.notice -t "ksh $LOGNAME $$" Status $stat PWD $PWD \\'${x#       }\\'
}
trap dlog DEBUG

(note that there is a tab after the # in “${x# }”)


You might want to use a different logging facility but that one gets it into /var/adm/messages:


Mar  2 14:44:15 estale ksh cg13442 497922: [ID 702911 daemon.notice] Status 0 PWD /home/cg13442 'ls'
Mar  2 14:44:18 estale ksh cg13442 497922: [ID 702911 daemon.notice] Status 1 PWD /home/cg13442 'false'
Mar  2 14:45:09 estale ksh cg13442 497922: [ID 702911 daemon.notice] Status 0 PWD /home/cg13442 'ls -la'

I had run ls, false and “ls -la” which is dutifully logged.


Tags:

Comments:

Cool, works great with bash too. This trick is so simple to avoid though, that I might as well rely on .bash_history. I'm not a ksh user so I have no idea if ksh has a history-file too. Now I'm going to try and make a dtrace script that logs the commands of arbitrary users. >;o)

Posted by T. Kristoffersen on March 02, 2006 at 08:06 AM GMT #

Yes this is not an audit, but it is useful when debugging or when your users/admins just want to be able to find out what was done. Works in an environment where users are not malicious as an audit.

History files don't, at least with ksh, catch the return status or the PWD and eventually get truncated.

Posted by Chris Gerhard on March 02, 2006 at 08:10 AM GMT #

Post a Comment:
Comments are closed for this entry.
About

This is the old blog of Chris Gerhard. It has mostly moved to http://chrisgerhard.wordpress.com

Search

Archives
« April 2014
MonTueWedThuFriSatSun
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
    
       
Today