Friday, January 7, 2011

Recording User Activity with a Script

Using Variables in Scripts
The purpose of this script is to log the commands and output of a user so you have an accurate record of all activity. One problem you find if you depend on sudo logs is that sudo records the command that was run, but neither its stdout nor its stderr.

keystroke.sh
#!/bin/bash
# Capture keystrokes of a user and log

TIMESTAMP=$(date +%m%d%y%H%M%S)
HOST=$(hostname|cut -f1 -d.)
LOGDIR=/var/log/user
LOGFILE=${HOST}.${LOGNAME}.${TIMESTAMP}
touch $LOGDIR/$LOGFILE


# Set Prompt
export PS1="[$LOGNAME:$HOST]@"'$PWD> '
chown $LOGNAME ${LOGDIR}/${LOGFILE}
chmod 600 ${LOGDIR}/${LOGFILE}

script ${LOGDIR}/${LOGFILE}
chmod 400 ${LOGDIR}/${LOGFILE}



Analysis of the Script


#!/bin/bash
The bash shell is the shell to use with this script.


TIMESTAMP=$(date +%m%d%y%H%M%S)
This line creates a variable holding the current date and time (month, day, year, hour, minute, second). Variables are symbolic names for memory in which you can store values, and whose contents you can read or manipulate.

The advantage of a variable is that once it is assigned you can use it over and over. When you create variables it is important not to place spaces around the “=” sign.

It is important to mark where a variable begins and ends so the shell can tell where the name stops; that is why you see the variables in the script written with brackets around their names, as in ${HOST}.

Note there must be a space after “date”.

Here is the name of the log; note the time stamp on the end.

m67.root.070909025935

HOST=$(hostname|cut -f1 -d.)
HOST is a variable that records which machine the log was made on. It is built from two commands, with the output of one piped into the second.

The command hostname will print out the hostname of the computer the user is on.  That hostname could be a single hostname or it could be a Fully Qualified Domain Name (FQDN).

hostname
m67
or
hostname
m67.example.com


The hostname is piped into a second command with the “|” symbol, which takes the output of one command and sends it to the second command.

So when you create the variable HOST, hostname is run and its output is sent to the second command, cut. cut, as the name implies, is used to cut out and display selected information from a text file or text input.

Think of it as something that will take a vertical slice of a text file and send it to the output of your choice.

There are two ways to specify where you want to begin and end the slice. You can specify it either by a starting and an ending character, or by fields.

To specify your “slice” by fields, you’ll need to use both the -d and -f switches. The -d switch specifies the delimiter, the character that separates the fields, in this case a dot.

That’s so that cut will know where each field begins and ends. The -f switch specifies which fields you want to look at.

So the cut command you see takes the first field, everything before the first “.”, and drops the rest:

m67

If you wanted to see the first three fields of the hostname (the FQDN), the line would be written like this:


HOST=$(hostname|cut -f1-3 -d.)
m67.example.com


LOGDIR=/var/log/user
The variable LOGDIR is set to the directory where the log file will be written, the path after the “=”. You can place the log wherever it is convenient.

LOGFILE=${HOST}.${LOGNAME}.${TIMESTAMP}

Here the LOGFILE variable is built from three variables, separated by a “.”; note the brackets around each name.


touch $LOGDIR/$LOGFILE
The command touch creates the empty file that the recorded session will be written into. The “/” separates the two variables, joining the directory and the file name set earlier in the script.

export PS1="[$LOGNAME:$HOST]@"'$PWD> '
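The same recording idea, written as an added example (not the post's own keystroke.sh) with the pieces split into functions so the name building and the file permissions can be checked; the function names short_host, log_name, start_recording and check_log_perms are my own. It also adds what the post's script lacks: a check that the log directory exists before touch, and a sweep that reports log files whose mode is no longer 400.

```shell
#!/bin/bash
# Added example, not the original post's script. Function names are assumed.

# First label of a host name; same result as: hostname | cut -f1 -d.
short_host() {
    local fqdn=$1
    printf '%s\n' "${fqdn%%.*}"
}

# Build HOST.LOGNAME.TIMESTAMP exactly as the post's LOGFILE variable does.
log_name() {
    local host=$1 user=$2 stamp=$3
    printf '%s.%s.%s\n' "$(short_host "$host")" "$user" "$stamp"
}

# Create the log with the post's ownership and mode, record the session
# with script(1), then make the file read-only as the post does.
start_recording() {
    local logdir=$1 user=$2
    local stamp host file
    stamp=$(date +%m%d%y%H%M%S)
    host=$(hostname)
    file="$logdir/$(log_name "$host" "$user" "$stamp")"
    # touch would fail silently into a missing directory; stop instead
    [ -d "$logdir" ] || { echo "missing log directory $logdir" >&2; return 1; }
    touch "$file" || return 1
    chown "$user" "$file"
    chmod 600 "$file"
    export PS1="[$user:$(short_host "$host")]@"'$PWD> '
    script "$file"
    chmod 400 "$file"
}

# Print "path mode" for every log file whose mode is not 400, so a log
# that was later loosened or never locked down is easy to spot.
check_log_perms() {
    local logdir=$1 f mode
    for f in "$logdir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        [ "$mode" = "400" ] || printf '%s %s\n' "$f" "$mode"
    done
}
```

start_recording needs a terminal because script(1) records an interactive session; check_log_perms can be run from cron against /var/log/user.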
