How to capture all the commands typed in Unix/Linux by any user?
Note: this page is a Chinese-English parallel translation of a popular StackOverFlow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/15698590/
Asked by vinayag
I would like to capture all the commands typed in Unix/Linux by any user. There are a few alternatives like using the script command or the acct utility. But the problem with them is they dump everything from the terminal to a file or just provide a summary of the commands. I am looking for a utility that will provide me all the commands typed by any user with the arguments for the commands. Is it possible? Are there any alternatives like making a hook into system calls to get this?
Accepted answer by Juha Laiho
There seems to be quite a good article on shell auditing at http://administratosphere.wordpress.com/2011/05/20/logging-every-shell-command/.
This considers things like the reliability of user history files (and provides info on improving that), but also discusses explicit auditing features built into shells. It may be that whatever environment you're using doesn't have the shells compiled with auditing features enabled, but if you have the source and configuration for your builds available (as you would do at least for any Linux distribution), it shouldn't be too hard to enable the auditing feature while keeping the rest of the configuration as it is in the default distribution.
What this approach still would leave open is the commands executed through some other command - or operating system functionality called from within some program. So, f.ex. if you have perl, or any other programming language interpreter available on the machine, while you possibly can audit the execution of perl, you cannot tell what the user had told the perl interpreter to do. On the other hand, even with shell auditing, I'm not certain whether the perl execution would be seen if it was executed f.ex. from within some editor (like vi) as a filter to process whatever had been written within the editor.
So, while shell auditing will provide you one layer of auditing, the gain is not that great unless your environment is really tightened against other paths of execution than the shell.
You should consider whether the users to be audited actually need shell access - and if not, provide them with something more limited, with auditing capabilities. A small text-based menu system, perhaps?
Answer by Md. Minhazul Haque
Grab /home/victim/.bash_history or /home/victim/.config/fish/fish_history
These will let you see all bash and fish shell commands with args that were entered by the user.
Answer by Jimmy Koerting
The easiest way to solve this, if you are root and in a position to change the system files, is to redirect the console itself this way:
If you use e.g. /bin/sh as the default console, move it to /bin/hs and create a file like this under /bin/sh:
#!/bin/hs
# Wrapper installed as /bin/sh; the real shell has been moved to /bin/hs.
ORIGSHELL=/bin/hs
LOGFILE=/var/log/whatyoulike
OPTIONS="$@"        # kept from the original; not used below
USER=`whoami`
WEBUSER=web
WILD=NO
WARN=NO

if [ "$USER" = "$WEBUSER" ]
then
    # Ok then - are we doing something wild?
    for ARG in "$@"
    do
        case "$ARG" in
            */lynx)
                WILD=YES
                ;;
            */wget)
                WILD=YES
                WARN=YES
                ;;
            */curl)
                WILD=YES
                WARN=YES
                ;;
            */links)
                WILD=YES
                WARN=YES
                ;;
            */fetch)
                WILD=YES
                WARN=YES
                ;;
        esac
    done
    # Are we wild?
    if [ "$WILD" = "YES" ]
    then
        HOST=`hostname`
        IPADDR=`resolveip -s $HOST`
        # The author's own connection-listing tool (the options look like netstat's);
        # substitute whatever lists established TCP connections on your system.
        NETSTAT=`/usr/bin/nighthawk -ape --numeric-hosts --numeric-ports --tcp | grep 'ESTABLISHED web'`
        # Log it.
        echo "`date` [$USER] $IPADDR $*" >> "$LOGFILE"
        echo "$NETSTAT" >> "$LOGFILE"
    fi
    # Are we REALLY wild?
    if [ "$WARN" = "YES" ]
    then
        # Mail it!
        mail -s 'HACKATTACK' [email protected] < "$LOGFILE" &
    fi
fi
# Now, do it: hand over to the real shell with the original arguments
# (the original used an unset $OPERATION here, which would exec nothing).
exec "$ORIGSHELL" "$@"
# we never come here...
exit 0
This is just an example of how it can be used to track everything transparently. You can do what you want to check the input. The script above is even used to find the originator of the current shell, so you can react to it. Of course the above case checks are not the ones we really use ;) - but a good sample.
Hope it helps, Jimmy
Answer by Sean Perry
Grab the bash source. Add a logger around the exec invocation. Compile it. Run this as your first command after logging in.
Everything else really wants root powers.
Answer by TimeTrap
I know this is old, but I think the script command might be what he was looking for?
> script my_output_file
Script started, file is my_output_file
http://www-users.cs.umn.edu/~gini/1901-07s/files/script.html
Answer by Andre de Miranda
There is enabling audit, tty recording, hacks and free tools to do what you want; however, depending on the scale of the environment you are trying to control, you may be better off by using both Audit and products focused on dealing with the challenge you want to tackle. Some quite popular ones, used on a few financial services clients, are Observe-IT, Centrify and PowerBroker.
Hope this helps
Answer by Bostjan Skufca
You can use Snoopy Logger
What it is: A simple library that inserts itself between the process and the execv/e() syscalls by means of LD preloading. It logs all executed commands to syslog.
What it is not: A security/auditing solution - it can be easily circumvented. It does not log built-in shell commands (as they are internal and when called, the shell does not create a new process - echo vs /bin/echo for example).
Disclosure: current snoopy maintainer here.
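To make the LD-preload idea in this answer concrete, here is an added example of a minimal execve() interposer that logs to syslog. It is not Snoopy's own code; it assumes Linux/glibc, and the name execlog and the log format are my own choices.

```c
/* Added example: a minimal execve() interposer in the spirit of Snoopy,
 * not Snoopy's own code.  Assumes Linux/glibc.  Build as a shared object
 * and preload it:  gcc -shared -fPIC -o execlog.so execlog.c            */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/syscall.h>

/* Build one audit line: "uid=<uid> ppid=<ppid> exec=<path> args=<argv joined by spaces>".
 * Returns the number of bytes written (excluding the NUL) and truncates
 * safely when the line does not fit in cap bytes. */
size_t format_exec_line(char *out, size_t cap, uid_t uid, pid_t ppid,
                        const char *filename, char *const argv[])
{
    if (cap == 0)
        return 0;
    size_t n = (size_t)snprintf(out, cap, "uid=%u ppid=%d exec=%s args=",
                                (unsigned)uid, (int)ppid,
                                filename ? filename : "(null)");
    for (int i = 0; argv != NULL && argv[i] != NULL; i++) {
        if (n >= cap)
            break;                      /* buffer already full */
        n += (size_t)snprintf(out + n, cap - n, "%s%s", i ? " " : "", argv[i]);
    }
    return n < cap ? n : cap - 1;
}

/* When this object is preloaded, the dynamic linker resolves execve() here
 * before libc.  We log the call, then enter the real system call through
 * syscall(2), which avoids needing dlsym(RTLD_NEXT) or -ldl.
 * As the answer says, this is not a security boundary: shell builtins never
 * reach execve, statically linked programs bypass the dynamic loader, and a
 * process whose environment lacks LD_PRELOAD is simply not observed. */
int execve(const char *filename, char *const argv[], char *const envp[])
{
    char line[1024];
    format_exec_line(line, sizeof line, getuid(), getppid(), filename, argv);
    openlog("execlog", LOG_PID, LOG_AUTHPRIV);
    syslog(LOG_INFO, "%s", line);
    closelog();
    return (int)syscall(SYS_execve, filename, argv, envp);
}
```

Run a shell as LD_PRELOAD=/path/to/execlog.so bash and every external command it launches appears in the authpriv log as a single line per execve.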
Answer by luke
For sporadic recording I usually run
ssh localhost | tee -a recorded-session.log
This works quite well.