pam_tty_audit.so
How come no one ever told me about this! A while ago we were tasked to find a way to log all commands executed by root. I know bash_history is easily manipulated, so I spent some time on Google trying to find a logging shell, then got distracted by something shiny and forgot all about this task. Turns out the Linux auditing system has a built-in tty logging accounting module that will log all tty sessions! Just add this to your PAM stack (/etc/pam.d/system-auth on Red Hat and clones):
session required pam_tty_audit.so disable=* enable=root
Then run a few commands as root, and the aureport command will become your friend:
audit]# aureport --tty -ts today
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1. 11/22/2009 00:07:52 132278 1040 ? 4294962295 bash "hello world",<ret>
UPDATE:
You need a newer version of the audit rpm package. With an older version the tty info will still be collected, but aureport does not know how to display it.
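The report shows raw keystrokes, not finished command lines, so a typo that was corrected still appears in the data column. The following is an added example (not part of the original post or of the audit package) that rebuilds the submitted command lines from `aureport --tty` text. It assumes the data column is a comma-separated mix of quoted strings and `<key>` tokens as in the row above, that quotes inside strings are not escaped, and that the backspace key is reported as `<backspace>`.

```python
import re

# Row 1 is the row shown above; rows 2-4 are constructed for this example.
SAMPLE = '''\
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1. 11/22/2009 00:07:52 132278 1040 ? 4294962295 bash "hello world",<ret>
2. 11/22/2009 00:08:10 132279 1040 ? 4294962295 bash "cat /etc/shadwo",<backspace>,<backspace>,"ow",<ret>
3. 11/22/2009 00:08:31 132280 1040 ? 4294962295 bash "rm -rf /tmp/x, /tmp/y"
4. 11/22/2009 00:08:32 132281 1040 ? 4294962295 bash <ret>,"id",<^C>
'''

# index. date time event auid term sess comm data
ROW = re.compile(r'^\d+\.\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$')
# A data token is either "typed text" or a named key such as <ret>.
TOKEN = re.compile(r'"([^"]*)"|<([^>]+)>')

def reconstruct(report):
    """Return [(date, time, auid, comm, command_line)] for each submitted line."""
    pending = {}  # (auid, sess) -> keystrokes typed since the last <ret>
    out = []
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # banner, separator or column header
        date, time, _event, auid, _term, sess, comm, data = m.groups()
        # One command line can span several audit records, so keep a buffer per session.
        buf = pending.setdefault((auid, sess), [])
        for text, key in TOKEN.findall(data):
            if text:
                buf.extend(text)            # one list element per character
            elif key in ('ret', 'nl'):
                out.append((date, time, auid, comm, ''.join(buf)))
                buf.clear()
            elif key == 'backspace':        # assumed token name, see lead-in
                if buf:
                    buf.pop()
            elif key:
                buf.append('<%s>' % key)    # keep other keys visible, e.g. <^C>
    return out

if __name__ == '__main__':
    for row in reconstruct(SAMPLE):
        print(*row, sep=' | ')
```

Input that was typed but never submitted (the "id" followed by <^C> in row 4) stays in the pending buffer and is not returned.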
I don’t imagine that Screen needs a big introduction. For those that don’t know, screen is a window manager. One might ask, “I use XTerm or Konsole or Terminal in GNOME, what do I use this for?” Well, one of the big features of screen is that you can detach your session from your current console, go to a different computer, and reconnect to the same screen session. You can start a command process at work, drive home, and reconnect to the still-running window.
To start a new screen session just type “screen”. You will see a welcome screen; just start typing away as if you are in a regular terminal session. Need a new window? “CTRL-A c” will create one. “CTRL-A p” goes to your previous screen, “CTRL-A n” goes to your next screen. When you get to the last screen it just goes back to the first one.
So now you are ready to detach: “CTRL-A d” detaches. When you want to reconnect, I usually do a “screen -dr”; the d will detach the screen session if I had forgotten to before exiting, then connect.
One feature I use a lot, especially when working with network gear, is screen logging. I connect to my router, type “CTRL-A H” to create a logfile, and anything on the screen after that will get logged to the screenlog file. Then if I do a “show run” my router config is saved in case I mess things up.
One final usage of screen that I employ is as a serial interface. I connect my routers via serial to my Linux laptop, then fire up screen like this: “screen /dev/ttyS0 9600”, and voila. Buy a bunch of USB serial dongles and build your own serial console server this way. Turn on screen logging and you can capture router error messages ghetto style.