From: "Ángel González" <ingenit@zoho.com>
To: nyerup@one.com
Cc: util-linux@vger.kernel.org, Vedpal Rajera <vedpalr@one.com>,
Martin Topholm <mph@one.com>
Subject: Re: Using script(1) to log all user sessions
Date: Sun, 27 Apr 2014 21:53:10 +0200 [thread overview]
Message-ID: <535D6026.1000709@zoho.com> (raw)
In-Reply-To: <20140425082133.GA3790@one.com>
On 25/04/14 10:21, Jesper Dahl Nyerup wrote:
> Hi list,
>
> We're toying with the idea of using script(1) to log all user sessions
> towards a collection of systems, as one in a number of metheds to aid
> debugging, education and auditing.
>
> In order to do so, I have a couple of questions regarding a few
> extensions we're considering to implement.
>
> Firstly, script(1) is clearly and sanely designed to be invoked from the
> command line to record a limited portion of a user's session. In order
> for the user to have the logging started without manual invocation, it
> may come in handy to support config files, to supply configurable
> default values for some of the concepts normally passed in the
> environment or as command line arguments.
You can start it from a script acting as the user shell, through sshd
config or one of the shell init scripts. As you already need to start
script somehow, those defaults could be passed there, too (although I
don't see a problem with supporting config files either).
> Secondly, we're considering to add functionality for script(1) to
> transmit the session transcript over the network to a collection daemon,
> to be able to store transcripts from multiple machines on one or more
> central systems.
>
> This could involve:
>
> 1. Adding a daemon next to script(1) and scriptreplay(1), eg.
> scriptcollect(1), to be in the receiving end of the traffic, optionally
> handling the timing functionality, and finally storing data in the same
> manner script(1) would.
I'm unsure about this bit. It may be needed. Perhaps a transfer after
the session finishes also works.
> 2. Optionally linking against some crypto library to avoid putting
> users' console data on the wire in clear text.
Following unix philosophy, I would try to avoid reinventing crypto into
the program, attempting instead to solve the issue by eg. using sftp to
transfer the files and/or gpg to encrypt the data.
PS: I expect you are properly warning your users about the fascist-level
logging done on your systems.
next prev parent reply other threads:[~2014-04-27 20:09 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-25 8:21 Using script(1) to log all user sessions Jesper Dahl Nyerup
2014-04-25 14:27 ` Dale R. Worley
2014-04-25 17:39 ` Jesper Dahl Nyerup
2014-04-26 21:27 ` Jesper Dahl Nyerup
2014-04-27 19:53 ` Ángel González [this message]
2014-04-29 10:00 ` Jesper Dahl Nyerup
2014-04-29 10:42 ` Karel Zak
2014-04-29 11:10 ` Jesper Dahl Nyerup
2014-04-28 7:13 ` Karel Zak
2014-04-29 11:05 ` Jesper Dahl Nyerup
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=535D6026.1000709@zoho.com \
--to=ingenit@zoho.com \
--cc=mph@one.com \
--cc=nyerup@one.com \
--cc=util-linux@vger.kernel.org \
--cc=vedpalr@one.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox