Suramya's Blog : Welcome to my crazy life…

October 3, 2007

Automatic session logging/monitoring with GNU screen

Filed under: Computer Security,Computer Tips,Security Tutorials — Suramya @ 11:10 PM

Found this good article on how to setup screen on Linux/Unix so that it automatically logs all activity made in the session. Screen is a utility that I use very often on my Linux box. Basically its a program that you start and it attaches to a specific console and if you ever get disconnected you don’t loose your work/position, all you have to do is log back in and reconnect to that screen. You can also connect to a system via ssh/telnet and start a program then disconnect from ssh then move to another location and reconnect to server and join the same session from there. I use it all the time when compiling stuff or downloading large files.

The main issue I had with screen was that it would only keep 20-30 lines in the history so if you wanted to scroll up to read the previous logs you couldn’t. Now this article explains how to set up logging so that you can do that. For the impatient here’s how you do it:

I wanted to automattically launch a screen session when somone logged in so if I happened to be on the server I could monitor them in real time. I also wanted a log of the session in case I wanted to look over it later or if I was not able to monitor the session live.

I ended up adding the following to my .bashrc

# — if $STARTED_SCREEN is set, don’t try it again, to avoid looping
# if screen fails for some reason.
if [[ “$PS1″ && “${STARTED_SCREEN:-No}” = No && “${SSH_TTY:-No}” != No ]]; then
STARTED_SCREEN=1 ; export STARTED_SCREEN
if [ -d $HOME/log/screen-logs ]; then
sleep 1
screen -RR && exit 0
# normally, execution of this rc script ends here…
echo “Screen failed! continuing with normal bash startup”
else
mkdir -p $HOME/log/screen-logs
fi
# [end of auto-screen snippet]

and add the following to your .screenrc

# support color X terminals
termcap xterm ‘XT:AF=E[3%dm:AB=E[4%dm:AX’
terminfo xterm ‘XT:AF=E[3%p1%dm:AB=E[4%p1%dm:AX’
termcapinfo xterm ‘XT:AF=E[3%p1%dm:AB=E[4%p1%dm:AX:hs:ts=E]2;:fs=07:ds=E]2;screen07′
termcap xtermc ‘XT:AF=E[3%dm:AB=E[4%dm:AX’
terminfo xtermc ‘XT:AF=E[3%p1%dm:AB=E[4%p1%dm:AX’
termcapinfo xtermc ‘XT:AF=E[3%p1%dm:AB=E[4%p1%dm:AX:hs:ts=E]2;:fs=07:ds=E]2;screen07′

# detach on hangup
autodetach on
# no startup msg
startup_message off
# always use a login shell
shell -$SHELL

# auto-log
logfile $HOME/log/screen-logs/%Y%m%d-%n.log
deflog on

Keep in mind that this is not a very secure setup. Anyone with any technical knowledge can edit the logs as they are located in the user’s home directory and are editable by them. So don’t rely on it extensively to keep a system secure.

Complete article is available here: Automatic session logging and monitoring with GNU screen for the paranoid.

Thanks,
Suramya

1 Comment »

  1. […] unknown wrote an interesting post today!.Here’s a quick excerptFound this good article on how to setup screen on Linux/Unix so that it automatically logs all activity made in the session. Screen is a utility that I use very often on my Linux box. Basically its a program that you start and it … […]

    Pingback by GadgetGadget.info - Gadgets on the web » Automatic session logging/monitoring with GNU screen — October 4, 2007 @ 5:42 AM

RSS feed for comments on this post. TrackBack URL

Leave a comment

Powered by WordPress