如何捕获任何用户在Unix/Linux中键入的所有命令? [英] How to capture all the commands typed in Unix/Linux by any user?

问题描述

我想捕获任何用户在Unix/Linux中键入的所有命令.几乎没有其他选择，例如使用脚本命令或acct实用程序.但是它们的问题是它们使从终端到文件的所有内容变得愚蠢，或者只是提供了命令的摘要.我正在寻找一个实用程序，它将为我提供任何用户键入的所有命令以及命令的参数.是否可以?是否有其他选择，例如钩住系统调用来实现这一目标?

I would like to capture all the commands typed in Unix/Linux by any user. There are few alternatives like using script command or acct utility. But the problem with them is they dumb everything from the terminal to a file or just provide the summary of the commands. I am looking for a utility where it will provide me all the commands typed by any user with the arguments for the commands. Is it possible? Are there any alternatives like making a hook into system calls to get this?

推荐答案

似乎有一篇很好的文章关于Shell审核，网址为 http://administratosphere.wordpress.com/2011/05/20/logging-every-shell-command/.

There seems to be quite a good article on shell auditing at http://administratosphere.wordpress.com/2011/05/20/logging-every-shell-command/ .

这考虑了诸如用户历史记录文件的可靠性之类的问题(并提供了有关改善此问题的信息)，但还讨论了内置在shell中的显式审核功能.可能是您正在使用的任何环境都没有启用具有审核功能的shell编译功能，但是如果您具有可用的内部版本的源代码和配置(至少对于任何Linux发行版都可以这样做)，则不应在保留其余配置不变的情况下，使其很难启用审核功能，就像在默认分发版中一样.

This considers things like reliability of user history files (and provides info on improving that), but also discusses explicit auditing features built into shells. It may be that whatever environment you're using doesn't have the shells compiled with auditing features enabled, but if you have the source and configuration for your builds available (as you would do at least for any Linux distribution), it shouldn't be too hard to enable the auditing feature while keeping rest of the configuration as it is in the default distribution.

这种方法仍然可以打开的是通过其他命令执行的命令-或从某些程序中调用的操作系统功能.因此，f.ex.如果您在机器上有perl或任何其他可用的编程语言解释器，虽然您可能可以审核perl的执行情况，但是您无法确定用户告诉了perl解释器要做什么.另一方面，即使进行了外壳审计，我也不确定如果执行f.ex是否可以看到perl执行.从某个编辑器(如 vi)中作为过滤器来处理编辑器中编写的任何内容.

What this approach still would leave open is the commands executed through some other command - or operating system functionality called from within some program. So, f.ex. if you have perl, or any other programming language interpreter available on the machine, while you possibly can audit the execution of perl, you cannot tell what the user had told the perl interpreter to do. On the other hand, even with shell auditing, I'm not certain whether the perl execution would be seen if it was executed f.ex. from within some editor (like vi) as a filter to process whatever had been written within the editor.

因此，尽管Shell审核将为您提供一层审核，但是除非您的环境确实严格地针对Shell以外的其他执行路径进行，否则收益不会那么大.

So, while shell auditing will provide you one layer of auditing, the gain is not that great unless your environment is really tightened against other paths of execution than the shell.

您应该考虑要审核的用户是否实际上需要外壳程序访问权限-如果不是，请为他们提供更有限的功能，并具有审核功能.也许是一个基于文本的小型菜单系统?

You should consider whether the users to be audited actually need shell access - and if not, provide them with something more limited, with auditing capabilities. A small text-based menu system, perhaps?

这篇关于如何捕获任何用户在Unix/Linux中键入的所有命令?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！