LinuxQuestions.org
Old 09-12-2013, 12:07 PM   #1
woodson2
Member
 
Registered: Oct 2008
Posts: 51

Rep: Reputation: 15
Piping the "script" command through the logger command.


I use the snippet below in /etc/profile on RHEL Linux to capture command line logging and it all works well and good.

Now I'd like to pipe the same output from script through the logger command so it all gets logged to syslog.

The only additional code I've added is in bold below (| bin/logger).

This works as expected sans one issue, albeit a major one. My terminal session is blank as if nothing is being typed, however if I type commands I can see them being logged and if I type exit my session closes. I tried a nohup and & to see if that would help but it does not. I'm wondering why I can no longer see anything on my tty.

This is what my putty session looks like. So I have a fully functional session but I can't see any output.
[user@test1 ~]$ ssh cxxx
user@test1's password:
Last login: Thu Sep 12 09:56:01 2013 from 10.x.x.x



Code:
if [ -z "$PS1" ]
  then
    echo "" > /dev/null
  else
    DATE="/bin/date"  SCRIPT="/usr/bin/script"
    LOGBASE="/log/cmdline_logs"
       if [ -d "${LOGBASE}" ]; then
           TIMESTAMP="$( ${DATE} +%Y%m%d%H%M%S )"
           LOGFILE="${LOGBASE}/${HOSTNAME}_${USER}_${TIMESTAMP}"
           umask 077
           [[ "${SHELL}" = "/bin/bash" && -e "${HOME}/.bash_profile" ]] && . ${HOME}/.bash_profile
           ${SCRIPT} -f -q ${LOGFILE}.log | /bin/logger
           [[ "${SHELL}" = "/bin/bash" && -e "${HOME}/.bash_logout" ]] && . ${HOME}/.bash_logout
           exit
       fi
  
fi
 
Old 09-12-2013, 12:48 PM   #2
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,337

Rep: Reputation: 548
Try using the tee command:

if [ -z "$PS1" ]
then
echo "" > /dev/null
else
DATE="/bin/date" SCRIPT="/usr/bin/script"
LOGBASE="/log/cmdline_logs"
if [ -d "${LOGBASE}" ]; then
TIMESTAMP="$( ${DATE} +%Y%m%d%H%M%S )"
LOGFILE="${LOGBASE}/${HOSTNAME}_${USER}_${TIMESTAMP}"
umask 077
[[ "${SHELL}" = "/bin/bash" && -e "${HOME}/.bash_profile" ]] && . ${HOME}/.bash_profile
${SCRIPT} -f -q ${LOGFILE}.log | tee /bin/logger
[[ "${SHELL}" = "/bin/bash" && -e "${HOME}/.bash_logout" ]] && . ${HOME}/.bash_logout
exit
fi

fi


-------------------------
Steve Stites
 
Old 09-12-2013, 01:28 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by woodson2
I use the snippet below in /etc/profile on RHEL Linux to capture command line logging and it all works well and good.

Please define "good"? As 'script' here gets executed by the user, only works with BASH and doesn't use variables that can't be re-defined by the user afterwards it does not constitute a tamper proof audit trail IMHO.


Quote:
Originally Posted by woodson2
Now I'd like to pipe the same output from script through the logger command so it all gets logged to syslog.

The way you try to implement it should not work because 'script' logs to a file while 'logger' requires stdout. Note modern syslog implementations like Rsyslogd and Syslog-NG can read from files. Also note that if you allow user input to be logged to syslog you should not ever parse it afterwards (because the script utility also logs line feeds, backspaces and control characters) and you must watch the partition (or disk) closely for free disk space. (What happens if I 'cat /var/log/messages' repeatedly inside my script session? ;-p)
 
Old 09-12-2013, 01:37 PM   #4
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,683

Rep: Reputation: 783
you will have to forgive me on my naivety here...

I think ( not certain ) script works in the same way as a shell, but sending stdin to both stdout and a file and not just stdout
when you pipe to logger, logger takes stdout and sends to file ( syslog )

I believe it may in the long run be easier to modify script's source to send direct to syslog as well as its normal behaviour.
I have not yet looked at the source, but I imagine it would be relatively straightforward

however, had a little play and came up with this

Code:
touch typescript # probably don't need
( tail -f typescript | logger ) &
script -f
the -f for script flushes to script's logfile (typescript here) each write
tail 'follows' typescript, piping to logger

the downside is some of the output is 'odd'
'shell'
Code:
$ script -f
tail: typescript: file truncated
Script started, file is typescript
firerat@Ab9Pro:/home/firerat/LinuxQ/LogScript$ echo "testing one two three"
testing one two three
firerat@Ab9Pro:/home/firerat/LinuxQ/LogScript$ sleep 2
firerat@Ab9Pro:/home/firerat/LinuxQ/LogScript$ for i in {1..4};do sleep $i;echo slept 1 second;done
slept 1 second
slept 1 second
slept 1 second
slept 1 second
firerat@Ab9Pro:/home/firerat/LinuxQ/LogScript$ exit
syslog
Code:
Sep 12 19:19:22 Ab9Pro firerat: Script started on Thu 12 Sep 2013 19:19:22 BST
Sep 12 19:19:29 Ab9Pro firerat: #033]0;firerat@Ab9Pro: /home/firerat/LinuxQ/LogScript#007firerat@Ab9Pro:/home/firerat/LinuxQ/LogScript$ echo "testing one two three"#015
Sep 12 19:19:29 Ab9Pro firerat: testing one two three#015
Sep 12 19:19:56 Ab9Pro firerat: #033]0;firerat@Ab9Pro: /home/firerat/LinuxQ/LogScript#007firerat@Ab9Pro:/home/firerat/LinuxQ/LogScript$ sleep 2#015
Sep 12 19:20:52 Ab9Pro firerat: #033]0;firerat@Ab9Pro: /home/firerat/LinuxQ/LogScript#007firerat@Ab9Pro:/home/firerat/LinuxQ/LogScript$ for i in sle#010#033[K#010#033[K#010#033[K{1,2,3#010#033[K#010#033[K#010#033[K#010#033[K#010#033[K#010#033[K#010#033[K#010#033[Kn {1..4};do sleep $i;echo slpet#010#033[K#010#033[K#010#033[Kept 1#010#033[K1 second;done#015
Sep 12 19:20:53 Ab9Pro firerat: slept 1 second#015
Sep 12 19:20:55 Ab9Pro firerat: slept 1 second#015
Sep 12 19:20:58 Ab9Pro firerat: slept 1 second#015
Sep 12 19:21:02 Ab9Pro firerat: slept 1 second#015
Sep 12 19:21:08 Ab9Pro firerat: #033]0;firerat@Ab9Pro: /home/firerat/LinuxQ/LogScript#007firerat@Ab9Pro:/home/firerat/LinuxQ/LogScript$ exit#015
Sep 12 19:21:08 Ab9Pro firerat: exit#015
Sep 12 19:21:08 Ab9Pro firerat:
Sep 12 19:21:08 Ab9Pro firerat: Script done on Thu 12 Sep 2013 19:21:08 BST
you can see me 'fixing' my rethinks and typos

I guess you could have sed between tail and logger, to make them readable

'raw' typescript file
Code:
Script started on Thu 12 Sep 2013 19:19:22 BST
^[]0;firerat@Ab9Pro: /home/firerat/LinuxQ/LogScript^Gfirerat@Ab9Pro:/home/firerat/LinuxQ/LogScript$ echo "testing one two three"^M
testing one two three^M
^[]0;firerat@Ab9Pro: /home/firerat/LinuxQ/LogScript^Gfirerat@Ab9Pro:/home/firerat/LinuxQ/LogScript$ sleep 2^M
^[]0;firerat@Ab9Pro: /home/firerat/LinuxQ/LogScript^Gfirerat@Ab9Pro:/home/firerat/LinuxQ/LogScript$ for i in sle^H^[[K^H^[[K^H^[[K{1,2,3^H^[[K^H^[[K^H^[[K^H^[[K^H^[[K^H^[[K^H^[[K^H^[[Kn {1..4};do sleep $i;echo slpet^H^[[K^H^[[K^H^[[Kept 1^H^[[K1 second;done^M
slept 1 second^M
slept 1 second^M
slept 1 second^M
slept 1 second^M
^[]0;firerat@Ab9Pro: /home/firerat/LinuxQ/LogScript^Gfirerat@Ab9Pro:/home/firerat/LinuxQ/LogScript$ exit^M
exit^M

Script done on Thu 12 Sep 2013 19:21:08 BST

another downside is you need to clean up ( tail -f typescript | logger ),
you could get the PID of it with $!, and then kill it once script exits

ultimately, I think modifying script's source code, adding a log to syslog flag is the cleanest

edit:
prompted by unSpawn's post, I did
Code:
cat typescript
cat typescript
inside the script shell
it then 'took over' with a nasty loop, filling syslog

Last edited by Firerat; 09-12-2013 at 01:44 PM.
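
Post #3 warns that script records backspaces and control characters, and post #4 suggests putting sed between tail and logger. One way to write that filter, as an added example that is not code from the thread: the function names and the sample line are constructed, and treating a bare backspace as "erase the previous character" is an approximation.

```shell
# Added example, not from the thread: make typescript lines readable
# before they are handed to logger.
clean_typescript() {
    esc=$(printf '\033') bel=$(printf '\007') bs=$(printf '\010')
    # sed steps, in order:
    #   1. drop xterm title sequences: ESC ] ... BEL
    #   2. reduce "backspace + ESC[K" (erase to end of line) to a backspace
    #   3. apply each backspace by deleting the character before it
    #   4. drop remaining CSI sequences such as colours and cursor moves
    # tr then removes every other control byte except tab and newline.
    LC_ALL=C sed \
        -e "s/${esc}][^${bel}]*${bel}//g" \
        -e "s/${bs}${esc}\[K/${bs}/g" \
        -e ":a" -e "s/[^${bs}]${bs}//" -e "ta" \
        -e "s/${esc}\[[0-9;?]*[A-Za-z]//g" |
    LC_ALL=C tr -d '\000-\010\013-\037\177'
}

# Constructed sample, modelled on the typo-fixing line shown in post #4.
sample_line() {
    printf '\033]0;user@host: ~\007user@host:~$ echo slpet\010\033[K\010\033[K\010\033[Kept 1\010\033[K1 second\r\n'
}

sample_line | clean_typescript
```

The cleaned text is for reading only; the raw typescript stays the record, since what appears on a line after cleaning is still user-controlled. In a live `tail -f` pipeline sed and tr buffer their output, so entries reach syslog in bursts rather than line by line.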
 
Old 09-13-2013, 08:09 AM   #5
woodson2
Member
 
Registered: Oct 2008
Posts: 51

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn
Please define "good"? As 'script' here gets executed by the user, only works with BASH and doesn't use variables that can't be re-defined by the user afterwards it does not constitute a tamper proof audit trail IMHO.

The way you try to implement it should not work because 'script' logs to a file while 'logger' requires stdout. Note modern syslog implementations like Rsyslogd and Syslog-NG can read from files. Also note that if you allow user input to be logged to syslog you should not ever parse it afterwards (because the script utility also logs line feeds, backspaces and control characters) and you must watch the partition (or disk) closely for free disk space. (What happens if I 'cat /var/log/messages' repeatedly inside my script session? ;-p)

The files are initiated by the user and placed in a directory with the necessary permissions to prevent tampering. The script works with bash, ksh and sh.

[root@test1 ~]# ls -ld /log
drwxr-x--x 6 root root 4096 Sep 12 13:38 /log

[root@test1 ~]# ls -ld /log/cmdline_logs/
drwxr-x-wx 2 root root 4096 Sep 12 14:12 /log/cmdline_logs/

We have measures in place for disk usage thresholds along with proper rotation/pruning. We would also be notified if space were to start filling up. I appreciate your efforts to bring to light some shortcomings or considerations, however I was able to get this working with the code below.



Code:
if [ -z "$PS1" ]
  then
        :  #do nothing stub
  else
    DATE="/bin/date"  SCRIPT="/usr/bin/script"
    LOGBASE="/log/cmdline_logs"
       if [ -d "${LOGBASE}" ]; then
           TIMESTAMP="$( ${DATE} +%Y%m%d%H%M%S )"
           LOGFILE="${LOGBASE}/${HOSTNAME}_${USER}_${TIMESTAMP}"
           umask 077
           [[ "${SHELL}" = "/bin/bash" && -e "${HOME}/.bash_profile" ]] && . ${HOME}/.bash_profile

              : > $LOGFILE.log
                ( tail -f $LOGFILE.log | /bin/logger -t TRACKING ) &

                trap "kill $!" EXIT # Kill the logger subshell on exit

                ${SCRIPT} -a -f -q ${LOGFILE}.log

           [[ "${SHELL}" = "/bin/bash" && -e "${HOME}/.bash_logout" ]] && . ${HOME}/.bash_logout
           exit
       fi
fi

Last edited by woodson2; 09-13-2013 at 08:13 AM.
 
Old 09-14-2013, 02:25 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by woodson2
I appreciate your efforts to bring to light some shortcomings or considerations, however

Besides responding to only part of what I wrote about it's the "however" part that's especially worrying. Could it be you have no idea what constitutes a proper audit trail? Or that you just don't care? Have you spent any time at all figuring out the ways a user could subvert your "solution"?

Code:
~]$ cat ${HOME}/.bash_profile
declare -r LOGBASE="/dev/null"
declare -r SCRIPT="/bin/bash --noprofile --login --"
export LOGBASE SCRIPT
or
Code:
~]$ cat ${HOME}/.bash_profile
[ "${SHELL:5:5}" == "bash" ] || /bin/bash --noprofile --login --
or just
Code:
~]$ chsh -s tcsh

Again: an audit trail should not be initiated by and not be controlled by the user in any aspect.
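
A defender-side check for the gaps post #6 points at, as an added example that is not part of the thread. The passwd-format input, the function names and the sample accounts are assumptions; the shell allowlist is taken from post #5's "bash, ksh and sh".

```shell
# Added example, not from the thread. Reads a passwd(5)-format file and
# reports accounts whose setup lets the /etc/profile hook be skipped.
audit_hook_bypass() {
    while IFS=: read -r user _ _ _ _ home shell; do
        case $shell in
            ''|*/nologin|*/false) continue ;;   # no interactive login
        esac
        case $shell in
            /bin/bash|/bin/ksh|/bin/sh) ;;      # shells the hook is said to cover
            *) printf '%s: login shell %s is outside the hook allowlist\n' \
                   "$user" "$shell" ;;
        esac
        # The hook sources ~/.bash_profile before it runs ${SCRIPT}, so any
        # assignment to the hook's variables in that file deserves a look.
        rc="$home/.bash_profile"
        [ -f "$rc" ] || continue
        if grep -Eq '(^|[[:space:];])(SCRIPT|LOGBASE)=' "$rc"; then
            printf '%s: %s assigns SCRIPT or LOGBASE\n' "$user" "$rc"
        fi
    done < "$1"
}

# Constructed sample: accounts whose home directories live in a temp dir.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/alice" "$d/bob"
    printf 'declare -r SCRIPT="/path/to/placeholder"\n' > "$d/bob/.bash_profile"
    printf '%s\n' \
        "alice:x:500:500::$d/alice:/bin/bash" \
        "bob:x:501:501::$d/bob:/bin/bash" \
        "carol:x:502:502::$d/carol:/bin/tcsh" \
        "daemon:x:2:2::/sbin:/sbin/nologin" > "$d/passwd"
    printf '%s\n' "$d"
}

sample=$(make_sample)
audit_hook_bypass "$sample/passwd"
rm -rf "$sample"
```

A clean report only covers these two patterns; it does not make a user-started `script` session an audit trail.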
 
Old 09-15-2013, 04:36 PM   #7
woodson2
Member
 
Registered: Oct 2008
Posts: 51

Original Poster
Rep: Reputation: 15
Thanks, your insults along with your unsolicited advice have been especially "helpful".
 
Old 09-15-2013, 06:01 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
When a man points
at the Moon the fool
looks at his Finger.
 
Old 09-15-2013, 07:48 PM   #9
woodson2
Member
 
Registered: Oct 2008
Posts: 51

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn
When a man points
at the Moon the fool
looks at his Finger.

Let me google a witty quote..
 
  

