
Logging commands in korn shell

March 2, 2006

Yet another blast from the past, but I was asked for this again today.


How can you log every command typed into a Korn shell session? Here is the cheap and dirty but surprisingly useful way that logs them all to syslog.


Type this into your shell and it will capture each command, its return code and the current working directory. It works by installing a DEBUG trap, which ksh88 (the /bin/ksh on Solaris) runs after every command, and reading the command text back out of the history with fc. Note that ksh93 runs the DEBUG trap before each command instead, so there $? and the fc output refer to different commands.

function dlog
{
	# $? has to be captured first; anything else run in the trap would clobber it.
	typeset -i stat=$?
	typeset x
	# fc -ln -0 prints the most recent history entry, i.e. the command that just ran.
	x=$(fc -ln -0)
	# ${x#<tab>} strips the leading tab that fc puts in front of each entry.
	logger -p daemon.notice -t "ksh $LOGNAME $$" Status $stat PWD $PWD \'${x#	}\'
}
trap dlog DEBUG

(note that there is a tab after the # in "${x# }")


You might want to use a different facility and priority, but daemon.notice is what gets it into /var/adm/messages on Solaris:


Mar  2 14:44:15 estale ksh cg13442 497922: [ID 702911 daemon.notice] Status 0 PWD /home/cg13442 'ls'
Mar  2 14:44:18 estale ksh cg13442 497922: [ID 702911 daemon.notice] Status 1 PWD /home/cg13442 'false'
Mar  2 14:45:09 estale ksh cg13442 497922: [ID 702911 daemon.notice] Status 0 PWD /home/cg13442 'ls -la'

I had run ls, false and "ls -la", each of which is dutifully logged.
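Once the lines are in syslog you still have to get the fields back out of them. The following is an added example, not code from the original post: a POSIX sh/awk parser for the lines the dlog trap writes, plus a helper that lists the commands that returned a non-zero status. The sample input is constructed after the /var/adm/messages lines above, with a fourth line that lacks the Solaris-only "[ID ...]" message-ID field so the parser is shown locating fields by name rather than by position; the function names parse_ksh_log and failed_commands are mine.

```shell
#!/bin/sh
# Added example (not from the original post): pull the fields back out of
# the syslog lines that the dlog trap writes, then list the commands that
# failed.  Everything here is POSIX sh + awk.

# Constructed sample input, modelled on the /var/adm/messages lines in the
# post.  The fourth line has no "[ID ... facility.level]" field, which is a
# Solaris addition other syslog daemons do not make, so the parser must not
# rely on its position.
SAMPLE_LOG="Mar  2 14:44:15 estale ksh cg13442 497922: [ID 702911 daemon.notice] Status 0 PWD /home/cg13442 'ls'
Mar  2 14:44:18 estale ksh cg13442 497922: [ID 702911 daemon.notice] Status 1 PWD /home/cg13442 'false'
Mar  2 14:45:09 estale ksh cg13442 497922: [ID 702911 daemon.notice] Status 0 PWD /home/cg13442 'ls -la'
Mar  2 14:46:00 estale ksh cg13442 497922: Status 2 PWD /tmp 'grep PWD file'"

# parse_ksh_log: syslog lines on stdin -> one TAB-separated record per line:
#   host  user  pid  status  pwd  command
parse_ksh_log() {
    awk -v q="'" '
        # Only lines carrying the "ksh <user> <pid>:" tag and the
        # "Status N PWD" marker written by the trap; everything else
        # in the syslog file is skipped.
        /^... +[0-9]+ [0-9:]+ [^ ]+ ksh [^ ]+ [0-9]+: / && / Status [0-9]+ PWD / {
            pid = $7; sub(/:$/, "", pid)
            # Locate "Status" by name, since the message-ID field is optional.
            for (i = 8; i <= NF; i++) if ($i == "Status") break
            stat = $(i + 1); dir = $(i + 3)
            # The command is everything after the first "PWD <dir> ".  Using
            # the first match keeps a command that itself mentions PWD intact,
            # and substr() preserves the original spacing of the command.
            match($0, / PWD [^ ]+ /)
            cmd = substr($0, RSTART + RLENGTH)
            # Strip the single quotes the trap wrapped around the command.
            if (substr(cmd, 1, 1) == q) cmd = substr(cmd, 2)
            if (substr(cmd, length(cmd)) == q) cmd = substr(cmd, 1, length(cmd) - 1)
            printf "%s\t%s\t%s\t%s\t%s\t%s\n", $4, $6, pid, stat, dir, cmd
        }'
}

# failed_commands: the command text of every entry whose status was non-zero.
failed_commands() {
    parse_ksh_log | awk -F '\t' '$4 + 0 != 0 { print $6 }'
}

# Stand-alone run: the parsed table, then the failures.
printf '%s\n' "$SAMPLE_LOG" | parse_ksh_log
echo '--- failed:'
printf '%s\n' "$SAMPLE_LOG" | failed_commands
```

Feed it the real file with `parse_ksh_log < /var/adm/messages`; the TAB-separated output pipes straight into cut or sort, for instance `cut -f3,6` to see what each shell pid ran.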


Tags: topic:[solaris] topic:[korn shell]


3 Comments
  1. T. Kristoffersen

    Cool, works great with bash too.
    This trick is so simple to avoid though, that I might as well rely on .bash_history.
    I’m not a ksh user so I have no idea if ksh has a history-file too.
    Now I’m going to try and make a dtrace script that logs the commands of arbitrary users. >;o)

  2. Yes, this is not an audit, but it is useful when debugging or when your users/admins just want to be able to find out what was done. It works as an audit in an environment where users are not malicious.
    History files don't, at least with ksh, catch the return status or the PWD, and they eventually get truncated.

  3. Chris Jenkins

    I've been trying to find a simple solution to throw things like this into syslog (similar to how sudo does it) and this was what I was searching for. However, two (2) problems:

    1) sudo does its own logging for commands like ‘sudo rm filetodelete’, so no need to double log this
    2) when SCPing into an account using Windows software like WinSCP, you get a ton of error messages. SFTP works great, however.

    I’ve attempted to fix issue #1:

    function kshlogger
    {
    	# Capture the status of the command that just ran before anything else.
    	typeset -i stat=$?
    	typeset x
    	x=$(fc -ln -0)
    	# Skip sudo invocations: sudo logs those itself.  The leading ? matches the tab fc prints.
    	if [[ $x != ?sudo* ]] ; then
    		logger -p security.notice -t "ksh: $LOGNAME $$" Status $stat "; "PWD"="$PWD "; ""COMMAND="\'${x#	}\'
    	fi
    }
    trap kshlogger DEBUG > /dev/null 2>&1
