hey all,

I have something I've been working on w/ relative success, but could use more skilled eyes on the project to get to where I'd really like to see this go.

I've built an administration server w/ Mac OS X Server and I'm running an SSH server that is to be used by engineers to gain access to client networks. my objective is to log all sessions for future audits.

at the moment I'm using the BASH History feature to record all commands in a session to a unique file per session. I've done this by modifying the HISTFILE in the default BASH profile as follows:


# SYSTEM WIDE BASH PROFILE - AUTHOR DW

# PATH INCLUDES DIRECTORY /SW FOR APPS PORTED BY FINK

PATH="/bin:/sbin:/usr/bin:/usr/sbin:/sw/bin"
export PATH

# ACCOUNTING OF TERMINAL SESSION TO /ACCOUNTING DIRECTORY
# SESSION NAME REFLECTS DATE TIME AND USER OF SESSION

export HISTFILE=/Accounting/$(date +"%b%d_%Y"_%H:%M:%S)_$USER

# ALIAS

alias ls="ls -l"
alias show="more"

# BASH CHECK

if [ "${BASH-no}" != "no" ]; then
    [ -r /etc/bashrc ] && . /etc/bashrc
fi

# SESSION PROMPT
# PROMPT REFLECTS USER AT SERVER ACTIVE TIME AND COMMAND SEQUENCE NUMBER

PS1="\u@\h \t [\#]#"
PS2=" > "

# END


this does a solid job of logging commands similar to the logs I get from Cisco's Access Control Server (ACS), however, during my trials I stumbled across the SCRIPT command, which records everything that comes across the screen. I like the idea of having the results along w/ the commands to better track the actions of the engineers.

The problem I have with SCRIPT is twofold. First, it announces itself at the start of a new session and even gives away the location. Ex:

Last login: Thu Oct 4 13:53:09 2007 from [WRK_IP]

********************** WARNING ******************************
This is a restricted system.
Unauthorized access to this system is strictly prohibited.
If you do not have proper authorization, log out immediately.
Use of this computer system, authorized or unauthorized,
constitutes consent to monitoring of your activities on this
system. Unauthorized use may subject you to criminal prosecution.
Evidence of unauthorized use collected during monitoring may be
used for administrative, criminal or other adverse action.
*************************************************************

Script started, output file is /Accounting/[SRV_NAME]@14:00:43_Oct04_2007


I've found a man writeup of a version that includes a QUIET tag, -q, but the version native to Mac OS X doesn't have this option.

Second, the script runs at the start of opening a new BASH session, but exits back into the BASH session, instead of closing the connection. I need the session to close entirely once logging has stopped. Also, the SCRIPT session doesn't use the prompt settings in the BASH profile.

I'm open to scrapping both approaches if anyone has a better method.

Thanks.
Dan
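
An added example, not part of the original post: one way to wire `script` into the system-wide profile so that the login shell is replaced by the recorder with `exec` (ending the recording then ends the connection) and the child shell does not start a second recording. `ACCOUNTING_DIR`, `SESSION_RECORDED` and the three function names are hypothetical; only the plain `script FILE` form is used, so no quiet flag is assumed.

```bash
#!/bin/bash
# Added example: per-session recording wrapper for a system-wide bash profile.
# Hypothetical names: ACCOUNTING_DIR, SESSION_RECORDED, and all functions below.

ACCOUNTING_DIR="${ACCOUNTING_DIR:-/Accounting}"

# Build a unique log path from date, time, user and PID.
# The user name is sanitised so it cannot add path separators, spaces or colons.
session_log_path() {
    local user stamp
    user=$(printf '%s' "${1:-unknown}" | tr -c 'A-Za-z0-9._-' '_')
    stamp=$(date +"%Y%m%d_%H%M%S")
    printf '%s/%s_%s_%s\n' "$ACCOUNTING_DIR" "$stamp" "$user" "$$"
}

# Record only interactive terminal logins that are not already being recorded.
should_record() {
    [ -z "${SESSION_RECORDED:-}" ] || return 1   # already inside script's child shell
    [ -t 0 ] || return 1                         # no terminal (scp, sftp, remote command)
    command -v script >/dev/null 2>&1 || return 1
    return 0
}

start_recorded_session() {
    should_record || return 0
    local log
    log=$(session_log_path "${USER:-unknown}")
    # Create the file owner-only before script opens it; fail closed if that fails.
    ( umask 077; : > "$log" ) 2>/dev/null || {
        echo "session logging unavailable, closing session" >&2
        exit 1
    }
    export SESSION_RECORDED=1   # guard seen by the shell that script spawns
    # exec replaces the login shell: when the recorded shell exits, script exits,
    # and nothing is left to fall back into, so the SSH connection closes.
    exec script "$log"
}

# In the profile, the last line would be:
#   start_recorded_session
```

The shell that `script` spawns is not a login shell, so prompt settings need to live in a file that non-login interactive shells read. The log file is still owned by the recorded user, so it is an activity record rather than a tamper-proof audit trail.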