Live view of Linux shell commands executed by another user?
As root, you could replace their shell with a simple wrapper script that logged their commands before passing them to the real shell. This would only work prior to them logging in.
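The wrapper idea from the answer above, written out as an added example (not code from any poster in this thread): it records the session through script(1), the approach one commenter on this page describes, and also covers the `-c` form that sshd uses for `ssh host command`. The names `audit-shell`, `REAL_SHELL`, `AUDIT_DIR` and all function names are assumptions.

```shell
#!/bin/sh
# Added example: audit wrapper that root sets as a user's login shell.
# Hypothetical names: audit-shell, REAL_SHELL, AUDIT_DIR, all functions.
REAL_SHELL="${REAL_SHELL:-/bin/bash}"
AUDIT_DIR="${AUDIT_DIR:-/var/log/shell-audit}"

# sshd runs "ssh host CMD" as "<login shell> -c CMD"; a terminal login
# passes no -c. Both forms must be recorded or the log has a gap.
classify_invocation() {
    if [ "$1" = "-c" ] && [ "$#" -ge 2 ]; then
        echo command
    else
        echo interactive
    fi
}

# One typescript per session: <dir>/<user>.<UTC timestamp>.<pid>.log
session_log_path() {    # args: user timestamp pid
    printf '%s/%s.%s.%s.log\n' "$AUDIT_DIR" "$1" "$2" "$3"
}

# One index line per invocation. Control characters become "?" so a
# command containing newlines cannot forge additional records.
index_record() {        # args: timestamp user mode command
    clean=$(printf '%s' "$4" | tr '[:cntrl:]' '?')
    printf '%s user=%s mode=%s cmd=%s\n' "$1" "$2" "$3" "$clean"
}

main() {
    umask 077
    user=$(id -un)
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    mode=$(classify_invocation "$@")
    log=$(session_log_path "$user" "$ts" "$$")
    index_record "$ts" "$user" "$mode" "${2:-}" >> "$AUDIT_DIR/index.log"
    # script(1) starts $SHELL; point it at the real shell, otherwise it
    # would start this wrapper again and recurse.
    SHELL=$REAL_SHELL
    export SHELL
    if [ "$mode" = command ]; then
        exec script -q -f -c "$2" "$log"   # -f: flush, so tail -f is live
    fi
    exec script -q -f "$log"
}

# Run only when installed under the wrapper's own name.
case "${0##*/}" in
    audit-shell) main "$@" ;;
esac
```

Because the wrapper runs as the monitored user, that user needs write access to `AUDIT_DIR` and can alter what is stored there.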
Use sniffy if you want to break into the user's session or screen -x if you have cooperation.
Be aware though, that spying on your users might be subject to regulations or even outright illegal depending on your local legislation.
Changing the shell is very trivial to circumvent, patching the shell itself is better, but you have to patch all shells. Our favourite cracker uses this, as a bonus he doesn't bother himself with disabling bash_history.
ssh host /bin/sh -i
Snoopy is a wrapper around exec functions, and logs any external binary that is executed (not shell builtins).
@David Schmitt's suggestion sniffy uses a better method, it taps the pseudoterminal.
ttysnoop uses the same method, but it is unmaintained. (I probably had issues making it log ssh connections, can't remember)
You can try patching ssh to log a session, but that patch is old.
If you're being cooperative, you can use GNU screen between two users - have one establish the screen session, then have the other join using
If you want root to "spy" on other users without their knowledge, the best and most efficient solution might be keylogger software/hardware.
Sysdig is a powerful tool for system-level exploration - this is what you want ;)
sysdig -i spy_users
spy_users Display interactive user activity
lists every command that users launch interactively (e.g. from bash) and every directory users visit
EMP 14 days
Is it possible for the root user in Linux to have a real-time (or close to real-time) view of the shell commands being run by another user logged in via a terminal or SSH? Obviously they're stored in .bash_history, but that's only saved when the user logs off and can be disabled, too.
Edit: ideally something that can easily be switched on and off.
hayalci almost 13 years
ttyrpld seems good. Recommended in this question. serverfault.com/questions/40011/…
Commander Keen about 13 years
We did this to monitor a hacked account at a previous employer. Created "/bin/bash " (notice the space) that was a wrapper around the script-command. Worked like a charm :)
EMP about 13 years
Very clever! +1
user9517 about 10 years
Welcome to Server Fault! We really do prefer that answers have content, not pointers to content. This ensures that the answer will remain available even if the link goes dead. Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
user9517 about 10 years
Welcome to Server Fault! Please read our faq, in particular "May I promote products or websites I am affiliated with here?".
Mike Pennington about 10 years
What exactly is ssh host /bin/sh -i supposed to do?
skinp about 10 years
+1 for snoopy, not perfect but did what we needed it to do.