Recording everything a user does after logging into Linux over ssh (including session recording)


Prelude

rambo@ubuntu24-2:~$ cat /etc/apt/sources.list.d/ubuntu.sources
Types: deb
URIs: http://cn.archive.ubuntu.com/ubuntu/
Suites: noble noble-updates noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: noble-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg



rambo@ubuntu24-2:~$ sudo apt update -y
Ubuntu:
sudo apt install -y ttyrec

RHEL/CentOS:
sudo yum install -y ttyrec


# Create a new user
rambo@ubuntu24-2:~$ sudo adduser zhangsan

Configure the user's login shell to start ttyrec automatically
rambo@ubuntu24-2:~$ sudo vim /home/zhangsan/.bashrc           # append the following
# Only record interactive sessions that come from an ssh login
if [[ $- == *i* ]] && [ -n "$SSH_CONNECTION" ] && [ -z "$TTYREC_ACTIVE" ]; then
  export TTYREC_ACTIVE=1
  LOG_DIR="$HOME/.ttyrec_logs"
  mkdir -p "$LOG_DIR"
  LOG_FILE="$LOG_DIR/$(date +%F_%T).ttyrec"
  exec ttyrec "$LOG_FILE"
fi



Install and enable auditd (command-level auditing)
rambo@ubuntu24-2:~$ sudo apt install -y auditd audispd-plugins
rambo@ubuntu24-2:~$ sudo systemctl enable --now auditd

rambo@ubuntu24-2:~$ sudo vim /etc/audit/audit.rules
# Log every executed command
-a always,exit -F arch=b64 -S execve -k user-commands
-a always,exit -F arch=b32 -S execve -k user-commands

====================================================================
On RHEL the file is /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S execve -k user-commands
-a always,exit -F arch=b32 -S execve -k user-commands
====================================================================

rambo@ubuntu24-2:~$ sudo systemctl restart auditd
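The two execve rules tag every process execution with the key user-commands. For each exec auditd writes a SYSCALL record (who ran it, which binary, which tty) and an EXECVE record (the argument vector) that share one event id, the serial number inside msg=audit(TIME:ID); a CWD record with the working directory usually accompanies them. `ausearch -k user-commands` is the usual way to read them back. The Python parser below is an added example, not code from the original post, and shows how those raw records in /var/log/audit/audit.log fit together: it joins the records by event id, decodes the hex form auditd uses for arguments containing spaces or non-printable bytes, and rejoins very long arguments that arrive split as a1[0], a1[1], ... The log lines in SAMPLE_LOG are constructed for the example.

```python
"""Reconstruct command lines from auditd records tagged user-commands.

Added example, not code from the original post. With the execve rules above,
each exec produces a SYSCALL record (who ran it, which binary) and an EXECVE
record (argv) that share one event id, the serial in msg=audit(TIME:ID).
ausearch -k user-commands is the usual viewer; this parser shows how the raw
records in /var/log/audit/audit.log fit together. The log lines in SAMPLE_LOG
are constructed for the example.
"""
import re
import sys
from collections import defaultdict

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1746511790.512:2031): arch=c000003e syscall=59 success=yes exit=0 a0=5 items=2 ppid=1500 pid=1512 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="id" exe="/usr/bin/id" key="user-commands"
type=EXECVE msg=audit(1746511790.512:2031): argc=1 a0="id"
type=SYSCALL msg=audit(1746511803.044:2042): arch=c000003e syscall=59 success=yes exit=0 a0=5 items=2 ppid=1500 pid=1530 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="cat" exe="/usr/bin/cat" key="user-commands"
type=EXECVE msg=audit(1746511803.044:2042): argc=3 a0="cat" a1=2F746D702F6D79206E6F7465732E747874 a2="/etc/hostname"
type=CWD msg=audit(1746511803.044:2042): cwd="/home/zhangsan"
"""

MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'([\w\[\]]+)=("[^"]*"|\S+)')   # keys like a1[0] occur for split args
HEX_RE = re.compile(r"^[0-9A-F]+$")


def decode_value(raw: str) -> str:
    """auditd quotes printable values; anything with spaces or non-printable
    bytes is written as unquoted uppercase hex, which is decoded here."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_records(log_text: str) -> dict:
    """Group each record's fields under its event id: {eid: {"time", "records": {type: fields}}}."""
    events = defaultdict(lambda: {"time": 0.0, "records": {}})
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        rtype, ts, eid, body = m.groups()
        events[eid]["time"] = float(ts)
        events[eid]["records"][rtype] = dict(KV_RE.findall(body))
    return events


def argv_item(execve: dict, i: int) -> str:
    """Return argv[i]; very long arguments arrive split as a{i}[0], a{i}[1], ... and are rejoined."""
    if f"a{i}" in execve:
        return decode_value(execve[f"a{i}"])
    prefix = f"a{i}["
    parts = sorted((k for k in execve if k.startswith(prefix)), key=lambda k: int(k[len(prefix):-1]))
    return "".join(decode_value(execve[k]) for k in parts)


def reconstruct_commands(log_text: str, key: str = "user-commands") -> list:
    """One dict per exec event carrying the given rule key, in time order."""
    out = []
    for eid, ev in sorted(parse_records(log_text).items(), key=lambda kv: kv[1]["time"]):
        recs = ev["records"]
        sysc, execve = recs.get("SYSCALL"), recs.get("EXECVE")
        if not sysc or not execve or decode_value(sysc.get("key", "")) != key:
            continue
        argv = [argv_item(execve, i) for i in range(int(execve["argc"]))]
        out.append({
            "event": eid,
            "time": ev["time"],
            "auid": sysc.get("auid"),   # login uid: survives su/sudo, so it names the person
            "uid": sysc.get("uid"),
            "exe": decode_value(sysc.get("exe", "")),
            "cwd": decode_value(recs.get("CWD", {}).get("cwd", "")),
            "cmdline": " ".join(argv),
        })
    return out


if __name__ == "__main__":
    # usage: sudo python3 audit_cmds.py /var/log/audit/audit.log  (no argument: the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for c in reconstruct_commands(text):
        print(f'{c["time"]:.3f} auid={c["auid"]} uid={c["uid"]} cwd={c["cwd"] or "?"} :: {c["cmdline"]}')
```

Report by auid rather than uid when reviewing these records: auid is the login uid assigned at the ssh session and is kept across su and sudo, so it identifies the person even when uid later becomes 0.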




# Test the login; logging in works fine
rambo@e8bit:~$ ssh zhangsan@172.16.186.144
zhangsan@172.16.186.144's password: 
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-52-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

Expanded Security Maintenance for Applications is not enabled.

285 updates can be applied immediately.
44 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

*** System restart required ***
Last login: Tue May  6 14:08:34 2025 from 172.16.186.1




# Play back the recorded file with ttyplay
rambo@ubuntu24-2:~$ sudo ttyplay /home/zhangsan/.ttyrec_logs/2025-05-06_14:09:48.ttyrec; echo     # print a newline after playback ends
or
rambo@ubuntu24-2:~$ sudo ttyplay /home/zhangsan/.ttyrec_logs/2025-05-06_14:09:48.ttyrec; reset    # reset the terminal state to avoid a garbled display
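ttyplay replays one recording at real speed; for reviewing many recordings, or for searching them for a string, it helps to read the file format directly. A ttyrec file is a sequence of chunks, each with a 12-byte little-endian header (tv_sec, tv_usec and the payload length as uint32) followed by the raw terminal output captured at that moment. The Python reader below is an added example, not code from the original post or from ttyrec itself: it parses that layout, reports the session length, produces a searchable transcript and rejects a truncated file (what a recording looks like when the session was killed mid-write). The sample recording is constructed inline; the file path in the usage comment is an assumption. One caveat from the defender's side: both the .bashrc hook and $HOME/.ttyrec_logs belong to the recorded user, so this recording is a convenience record, while the root-owned auditd log configured above is the independent record of what was executed.

```python
"""Read a ttyrec recording directly, without ttyplay.

Added example, not code from the original post. ttyrec writes a sequence of
chunks; each chunk starts with a 12-byte little-endian header
(tv_sec, tv_usec, len as uint32) followed by `len` bytes of raw terminal
output. The sample recording below is constructed inline.
"""
import struct
import sys
from typing import List, Tuple

HEADER = struct.Struct("<III")  # tv_sec, tv_usec, len (little-endian uint32)
Chunk = Tuple[float, bytes]     # (absolute timestamp in seconds, raw output)


def parse_ttyrec(data: bytes) -> List[Chunk]:
    """Split a recording into (timestamp, payload) chunks.

    Raises ValueError on a truncated file, which is what a recording looks
    like when the session was killed mid-write or the file was cut short.
    """
    chunks: List[Chunk] = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        sec, usec, length = HEADER.unpack_from(data, offset)
        offset += HEADER.size
        if len(data) - offset < length:
            raise ValueError(f"truncated payload at offset {offset}")
        chunks.append((sec + usec / 1_000_000, data[offset:offset + length]))
        offset += length
    return chunks


def session_duration(chunks: List[Chunk]) -> float:
    """Seconds between the first and last chunk (0 for an empty recording)."""
    return chunks[-1][0] - chunks[0][0] if chunks else 0.0


def transcript(chunks: List[Chunk]) -> str:
    """Concatenate the raw output as text; escape sequences are left in place,
    so search this for strings rather than expecting clean lines."""
    return b"".join(payload for _, payload in chunks).decode("utf-8", errors="replace")


def build_ttyrec(events: List[Chunk]) -> bytes:
    """Encode (timestamp, payload) pairs in ttyrec layout (used for the sample)."""
    out = bytearray()
    for ts, payload in events:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += HEADER.pack(sec, usec, len(payload)) + payload
    return bytes(out)


# Constructed sample: a short session with a prompt, one command and exit.
SAMPLE = build_ttyrec([
    (1746511788.0, b"zhangsan@ubuntu24-2:~$ "),
    (1746511790.5, b"id\r\n"),
    (1746511790.6, b"uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan)\r\n"),
    (1746511795.25, b"zhangsan@ubuntu24-2:~$ exit\r\n"),
])

if __name__ == "__main__":
    # usage: python3 ttyrec_dump.py /home/zhangsan/.ttyrec_logs/<file>.ttyrec (no argument: the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    chunks = parse_ttyrec(data)
    print(f"{len(chunks)} chunks, session length {session_duration(chunks):.2f}s")
    print(transcript(chunks))
```

Because each chunk carries an absolute timestamp, the same parser can be used to line a recording up against the auditd events for the same user and time window.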


posted @ 2025-05-06 14:48  Linux大魔王