Variables

Variables are symbolic names for memory in which you can assign values, as well as read or manipulate the contents.  When you create a variable it is important not to place spaces around the "=" sign.  The variable name can only contain letters, numbers and underscores, and it cannot start with a number.  A value that contains spaces must be quoted when it is assigned.  There are two kinds of variables.  Scalar variables hold only one value at a time, while array variables hold multiple values: an array is a way of grouping a set of values together under a single name.


The purpose of this script is to log the commands and output of a user so you have an accurate record of all activity.  One problem you run into if you depend on sudo's logs is that sudo, in its default configuration, records the command that was run but not its stdout or stderr, so what the user actually saw is lost.

keystrokes.sh


#!/bin/bash
# Capture keystrokes of a user and log them with script(1)

TIMESTAMP=$(date +%m%d%y%H%M%S)          # e.g. 070909025935 (mmddyyHHMMSS)
HOST=$(hostname|cut -f1 -d.)             # short hostname: an FQDN is trimmed at the first dot
LOGDIR=/var/log/user                     # must already exist and be writable by the user
LOGFILE=${HOST}.${LOGNAME}.${TIMESTAMP}  # LOGNAME is set by login, not by this script
touch "${LOGDIR}/${LOGFILE}"

# Set Prompt for the shell that script(1) starts: user and host are expanded now,
# $PWD is left literal so the shell expands it at every prompt
export PS1="[$LOGNAME:$HOST]@"'$PWD> '

# Only the user may read or write the log while the session is being recorded
chown "$LOGNAME" "${LOGDIR}/${LOGFILE}"
chmod 600 "${LOGDIR}/${LOGFILE}"

# script(1) runs $SHELL and records everything typed and printed until that shell exits
script "${LOGDIR}/${LOGFILE}"
# Session over: make the log read-only
chmod 400 "${LOGDIR}/${LOGFILE}"



Analysis of the Script
#!/bin/bash
The first line names the interpreter, so this script is run by bash.  (Starting it with sh keystrokes.sh, as in the example below, runs it under sh and ignores this line; the script uses nothing bash-specific, so either works.)

TIMESTAMP=$(date +%m%d%y%H%M%S)
This line creates a variable.  Variables are symbolic names for memory in which you can assign values, as well as read or manipulate the contents.  The advantage of a variable is that once it is assigned you can use it over and over.  When you create a variable it is important not to place spaces around the "=" sign.  The $( ) form runs the command inside it and assigns the command's output, here the date formatted as month, day, two-digit year, hour, minute and second.  It is also important to mark where a variable name ends so the shell can tell it apart from the text that follows; that is why you see variables written with { }, as in ${HOST}.  Without the braces, $HOST_log would be read as a variable named HOST_log, not as HOST followed by _log.

Here is the name of the log, note the time stamp on the end.
m67.root.070909025935


HOST=$(hostname|cut -f1 -d.)
HOST is a variable whose value comes from two commands, hostname and cut.  The command hostname prints the name of the computer the user is on.  That could be a short hostname or a Fully Qualified Domain Name (FQDN).
hostname
m67
or
hostname
m67.example.com
The hostname is piped into a second command with the "|" symbol, which takes the output of one command and sends it to the second command.  So when you create the variable HOST, hostname is run and its output is sent to cut.  cut, as the name implies, is used to cut and display selected information from a text file or text input.  Think of it as something that will take a vertical slice of a text file and send it to the output of your choice.  There are two ways to specify where you want to begin and end the slice: by a starting and an ending character position, or by fields.  To specify your "slice" by fields you use both the -d and -f switches.  The -d switch specifies the delimiter, the character that separates the fields, in this case a dot, so that cut knows where each field begins and ends.  The -f switch specifies which fields you want.  So the cut command above prints only the first field, the text before the first dot, with the dot and everything after it removed:

m67

If the hostname contains no dot at all, cut prints the whole line unchanged, so the script works with short hostnames too.  If you wanted to see the first three fields of the FQDN, the line would be written like this:
HOST=$(hostname|cut -f1-3 -d.)

m67.example.com

LOGDIR=/var/log/user

The variable LOGDIR holds the directory the log file will be written to, the text after the "=".  You can place the log wherever it is convenient, but the script does not create the directory: it must already exist and be writable by the user running the script, or the touch below fails.


LOGFILE=${HOST}.${LOGNAME}.${TIMESTAMP}
Here the LOGFILE variable is built from three previously created variables, separated by a ".".  All three are enclosed in curly braces { } so the shell knows exactly where each name ends.  LOGNAME is not set by this script; login sets it to the name of the user who logged in.

touch $LOGDIR/$LOGFILE
The command touch creates an empty file that will receive the recorded session.  The "/" separates the two variables whose values were set in the lines above.

export PS1="[$LOGNAME:$HOST]@"'$PWD> '

This sets the prompt for the shell that script starts, and export makes it visible to that child shell.  The double-quoted part is expanded when this line runs, so the user name and host are fixed into the prompt.  The single-quoted part is not expanded, so the literal text $PWD is stored and the interactive shell expands it each time it prints the prompt, giving the current directory.  Note that the shell started by script reads its own startup files, which may set PS1 again: in the root session below the prompt comes from root's own configuration, while jane's session further down shows the prompt set here.

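The following is an added example, not part of the lesson's script, that exercises the variable rules described above as small shell functions: trimming a hostname with cut (and with a parameter expansion that avoids the extra process), building the host.user.timestamp log name, the brace pitfall, and the prompt built from the two quoting styles. The function names are this example's own; the values are taken from the lesson.

```shell
#!/bin/bash
# Added example (not the lesson's code). Function names are this example's.

# First label of a hostname, the way the lesson's HOST line does it.
# cut -f1 -d. returns "m67" for "m67.example.com"; if there is no dot,
# cut prints the whole line, so a bare "m67" passes through unchanged.
short_host() {
    printf '%s\n' "$1" | cut -f1 -d.
}

# Same result without forking cut: strip the longest suffix that starts with a dot.
short_host_builtin() {
    printf '%s\n' "${1%%.*}"
}

# host.user.timestamp, as the lesson's LOGFILE line builds it.
# The braces mark where each name ends. "." is not a name character, so
# $host.$user would also work, but see brace_demo for the case where it matters.
build_logname() {
    local host="$1" user="$2" stamp="$3"
    printf '%s\n' "${host}.${user}.${stamp}"
}

# The pitfall the braces prevent: "_" is a valid name character, so $HOST_log
# is a lookup of a variable called HOST_log (unset here, so it expands to nothing).
brace_demo() {
    local HOST="m67"
    local with_braces="${HOST}_log"
    local without_braces="$HOST_log"
    printf '%s|%s\n' "$with_braces" "$without_braces"
}

# The lesson's PS1 line: the double-quoted half is expanded now (user and host are
# fixed for the session), the single-quoted half keeps a literal $PWD so the
# interactive shell expands it each time it prints the prompt.
make_prompt() {
    local user="$1" host="$2"
    printf '%s\n' "[$user:$host]@"'$PWD> '
}
```

Calling build_logname m67 root 070909025935 gives the same name as the lesson's sample log, m67.root.070909025935, and brace_demo prints m67_log| because the unbraced form looked up an unset variable.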
Execute the script:

sh keystrokes.sh
Script started, file is /var/log/user/m67.root.070909031635
m67:/home/z4/scripts# ls
bk2  db2  db3  keystrokes.sh  mysql2  record  rsync1
m67:/home/z4/scripts# who
z4       tty7         2009-07-09 01:24 (:0)
z4       pts/0        2009-07-09 02:07 (:0.0)
z4       pts/1        2009-07-09 02:13 (:0.0)
m67:/home/z4/scripts# exit
Script done, file is /var/log/user/m67.root.070909031635
m67:/home/z4/scripts# vi /var/log/user/m67.root.070909031635


#####################################################
Script started on Thu 09 Jul 2009 03:16:35 AM MDT
m67:/home/z4/scripts# ls^M
bk2  db2  db3  keystrokes.sh  mysql2  record  rsync1^M
m67:/home/z4/scripts# who^M
z4       tty7         2009-07-09 01:24 (:0)^M
z4       pts/0        2009-07-09 02:07 (:0.0)^M
z4       pts/1        2009-07-09 02:13 (:0.0)^M
m67:/home/z4/scripts# exit^M
Script done on Thu 09 Jul 2009 03:16:45 AM MDT
####################################################



Setting Up A User to Be Checked
Add a group and make the users you want to record members of it.
groupadd check

/etc/group
check:x:1002:jane

Change the group of the script to the check group
chgrp check /opt/scripts/keystrokes.sh
-rwxr-xr-x 1 root check  387 2009-07-12 16:15 keystrokes.sh

Edit the user's .profile, which is located in their home directory, and add this line to the end:
sh /opt/scripts/keystrokes.sh

When the user types exit, script stops recording, keystrokes.sh finishes, and .profile carries on, so the user is left in an unrecorded login shell.  If the session should end when the recording ends, start the line with exec instead (exec sh /opt/scripts/keystrokes.sh), which replaces the login shell with the script.

Change the ownership of the user's .profile to root, leaving it readable by the user, so they cannot change it.
-rw-r--r-- 1 root root 705 2009-07-12 16:24 /home/jane/.profile

Two limits of this approach are worth knowing.  Bash reads ~/.bash_profile or ~/.bash_login in preference to ~/.profile when either exists, so a user who can create one of those files in their home directory skips the hook.  And the log is owned by the user for the length of the session (chown $LOGNAME, chmod 600), so the user can alter it before the final chmod 400.  This gives you an accurate record of a cooperating user's session; it is not a control against a user who is trying to evade it.

chgrp -R check /var/log/user

The script runs as the user, so the check group also needs write permission on the log directory or touch will fail; setting the sticky bit as well (chmod 1770 /var/log/user) lets members create their own logs without being able to delete or rename other users' logs.
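The setup steps above as an added example script (this is not the lesson's code or BeginLinux's): functions that create the log directory with the permissions keystrokes.sh needs, install the .profile hook exactly once, lock the profile when run as root, and check for the ~/.bash_profile bypass. The function names, the checks and the mode 1770 choice are this example's assumptions; the group name, directory and hook line are taken from the lesson. Group and ownership changes that need root are skipped or reported when the script is run unprivileged, so it can be tried against a scratch directory first.

```shell
#!/bin/bash
# Added example (not the lesson's code). Function names and the 1770 mode are this
# example's choices; LOG_GROUP, LOG_DIR and HOOK_LINE default to the lesson's values.

LOG_GROUP="${LOG_GROUP:-check}"
LOG_DIR="${LOG_DIR:-/var/log/user}"
HOOK_LINE='sh /opt/scripts/keystrokes.sh'

# Log directory. keystrokes.sh runs as the user, so the user must be able to create
# files here: group write plus the sticky bit (1770) lets group members create logs
# but not delete or rename each other's. chgrp only happens if the group exists.
setup_logdir() {
    local dir="$1" group="$2"
    mkdir -p "$dir" || return 1
    chmod 1770 "$dir" || return 1
    if getent group "$group" >/dev/null 2>&1; then
        chgrp "$group" "$dir" || return 1
    fi
}

# True when a directory shows the drwxrwx--T permission string (1770).
logdir_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwxrwx--T" ]
}

# Append the hook to a .profile exactly once (safe to rerun).
install_profile_hook() {
    local profile="$1"
    touch "$profile" || return 1
    if ! grep -qxF "$HOOK_LINE" "$profile"; then
        printf '%s\n' "$HOOK_LINE" >> "$profile"
    fi
}

# Number of hook lines in a profile; used to confirm the install is idempotent.
hook_count() {
    grep -cxF "$HOOK_LINE" "$1"
}

# Make the profile root-owned and world-readable, as the lesson shows (-rw-r--r-- root root).
# Only root can change the owner; without root, report the step and set the mode only.
lock_profile() {
    local profile="$1"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$profile" && chmod 644 "$profile"
    else
        printf 'not root: would run chown root:root %s\n' "$profile" >&2
        chmod 644 "$profile"
    fi
}

# Bash reads ~/.bash_profile or ~/.bash_login instead of ~/.profile when either
# exists, so a user who can create one of them never runs the hook. True if so.
profile_shadowed() {
    local home="$1"
    [ -e "$home/.bash_profile" ] || [ -e "$home/.bash_login" ]
}
```

As root on the target machine the calls are setup_logdir "$LOG_DIR" "$LOG_GROUP", install_profile_hook /home/jane/.profile, lock_profile /home/jane/.profile, and profile_shadowed /home/jane to confirm no competing startup file exists; run the same calls against a temporary directory first to see the permission strings they produce.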




cat /var/log/user/m67.jane.071209162935
Script started on Sun 12 Jul 2009 04:29:35 PM MDT
[jane:m67]@/home/jane> ls
[jane:m67]@/home/jane> sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for jane:
jane is not in the sudoers file.  This incident will be reported.
[jane:m67]@/home/jane> exit
exit

Script done on Sun 12 Jul 2009 04:30:25 PM MDT

 


Copyright CyberMontana Inc. and BeginLinux.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874