How to screen record the session

scottalanmiller

@mshajithn said in How to screen record the session:

I have installed ffmpeg package, how do I record the ssh session?

What OS? What is the goal?

scottalanmiller

@IRJ said in How to screen record the session:

I think what is trying to do is record remote access specifically every time SSH is initiated. Is this what you are looking to do? If so I am really interested in learning a solution as well.

That's not a good solution for that. It would produce giant files that would take forever for a human to watch. Totally impractical for security. Video recording of SSH sessions is really only good for training purposes.

For security, you want to record the shell session itself in text. Files are miniscule and can be parsed. And you can't blank them out like you can with SSH. With SSH and video, there are lots of ways to hide what is actually being done.

IRJ

@scottalanmiller said in How to screen record the session:

@IRJ said in How to screen record the session:

I think what is trying to do is record remote access specifically every time SSH is initiated. Is this what you are looking to do? If so I am really interested in learning a solution as well.

That's not a good solution for that. It would produce giant files that would take forever for a human to watch. Totally impractical for security. Video recording of SSH sessions is really only good for training purposes.

For security, you want to record the shell session itself in text. Files are miniscule and can be parsed. And you can't blank them out like you can with SSH. With SSH and video, there are lots of ways to hide what is actually being done.

So you are thinking pulling the history file of each session is the best solution. Maybe you can share that solution on a new post?

IRJ

I might make a cleaner guide for this
https://unix.stackexchange.com/questions/25639/how-to-automatically-record-all-your-terminal-sessions-with-script-utility

scottalanmiller

@IRJ said in How to screen record the session:

@scottalanmiller said in How to screen record the session:

@IRJ said in How to screen record the session:

I think what is trying to do is record remote access specifically every time SSH is initiated. Is this what you are looking to do? If so I am really interested in learning a solution as well.

That's not a good solution for that. It would produce giant files that would take forever for a human to watch. Totally impractical for security. Video recording of SSH sessions is really only good for training purposes.

For security, you want to record the shell session itself in text. Files are miniscule and can be parsed. And you can't blank them out like you can with SSH. With SSH and video, there are lots of ways to hide what is actually being done.

So you are thinking pulling the history file of each session is the best solution. Maybe you can share that solution on a new post?

Not a history, but that idea. When I worked at [redacted] they were crazy anal about this stuff. They did some recording earlier in the process before the history was touched, extremely hard to work around.

IRJ

@IRJ said in How to screen record the session:

I might make a cleaner guide for this
https://unix.stackexchange.com/questions/25639/how-to-automatically-record-all-your-terminal-sessions-with-script-utility

So I tested this and got it working, but I can just delete the file at the end of my session since it is in my home directory. No privilege elevation even needed.

scottalanmiller

@IRJ said in How to screen record the session:

@IRJ said in How to screen record the session:

I might make a cleaner guide for this
https://unix.stackexchange.com/questions/25639/how-to-automatically-record-all-your-terminal-sessions-with-script-utility

So I tested this and got it working, but I can just delete the file at the end of my session since it is in my home directory. No privilege elevation even needed.

Yeah, what we had working was something that automatically recorded it somewhere via a dedicated Jump server that was the only access point to the other machines.

IRJ

@black3dynamite said in How to screen record the session:

Using the script command can make typescript of terminal session.

https://www.tecmint.com/record-and-replay-linux-terminal-session-commands-using-script/

https://noise.getoto.net/2016/06/14/how-to-record-ssh-sessions-established-through-a-bastion-host/

https://unix.stackexchange.com/questions/25639/how-to-automatically-record-all-your-terminal-sessions-with-script-utility#25725

User can easily delete though

black3dynamite

@IRJ said in How to screen record the session:

@black3dynamite said in How to screen record the session:

Using the script command can make typescript of terminal session.

https://www.tecmint.com/record-and-replay-linux-terminal-session-commands-using-script/

https://noise.getoto.net/2016/06/14/how-to-record-ssh-sessions-established-through-a-bastion-host/

https://unix.stackexchange.com/questions/25639/how-to-automatically-record-all-your-terminal-sessions-with-script-utility#25725

User can easily delete though

What about using something like chattr or SELinux to prevent deletion?
https://serverfault.com/questions/448891/how-to-prevent-file-owner-from-changing-deleting-their-own-file-linux-centos

IRJ

@black3dynamite said in How to screen record the session:

@IRJ said in How to screen record the session:

@black3dynamite said in How to screen record the session:

Using the script command can make typescript of terminal session.

https://www.tecmint.com/record-and-replay-linux-terminal-session-commands-using-script/

https://noise.getoto.net/2016/06/14/how-to-record-ssh-sessions-established-through-a-bastion-host/

https://unix.stackexchange.com/questions/25639/how-to-automatically-record-all-your-terminal-sessions-with-script-utility#25725

User can easily delete though

What about using something like chattr or SELinux to prevent deletion?
https://serverfault.com/questions/448891/how-to-prevent-file-owner-from-changing-deleting-their-own-file-linux-centos

Do you think using auditd would be better?

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing

black3dynamite

@IRJ said in How to screen record the session:

@black3dynamite said in How to screen record the session:

@IRJ said in How to screen record the session:

@black3dynamite said in How to screen record the session:

Using the script command can make typescript of terminal session.

https://www.tecmint.com/record-and-replay-linux-terminal-session-commands-using-script/

https://noise.getoto.net/2016/06/14/how-to-record-ssh-sessions-established-through-a-bastion-host/

https://unix.stackexchange.com/questions/25639/how-to-automatically-record-all-your-terminal-sessions-with-script-utility#25725

User can easily delete though

What about using something like chattr or SELinux to prevent deletion?
https://serverfault.com/questions/448891/how-to-prevent-file-owner-from-changing-deleting-their-own-file-linux-centos

Do you think using auditd would be better?

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing

Looks a lot less complicating to use.