Comprehensive Overview of SSH Session Recording Methods on Linux

1. Built-in Linux Tools

script Command

  • What it captures: Everything written to the terminal (program output plus echoed keystrokes); with -I/--log-in (util-linux 2.35+) raw input as well, which then includes non-echoed input such as passwords
  • Storage format: Plain text file holding the raw byte stream, terminal control sequences included
  • Playback: cat the file to a terminal to re-render it; record a timing file alongside it (script -t 2>timing.txt, or --log-timing) and scriptreplay plays it back at the original speed
  • Storage requirements: Equal to the bytes the terminal received; full-screen programs (vim, top, progress bars) inflate it quickly
  • Security: The file is written by the user under their own umask, so the user can read, edit or delete the record; only an audit trail if started by a wrapper the user cannot bypass (for example a ForceCommand in sshd_config) and shipped off-host
  • Setup: Part of util-linux on most distributions, no installation needed
  • Usage: script filename.txt to start, exit (or Ctrl-D) to stop
  • Pros: Simple, no installation, output readable with cat
  • Cons: Verbose raw output, timing only with a separate timing file, files under the recorded user's control

auditd (Linux Audit Daemon)

  • What it captures: Kernel-level events: syscalls matched by rules (for example every execve), file access, authentication and login events. Every record carries the login UID (auid) and session ID (ses), so commands can be attributed to the SSH login that ran them. It does not capture terminal output; keystroke logging needs the separate pam_tty_audit module
  • Storage format: Plain-text key=value records in /var/log/audit/audit.log (arguments containing spaces or non-printable bytes are hex-encoded)
  • Playback: No session replay; query with ausearch (for example ausearch -k cmds -i, where -i decodes the hex fields) and summarise with aureport
  • Storage requirements: Moderate and entirely rule-dependent; an execve rule on a busy host produces a large volume
  • Security: Logs are root-owned; with the daemon locked in immutable mode (auditctl -e 2, which only a reboot undoes) and records forwarded to a remote collector through the audisp-remote plugin, a local root cannot silently rewrite history
  • Setup: Root access and carefully tuned rules under /etc/audit/rules.d/
  • Usage: Add rules with auditctl or rules.d, for example -a always,exit -F arch=b64 -S execve -k cmds; records are collected automatically
  • Pros: Comprehensive system auditing, regulatory compliance, tamper-evident when locked and shipped off-host
  • Cons: Complex setup, no terminal I/O (it shows what ran, not what the user saw), noisy at scale
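Because auditd attributes every execve to an auid and ses, a per-session command history can be rebuilt from the log even though nothing resembling a terminal recording exists. The following is an added example (not from the page or the audit project) that parses SYSCALL/EXECVE record pairs, decodes hex-encoded arguments as ausearch -i would, groups commands by login UID and session, and flags reads of sensitive paths. The audit rule it assumes is the execve rule above; the log lines are constructed, not captured from a real host, and omit fields (a0-a3, subj, and so on) that real records carry.

```python
"""Rebuild per-SSH-session command histories from auditd execve records.

Added example, not from the page or the Linux audit project. It assumes
records produced by a rule like `-a always,exit -F arch=b64 -S execve -k cmds`
and the sample lines below are constructed (real records carry more fields).
"""
import re
from collections import defaultdict

# Constructed sample: two logins, auid=1000 in session 3 and auid=1001 in
# session 4. Event 102 has a hex-encoded argument, as auditd writes for
# arguments containing spaces or non-printable bytes.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:100): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="cmds"
type=EXECVE msg=audit(1700000000.101:100): argc=2 a0="cat" a1="/etc/hostname"
type=SYSCALL msg=audit(1700000000.205:101): arch=c000003e syscall=59 success=yes exit=0 ppid=3001 pid=3002 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="cmds"
type=EXECVE msg=audit(1700000000.205:101): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1700000000.310:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="echo" exe="/usr/bin/echo" key="cmds"
type=EXECVE msg=audit(1700000000.310:102): argc=2 a0="echo" a1=68656C6C6F20776F726C64
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="value"
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")     # timestamp and event serial

# Paths whose appearance as a command argument is worth a closer look (assumption).
SENSITIVE = ("/etc/shadow", "/etc/sudoers", "/root/.ssh/")


def decode_arg(raw):
    """Quoted values are literal; unquoted EXECVE args are hex (fall back to raw)."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw


def sessions_from_audit_log(text):
    """Return {(auid, ses): [ {time, tty, euid, argv}, ... ]} in event order."""
    events = defaultdict(dict)  # serial -> partial event (SYSCALL + EXECVE records)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ts, serial = float(m.group(1)), int(m.group(2))
        fields = dict(FIELD_RE.findall(line))
        ev = events[serial]
        ev.setdefault("time", ts)
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "EXECVE":
            argc = int(fields["argc"])
            ev["argv"] = [decode_arg(fields[f"a{i}"]) for i in range(argc)]

    sessions = defaultdict(list)
    for serial in sorted(events):           # serials increase with time
        ev = events[serial]
        sc = ev.get("syscall")
        if sc is None or "argv" not in ev:  # incomplete pair, e.g. log rotated mid-event
            continue
        key = (int(sc["auid"]), int(sc["ses"]))
        sessions[key].append({
            "time": ev["time"],
            "tty": sc.get("tty"),
            "euid": int(sc.get("euid", -1)),
            "argv": ev["argv"],
        })
    return dict(sessions)


def flag_sensitive_reads(sessions, sensitive=SENSITIVE):
    """List (auid, ses, argv) for commands whose arguments touch a sensitive path."""
    hits = []
    for (auid, ses), cmds in sorted(sessions.items()):
        for cmd in cmds:
            if any(arg.startswith(sensitive) for arg in cmd["argv"][1:]):
                hits.append((auid, ses, cmd["argv"]))
    return hits


if __name__ == "__main__":
    sessions = sessions_from_audit_log(SAMPLE_AUDIT_LOG)
    for (auid, ses), cmds in sorted(sessions.items()):
        print(f"auid={auid} ses={ses}")
        for cmd in cmds:
            print(f"  {cmd['time']:.3f} tty={cmd['tty']} euid={cmd['euid']} {' '.join(cmd['argv'])}")
    print("flagged:", flag_sensitive_reads(sessions))
```

Note that the grouping key is (auid, ses), not uid: after sudo the uid and euid change but auid and ses stay with the original login, which is exactly what makes the record attributable to an SSH session. The incomplete-pair check matters in practice, since SYSCALL and EXECVE records for one event can be split across a log rotation.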

2. Specialized Terminal Recording Tools

ttyrec

  • What it captures: Terminal output only, with a timestamp on every write
  • Storage format: Binary: each chunk is a 12-byte header (seconds, microseconds and payload length as 32-bit integers in the recording machine's byte order) followed by the raw output bytes
  • Playback: ttyplay with the original timing preserved; ttyplay -p follows a recording that is still being written
  • Storage requirements: About the same as script, i.e. the raw output plus 12 bytes per chunk; compresses well
  • Security: Files stored locally under the user's own permissions, so the same user-controlled caveat as script applies
  • Setup: Install the ttyrec package
  • Usage: ttyrec filename to start recording, exit the shell to stop
  • Pros: Exact-timing replay, simple to use, trivially parsable format that many other tools can read
  • Cons: Headers are binary, so it needs ttyplay or a converter to view; no input capture

asciinema

  • What it captures: Terminal output with timing; keyboard input only if recorded with --stdin, which then also captures non-echoed input such as passwords
  • Storage format: Newline-delimited JSON (asciicast v2): a header object followed by one [time, "o"|"i", data] event per line
  • Playback: asciinema play in any terminal, the web player, or a recording uploaded to asciinema.org
  • Storage requirements: Small because terminal output is text and compresses well; the JSON framing adds a little overhead rather than removing any
  • Security: Stored locally when a filename is given (asciinema rec demo.cast); asciinema rec without a filename offers to upload to asciinema.org when the session ends, so everything that appeared on screen (hostnames, tokens, file contents) leaves the host
  • Setup: Install via package manager or pip
  • Usage: asciinema rec demo.cast to record, asciinema play demo.cast to replay
  • Pros: Small files, a text format that can be grepped and diffed, easy sharing, actively maintained
  • Cons: Requires installation, files under the recorded user's control as with script, privacy risk if uploaded
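The two formats above are simple enough that converting between them is a short exercise, and doing so shows exactly what each stores. The following is an added example (not code from the ttyrec or asciinema projects) that parses a ttyrec file into timestamped chunks and writes it out as asciicast v2, rejecting a truncated recording instead of silently dropping its tail. It assumes the ttyrec header is written little-endian, as it is on x86; the sample recording is constructed in the block.

```python
"""Convert a ttyrec recording to asciicast v2 (asciinema's format).

Added example, not code from the ttyrec or asciinema projects. It assumes
the standard ttyrec chunk layout (three 32-bit integers: seconds,
microseconds, payload length, then the payload) written little-endian as
on x86; the sample recording below is constructed, not captured.
"""
import json
import struct

HEADER = struct.Struct("<III")  # tv_sec, tv_usec, len (little-endian: assumption above)


def build_ttyrec(chunks):
    """Constructed test input: (sec, usec, bytes) tuples -> ttyrec bytes."""
    out = bytearray()
    for sec, usec, data in chunks:
        out += HEADER.pack(sec, usec, len(data)) + data
    return bytes(out)


def parse_ttyrec(blob):
    """Return [(absolute_time_seconds, payload_bytes), ...].

    A truncated file (a recorder killed mid-write, a copy that was cut short)
    raises instead of yielding a recording that quietly ends early.
    """
    chunks = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < HEADER.size:
            raise ValueError(f"truncated chunk header at offset {pos}")
        sec, usec, length = HEADER.unpack_from(blob, pos)
        pos += HEADER.size
        if len(blob) - pos < length:
            raise ValueError(f"truncated payload at offset {pos}: expected {length} bytes")
        chunks.append((sec + usec / 1_000_000, blob[pos:pos + length]))
        pos += length
    return chunks


def asciicast_events(blob, width=80, height=24):
    """Return (header_dict, [[relative_time, "o", text], ...]) for asciicast v2."""
    chunks = parse_ttyrec(blob)
    if not chunks:
        raise ValueError("empty recording")
    t0 = chunks[0][0]   # asciicast times are relative to the first event
    header = {"version": 2, "width": width, "height": height, "timestamp": int(t0)}
    events = [[round(t - t0, 6), "o", data.decode("utf-8", "replace")] for t, data in chunks]
    return header, events


def ttyrec_to_asciicast(blob, width=80, height=24):
    """Serialise as newline-delimited JSON, ready for `asciinema play file.cast`."""
    header, events = asciicast_events(blob, width, height)
    return "\n".join(json.dumps(x) for x in [header, *events]) + "\n"


# Constructed sample: a prompt, an echoed command, and its result 1.75 s later.
SAMPLE_TTYREC = build_ttyrec([
    (1700000000, 0, b"$ "),
    (1700000001, 500000, b"cat /etc/hostname\r\n"),
    (1700000001, 750000, b"bastion01\r\n$ "),
])

if __name__ == "__main__":
    print(ttyrec_to_asciicast(SAMPLE_TTYREC), end="")
```

Writing the output to a file and running asciinema play on it replays the session with the original ttyrec timing. Only "o" events are produced because ttyrec never records input; a recording made with asciinema --stdin would additionally contain "i" events, which is where typed secrets would show up.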

tlog

  • What it captures: Full terminal I/O (input, output and window size changes) as JSON messages carrying user, host, terminal and session metadata
  • Storage format: JSON messages written to the journal (default), syslog or a file; output is chunked at a configurable payload size (2048 bytes by default), so one session becomes a stream of records sharing a recording ID
  • Playback: tlog-play reads the stream back, for example tlog-play -r journal -M TLOG_REC=<id>
  • Storage requirements: Proportional to activity; the JSON envelope and timing data make it larger than the raw byte stream, but it lives in the normal log pipeline
  • Security: Inherits the logging infrastructure's controls: journald/rsyslog forwarding gives off-host storage, and the recorded user never has write access to the record
  • Setup: Packaged for RHEL 8+ and Fedora (Session Recording in the web console); configuration in /etc/tlog/tlog-rec-session.conf
  • Usage: Set tlog-rec-session as the user's login shell (via SSSD or /etc/passwd); it records the session and runs the real shell underneath it
  • Pros: Enterprise-ready, integrates with logging infrastructure, supported on RHEL
  • Cons: More setup, RHEL-centric packaging; a user who can change their own login shell can disable it, so lock the shell entry down

3. Legacy/Deprecated Tools

sudosh/sudosh2

  • What it captures: All terminal I/O of the shell it spawns (typically a root shell obtained through sudo)
  • Storage format: Per-session script and timing files under /var/log/sudosh
  • Playback: sudosh-replay with the original timing
  • Storage requirements: Moderate, all I/O is logged
  • Security: Logs stored locally and owned by root; centralising them needs a network filesystem or log shipping
  • Setup: Compile from source, configure as shell
  • Usage: Set as the user's shell in /etc/passwd, or allow it as the only command in sudoers
  • Pros: Complete session recording, built-in playback
  • Cons: No longer actively maintained; sudo's own I/O logging now covers the same use case

rootsh

  • What it captures: Terminal I/O of the shell it wraps, typically a root shell obtained through sudo
  • Storage format: Syslog (local5.info by default), optionally with a local file copy
  • Playback: No built-in playback; the syslog lines are read as text
  • Storage requirements: Depends on syslog configuration
  • Security: Uses syslog, so remote forwarding comes for free with the existing log pipeline
  • Setup: Compile from source
  • Usage: Run as a wrapper for the shell, for example by allowing rootsh in sudoers instead of a bare shell
  • Pros: Simple logging solution that lands in the central log stream
  • Cons: Unmaintained; sudo's built-in I/O logging has replaced it

4. Modern Solutions

sudo with I/O logging

  • What it captures: Terminal input and output of commands run through sudo (log_output and log_input in sudoers); recording a whole session means making sudo -i or sudo -s the only way users obtain a shell
  • Storage format: Per-session directories under /var/log/sudo-io (iolog_dir), each with a timing file plus compressed stdin/stdout/tty streams; sudo 1.9+ can stream them to a central sudo_logsrvd instead
  • Playback: sudoreplay -l to list sessions, sudoreplay <id> to replay with timing
  • Storage requirements: Modest (streams are zlib-compressed by default) and proportional to command output
  • Security: Logs are root-owned and written by sudo rather than the user, so the person being recorded cannot edit them; remote logging to sudo_logsrvd keeps them off the host
  • Setup: Add Defaults log_output (and log_input if keystrokes are wanted) to sudoers, scoped per user or per command if needed
  • Usage: Automatic once configured
  • Pros: Already installed, integrated with sudo's policy, remote streaming available
  • Cons: Records only what passes through sudo; anything done in the user's own shell is invisible

Commercial/Enterprise Solutions

  • Examples: Teleport, StrongDM, CyberArk PSM
  • What they capture: Complete sessions with metadata (who, from where, to which host, what was typed), recorded at a proxy or bastion rather than by a process on the target that the user controls
  • Storage requirements: Vendor-dependent; figures of roughly 50-250 KB per minute are typical and rise with output volume
  • Security: Enforced on the access path (the user cannot reach the host without being recorded), with role-based access control, approval workflows and off-host storage
  • Pros: Comprehensive features, compliance support, recording that the recorded user cannot switch off
  • Cons: Cost, complexity, vendor lock-in, and a new critical dependency in the access path

Recommendations

  1. For simple personal use: asciinema (modern, efficient) or script (no installation)
  2. For compliance/auditing: server-side recording the user cannot disable (sudo I/O logging or tlog) forwarded off-host, with auditd alongside for the system-level event trail; auditd alone shows which commands ran, not what the user saw
  3. For enterprise RHEL environments: tlog with centralized logging
  4. For exact replay needs: ttyrec, asciinema, or script with a timing file and scriptreplay
  5. For modern DevOps: asciinema for sharing, or an access proxy such as Teleport that records every session by default

Key Considerations

  • Storage: All of these formats are text or near-text and compress well; differences in file size matter less than where the files end up
  • Security: The deciding question is who controls the recorder. script, ttyrec and asciinema run under the user's own account and can be skipped, killed or edited; auditd, tlog, sudo I/O logging and proxy-based tools are enforced by root or by the access path
  • Ease of use: script and asciinema are simplest
  • Playback: asciinema offers the best playback experience; tlog-play and sudoreplay are the enterprise equivalents
  • Compliance: auditd for the event trail plus tlog, sudo I/O logging or an enterprise solution for session content, all forwarded to a collector the recorded users cannot write to
  • Sensitive data: Any full-I/O recorder (tlog, sudo log_input, asciinema --stdin, script --log-in) captures passwords and tokens typed or printed during the session, so the recordings themselves must be protected as secrets