UNIX and Linux Auditing using script
How script is setup and started:
'script' is a well-known tool used for basic auditing. In many installations, it comes preinstalled. When not, it can be added to any Linux or Solaris environment with no additional configuration is required.
Using script will start auditing as soon as a user types the command 'script'.
What script records:
All the typing activity and screen I/O is recorded once the script command is given. Content is saved in a default file named 'typescript', or in additional files if desired.
Security and audit implications:
Using script is quick and easy, but script is easy to circumvent, and so is difficult to enforce reliably. For example, one can bypass it simply by deleting the output typescript file, or by exiting out of the script session.
Additionally, script only displays interactive activity. It does not detail what might be taking place underneath the hood in system calls or processes spawned by an interactive command.
When to use script:
The best and most common use for script is to record and audit your own sessions. This is due to the fact that it is cumbersome to configure it as a reliable security auditing tool for other users. Other methods described below are better suited for monitoring other users.