Re: Keystroke logging with strace (no setup required)

From: rootsuid (rootsuid@gmail.com)
Date: Tue Jul 12 2005 - 15:15:46 EDT


I didn't like going between terminals (even through screen), so I
just changed the one line:

---
open (F, "tail -f $ARGV[0] |");
--- changes to
open (F, "strace -p $ARGV[0] 2>&1 |");
---
then you run ./strace_clean.pl <PID>.
Also, if you aren't familiar with Perl: this script is waiting for
line returns (so it does work on other applications too, but you will
not see the text until the user hits enter; vim, etc.).
--root
----- strace_clean-new.pl
#!/usr/bin/perl -w
#
#  Monitoring a user's shell commands by using strace and displaying and
#  cleaning up the read() syscalls
#  Based on the tip posted to secfocus by Mark Lachniet, written by Tom
#  Van de Wiele.
#
#  Original usage, on a logfile or in real-time (as fast as /usr/bin/script
#  logs to file that is):
#
#       # script /tmp/what_is_user_foo_doing.log
#       Script started, file is /tmp/what_is_user_foo_doing.log
#       # strace -p <PID of shell of user>
#
#       Using a different terminal at the same time:
#       # perl strace_clean.pl /tmp/what_is_user_doing.log
#
#  This version runs strace itself, so a single terminal is enough:
#
#       # ./strace_clean.pl <PID of shell of user>
#
use strict;  # hi Kris :)

my $pid = shift @ARGV;
# only a plain numeric PID may go into the shell pipeline below
die "usage: $0 <PID>\n" unless defined $pid && $pid =~ /^\d+$/;

# autoflush: keystrokes are printed without a trailing newline, so do not
# let stdio hold them back until a line is complete
$| = 1;

my $char;
# strace writes the trace to stderr, hence 2>&1
open (F, "strace -p $pid 2>&1 |") or die "cannot run strace: $!\n";
while (<F>) {
    next if !/^read/;
    next if /^$/;
    if (/^read\(0,\s\"(.*)\".*/) {      # fd 0 = the traced shell's tty
        $char = $1;
        if ($char =~ /\\r/) {           # Enter
            print "\n";
        }
        elsif ($char =~ /\\177/) {      # DEL (backspace key)
            print "\b";
        }
        elsif ($char =~ /\\t/) {        # tab completion request
            print "<TAB>";
        }
        else {
            print $char;                # still strace-escaped, e.g. \33[A
        }
    }
}
close F;
#EOF
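An added example, not part of rootsuid's post or the original strace_clean.pl: the same idea as the Perl script above, written in Python so it can be run over a saved `strace` log when auditing a session. It goes a little further than the script: it decodes strace's C-style escapes (`\r`, `\177`, `\33[A`, `\xHH`), ignores reads on any fd other than 0, applies the line-editing keys (Backspace, Ctrl-U, Enter) the way a shell's line editor would, and only emits a command line once Enter is seen, which is exactly the caveat the post makes about not seeing text until the user hits enter. The `SAMPLE_STRACE` lines are constructed, not a real capture. Whether `strace -p` can attach to another user's shell at all is governed by ptrace permissions (on Linux with Yama, `kernel.yama.ptrace_scope`), which is the control to review when deciding who on a host can do this kind of monitoring.

```python
import re
from typing import Iterable, List, Tuple

# One strace read() record, optionally prefixed by "[pid N]" (strace -f).
# Group 1: fd, group 2: the string as strace escapes it, group 3: "..." when
# strace truncated the string (its -s limit), group 4: the return value.
READ_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s*)?read\((\d+),\s*"((?:[^"\\]|\\.)*)"(\.\.\.)?,\s*\d+\)\s*=\s*(-?\d+)'
)

_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "a": "\a", "b": "\b",
                   "f": "\f", "v": "\v", "\\": "\\", '"': '"'}


def unescape(text: str) -> str:
    """Decode strace's C-style string escapes: \\r, \\177 (octal), \\x1b (hex), \\\\, \\"."""
    out: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(text):                  # dangling backslash: keep it literally
            out.append("\\")
            break
        ch = text[i]
        if ch in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[ch])
            i += 1
        elif ch == "x":                     # \xHH, what strace -x prints
            m = re.match(r"[0-9a-fA-F]{1,2}", text[i + 1:i + 3])
            if m:
                out.append(chr(int(m.group(0), 16)))
                i += 1 + len(m.group(0))
            else:
                out.append("x")
                i += 1
        else:                               # \NNN octal, strace's default (\177, \33)
            m = re.match(r"[0-7]{1,3}", text[i:i + 3])
            if m:
                out.append(chr(int(m.group(0), 8)))
                i += len(m.group(0))
            else:
                out.append(ch)
                i += 1
    return "".join(out)


class LineReconstructor:
    """Apply the line-editing keys a shell applies to bytes read from fd 0
    and collect the command lines that result."""

    def __init__(self) -> None:
        self.pending: List[str] = []        # the line being typed
        self.lines: List[str] = []          # lines already submitted with Enter

    def feed(self, data: str) -> None:
        for ch in data:
            if ch in "\r\n":                # Enter: the line is complete
                self.lines.append("".join(self.pending))
                self.pending = []
            elif ch in ("\x7f", "\b"):      # DEL / Backspace: erase one character
                if self.pending:
                    self.pending.pop()
            elif ch == "\x15":              # Ctrl-U: kill the whole line
                self.pending = []
            elif ch == "\t":                # completion request; what the shell
                self.pending.append("<TAB>")  # filled in never passes through read(0)
            elif ch < " ":                  # other control bytes in caret notation
                self.pending.append("^" + chr(ord(ch) + 64))
            else:
                self.pending.append(ch)


def reconstruct(strace_lines: Iterable[str], fd: int = 0) -> Tuple[List[str], str]:
    """Return (completed lines, still-pending partial line) for reads on `fd`."""
    rec = LineReconstructor()
    for raw in strace_lines:
        m = READ_RE.match(raw)
        if not m:
            continue                        # not a read(), e.g. write()/select()
        if int(m.group(1)) != fd or int(m.group(4)) <= 0:
            continue                        # other fd, EOF (0) or error (-1)
        rec.feed(unescape(m.group(2)))
        if m.group(3):                      # string cut short by strace's -s limit
            rec.pending.append("<...>")
    return rec.lines, "".join(rec.pending)


# Constructed sample of what `strace -p <PID>` prints for an interactive shell:
# one read() per keystroke on fd 0, a pasted chunk, and unrelated syscalls.
SAMPLE_STRACE = r"""
read(0, "l", 1)                         = 1
read(0, "s", 1)                         = 1
read(0, " ", 1)                         = 1
read(0, "-", 1)                         = 1
read(0, "k", 1)                         = 1
read(0, "\177", 1)                      = 1
read(0, "l", 1)                         = 1
read(0, "\r", 1)                        = 1
write(1, "\r\n", 2)                     = 2
read(3, "#!/bin/sh\n", 4096)            = 10
read(0, "cat /et", 7)                   = 7
read(0, "\t", 1)                        = 1
read(0, "\r", 1)                        = 1
read(0, "\33[A", 3)                     = 3
""".strip().splitlines()

if __name__ == "__main__":
    done, partial = reconstruct(SAMPLE_STRACE)
    for line in done:
        print(line)
    if partial:
        print(partial + "  (not yet submitted)")
```

On the sample this yields `ls -l` (the typed `k` was erased by the DEL byte), then `cat /et<TAB>`, and leaves `^[[A` (the Up-arrow escape sequence) pending because no Enter followed it. To use it on a real capture, feed it the lines of a file written with `strace -p <PID> -o <file>` instead of `SAMPLE_STRACE`.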


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:32 EDT