From: rootsuid (rootsuid@gmail.com)
Date: Tue Jul 12 2005 - 15:15:46 EDT
I didn't like going between terminals (even through screen).. so I
just changed the one line:
---
open (F, "tail -f $ARGV[0] |");
---- changes to
open (F, "strace -p $ARGV[0] 2>&1 |");
----

then you ./strace_clean.pl <PID>. Also, if you aren't familiar with perl, this script is waiting for line returns (so it does work on other applications too, but you will not see the text until the user hits enter, vim, etc).

--root

----- strace_clean-new.pl
#!/usr/bin/perl -w
#
# Monitoring a user's shellcommands by using strace and displaying and cleaning up the read() syscalls
# Based on the tip posted to secfocus by Mark Lachniet, written by Tom Van de Wiele.
#
# To be used on a logfile or in real-time (as fast as /usr/bin/script logs to file that is) like this:
#
# # script /tmp/what_is_user_foo_doing.log
# Script started, file is /tmp/what_is_user_foo_doing.log
# # strace -p <PID of shell of user>
#
# Using a different terminal at the same time:
#
# # perl strace_clean.pl /tmp/what_is_user_doing.log
#

use strict;

# hi Kris :)

my $char;

# The argument is interpolated into a shell command line below, so accept
# nothing but a numeric PID.
die "usage: $0 <PID>\n" unless defined $ARGV[0] && $ARGV[0] =~ /^\d+$/;

# strace writes its trace to stderr, hence the 2>&1 before the pipe.
open (F, "strace -p $ARGV[0] 2>&1 |") or die "cannot run strace: $!\n";

while (<F>)
{
    # Only read() calls are of interest.
    next if !/^read/;
    next if /^$/;

    # read(0, "...") is the traced process reading from its stdin.
    if (/^read\(0,\s\"(.*)\".*/)
    {
        $char = $1;

        if ($char =~ /\\r/)
        {
            print "\n";       # carriage return: end of the typed line
        }
        elsif ($char =~ /\\177/)
        {
            print "\b";       # DEL (octal 177): backspace
        }
        elsif ($char =~ /\\t/)
        {
            print "<TAB>";    # tab key
        }
        else
        {
            print $char;
        }
    }
}

close (F);

#EOF