Linux and UNIX Auditing Using screen
How screen is setup and started:
'screen' is not provided with Linux or Solaris 10 by default, but can be downloaded and installed easily. As with script, screen is not a dedicated auditing tool: it is a terminal multiplexer whose original purpose is to let several users connect to one session for collaboration. However, this very concept can be used for auditing as well.
Screen can be combined with SSH so that screen is launched immediately upon login, by creating an entry in authorized_keys that forces a command: edit authorized_keys, check which screen executable is available on the system, and point the forced command at a script that starts it. In the example below, a script called 'wrapper' is used for this purpose.
What screen records:
In the example configuration above, whenever the user issues a command, it is passed to the 'wrapper' script in the environment variable SSH_ORIGINAL_COMMAND, and the resulting session is logged by screen.
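The forced-command setup described in the two sections above, written out as an added example (this is not the page's own 'wrapper' and the paths /usr/local/bin/wrapper and /var/log/screen-audit are assumptions). forced_key_line() builds the authorized_keys entry, wrapper_script() emits the script that sshd runs on every login with that key, and install_wrapper() places it on the host:

```shell
#!/bin/sh
# Added example, not from the original page. Assumed (hypothetical) paths:
#   WRAPPER   - the forced-command script the authorized_keys entry points at
#   AUDIT_DIR - directory for the per-session screen logs and the login record
WRAPPER=/usr/local/bin/wrapper
AUDIT_DIR=/var/log/screen-audit

# authorized_keys line for one public key. command= makes sshd run the wrapper
# no matter what the client asked for; the client's own request is handed to
# the wrapper in SSH_ORIGINAL_COMMAND. The extra options close the side
# channels (port, X11 and agent forwarding) that the session log would not see.
forced_key_line() {   # arg: the public key line ("ssh-ed25519 AAAA... comment")
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$WRAPPER" "$1"
}

# One line for the login record: who connected, from where, what they asked for.
login_record() {   # args: user client_ip original_command
    printf '%s user=%s from=%s request=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "${3:-<interactive>}"
}

# The wrapper itself. Quoted heredoc: nothing expands until the wrapper runs.
wrapper_script() {
    cat <<'EOF'
#!/bin/sh
# Forced-command wrapper: every login on the audited key lands here.
AUDIT_DIR=/var/log/screen-audit
USER_NAME=$(id -un)
STAMP=$(date -u +%Y%m%d-%H%M%S)
LOG="$AUDIT_DIR/$USER_NAME.$STAMP.log"
RC=$(mktemp)
# Per-session screenrc: log every window from its first line, flush each second.
printf 'deflog on\nlogfile %s\nlogfile flush 1\n' "$LOG" > "$RC"
echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) user=$USER_NAME from=${SSH_CLIENT%% *} request=${SSH_ORIGINAL_COMMAND:-<interactive>}" >> "$AUDIT_DIR/logins.log"
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    # The client asked for a specific command: run it inside screen so it is logged too.
    exec screen -c "$RC" -S "audit-$USER_NAME-$$" sh -c "$SSH_ORIGINAL_COMMAND"
fi
# Plain login: an interactive login shell inside the logged screen session.
exec screen -c "$RC" -S "audit-$USER_NAME-$$" "${SHELL:-/bin/sh}" -l
EOF
}

# Run as root on the audited host. Sticky directory: users can add their own
# logs but cannot remove each other's.
install_wrapper() {
    mkdir -p "$AUDIT_DIR" && chmod 1777 "$AUDIT_DIR"
    wrapper_script > "$WRAPPER" && chmod 755 "$WRAPPER"
}

# Usage: sh this_file.sh install   (then append forced_key_line output to
# ~user/.ssh/authorized_keys for each audited key)
if [ "${1:-}" = "install" ]; then
    install_wrapper
fi
```

Two points a practitioner should keep in mind. First, the log is written by the user's own screen process, so the user can edit or truncate it unless the directory is append-only or the files are shipped off the host as they grow. Second, the -S name lets an auditor attach with screen -x -S audit-<user>-<pid>; that attachment shares the keyboard, so a genuinely read-only view needs screen's multiuser ACLs (multiuser on plus an aclchg entry that removes write permission for the auditor's account).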
Security and audit implications:
Screen allows live monitoring of user activity, without buffering. A second session can attach to the same screen session, with the second window exactly duplicating the original. However, the auditor must attach in read-only mode; otherwise keystrokes in the second window are reflected in the original window and the user becomes aware of the auditing activity in real time.
You can also disconnect from the session without terminating it, and return to it later.
The live monitoring and the disconnect/reconnect abilities make screen an improvement over script. But similar to script, screen does not record internals (spawned processes / commands). Only the interactive session is logged.
An SSH key can be used to log in to the session to authenticate that screen is running.
When to use screen:
Screen is best for auditing purposes that require interactive collaboration, for example when the user knows that s/he is being monitored and the auditor provides feedback on actions performed within the session. Screen bridges a gap between a subset of security audit requirements and user training requirements.