We use shared accounts on our servers. Each uses a different ssh key. Is there a way to create an audit trail of who ran what commands? We can distinguish real "users" by the ssh key used.
-
I don't think there is a way, and especially not one that isn't easily bypassed or an ugly hack. It's much better to abolish shared accounts. – Falcon Momot Sep 26 '13 at 01:08
-
While we're still small, it's hugely convenient sharing accounts for things like pushing to prod. This isn't a trust issue, but rather being able to easily track down who's running long-running commands for example. – moinudin Sep 27 '13 at 07:32
1 Answer
I don't see a way to do it in one place, but if you're willing to trudge through the logs you can get SSHD to log the key fingerprint when someone logs in:
And then log the commands:
How do I log every command executed by a user?
Notice in the comments there's a note about getting this to work on Ubuntu.
You can then connect the session ID found in the system logs to the command logs through ausearch:
http://linux.die.net/man/8/ausearch
In the end, if you can separate the accounts (and manage permissions based on a group?) that might simplify things for you.
-
Unfortunately the commands logged are more like key presses, so if a user hits up+enter those keys are logged rather than the command. – moinudin Sep 27 '13 at 07:29
-
That is because the software doing the logging is unaware of the shell. If it operated any other way it could be defeated by running a subshell. – Falcon Momot Sep 27 '13 at 07:50
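The correlation the answer describes, as an added example that is not part of the original thread: it joins sshd login lines (key fingerprint) to audit sessions and then to the logged keystrokes. It assumes sshd writes the fingerprint on its "Accepted publickey" line, that the command logging is pam_tty_audit (which emits `TTY` audit records), and that the sshd PID in syslog matches the `pid=` of the session's `USER_START` record; the log lines, fingerprints and owner names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a real host). Assumed formats: sshd
# "Accepted publickey" lines carrying the key fingerprint, and audit
# USER_START / TTY records as produced with pam_tty_audit enabled.
AUTH_LOG = """\
Sep 27 07:20:01 prod1 sshd[4101]: Accepted publickey for deploy from 198.51.100.7 port 50122 ssh2: ED25519 SHA256:AAAAexampleFingerprintAlice
Sep 27 07:21:14 prod1 sshd[4188]: Accepted publickey for deploy from 198.51.100.9 port 50311 ssh2: ED25519 SHA256:BBBBexampleFingerprintBob
"""
AUDIT_LOG = """\
type=USER_START msg=audit(1380266401.100:900): pid=4101 uid=0 auid=1001 ses=41 msg='op=PAM:session_open acct="deploy" exe="/usr/sbin/sshd" res=success'
type=USER_START msg=audit(1380266474.200:910): pid=4188 uid=0 auid=1001 ses=42 msg='op=PAM:session_open acct="deploy" exe="/usr/sbin/sshd" res=success'
type=TTY msg=audit(1380266480.300:911): tty pid=4190 uid=1001 auid=1001 ses=42 major=136 minor=1 comm="bash" data=2E2F6465706C6F792E73680D
type=TTY msg=audit(1380266490.400:912): tty pid=4103 uid=1001 auid=1001 ses=41 major=136 minor=0 comm="bash" data=1B5B410D
"""
# Hypothetical mapping maintained by the admins: fingerprint -> person.
KEY_OWNERS = {"SHA256:AAAAexampleFingerprintAlice": "alice",
              "SHA256:BBBBexampleFingerprintBob": "bob"}

ACCEPT = re.compile(r"sshd\[(\d+)\]: Accepted publickey for \S+ from \S+ "
                    r"port \d+ ssh2: \S+ (\S+)")
FIELD = re.compile(r"\b(pid|ses|data)=(\S+)")

def printable(hexdata):
    """Decode the hex 'data' field; show control bytes as \\xNN escapes."""
    raw = bytes.fromhex(hexdata)
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in raw)

def attribute(auth_log, audit_log, owners):
    """Return {person: [keystroke strings]} for a shared account."""
    pid_to_fp = {m.group(1): m.group(2) for m in ACCEPT.finditer(auth_log)}
    ses_to_fp, report = {}, defaultdict(list)
    for line in audit_log.splitlines():
        f = dict(FIELD.findall(line))
        if line.startswith("type=USER_START") and f.get("pid") in pid_to_fp:
            # PIDs get reused: on real logs also compare timestamps here.
            ses_to_fp[f["ses"]] = pid_to_fp[f["pid"]]
        elif line.startswith("type=TTY") and "data" in f:
            fp = ses_to_fp.get(f["ses"], "unknown-key")
            report[owners.get(fp, fp)].append(printable(f["data"]))
    return dict(report)

if __name__ == "__main__":
    for person, keys in attribute(AUTH_LOG, AUDIT_LOG, KEY_OWNERS).items():
        print(person, keys)
```

The second constructed `TTY` record decodes to `\x1b[A\x0d`, the up-arrow escape sequence followed by Enter, which is the keystroke-level logging the comments above discuss.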