I'm looking for a way that I can record and audit SSH sessions for users on my server. I need to be able to know when a user executed a command, what command they executed, and also be able to follow them through logins into other accounts (if a user were to run sudo -Hiu otheruser, the otheruser session should still be tracked from the main user's logs since they did not log in directly).

script doesn't seem to be a solution since the logs are recorded from the user's account which makes it vulnerable to tampering/destruction, and it also doesn't have timestamps for the commands.

Is there a commonly used tool / open source suite for a use case like this?

lonewaft

2 Answers

1

This question seems to have been asked, and answered, many times before: Stack Exchange to the Rescue

The second answer in particular seems to offer a potential solution using functionality built into sshd itself, as documented here: SSH Recording, but it won't stand up to any determined effort to defeat it.

This technique in conjunction with the logger command may meet your requirements.

  • Wait, where is the bit where session recording is built into sshd itself? The page you linked to describes a really hacky way of recording sessions that is quite easy to bypass, that I can't imagine anyone describing as "elegant". What did I miss here? – Michael Hampton May 14 '19 at 01:09
  • I may have overstepped by calling it 'elegant'; I was quite astounded to learn that SSH supports adding a command before an SSH key within the authorized_keys file. Add the forced command to each user's key: ```command="/usr/local/sbin/log-session" ssh-dss AAAAB3NzaC1kc3MAAAEBAMKr1HxJzOWRQCm16Sf...``` – Shannon Haworth May 14 '19 at 13:35
  • The problem is that the user can just remove that themselves, or add a new key that doesn't have a command in it. – Michael Hampton May 14 '19 at 18:42
  • @MichaelHampton agreed, I didn't assume ill intent on the part of the users, which the OP did hint at in the question. In a scenario where there is ill intent I doubt there is a solution that exists in userland. My intent in answering this question was to point out that this was a well-worn path. Then I spotted the authorized_keys feature, which I could have put to use many, many times and was eager to share. – Shannon Haworth May 15 '19 at 13:35
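The comments above leave the forced-command approach with an obvious gap: any key in `authorized_keys` that lacks the `command=` option (or carries a different one) gives an unlogged session. The script below is an added example, not code from either answer, that audits an `authorized_keys` file for exactly that: it parses the option field properly (quoted commands may contain commas and spaces, so a naive split gets them wrong), flags keys missing `command="/usr/local/sbin/log-session"` (the path assumed from Shannon Haworth's comment), and also flags keys that still allow port forwarding, which a forced command on its own does not cover. The sample file content and key material are constructed.

```python
import re
# An option is name or name="value"; a quoted value may hold commas, spaces
# and backslash-escaped quotes, so the option field cannot be split naively.
_OPT = r'[A-Za-z0-9-]+(?:="(?:[^"\\]|\\.)*")?'
_LINE = re.compile(
    r'^(?:(?P<opts>' + _OPT + r'(?:,' + _OPT + r')*)\s+)?'
    r'(?P<type>sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com'
    r'|ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))'
    r'\s+(?P<key>\S+)(?:\s+(?P<comment>.*))?$')
_OPT_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?')

# Constructed sample authorized_keys content with fake key material.
SAMPLE = """\
command="/usr/local/sbin/log-session",restrict ssh-ed25519 AAAAC3_fake1 alice@laptop
ssh-ed25519 AAAAC3_fake2 bob@laptop
command="/bin/true",no-port-forwarding ssh-rsa AAAAB3_fake3
"""

def parse_authorized_key(line):
    """Return (options, keytype, key, comment), or None for blank and # lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised authorized_keys line: {line!r}")
    options = {}
    for om in _OPT_RE.finditer(m.group("opts") or ""):
        name, value = om.group(1).lower(), om.group(2)  # value None if bare keyword
        options[name] = True if value is None else re.sub(r'\\(.)', r'\1', value)
    return options, m.group("type"), m.group("key"), m.group("comment") or ""

def audit_authorized_keys(text, required="/usr/local/sbin/log-session"):
    """One finding per key that could get a session past the logging wrapper."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_authorized_key(line)
        if parsed is None:
            continue
        options, keytype, _key, comment = parsed
        who = f"line {n} ({keytype} {comment or 'no comment'})"
        cmd = options.get("command")
        if cmd is None:
            findings.append(f"{who}: no forced command, session is unlogged")
        elif cmd != required:
            findings.append(f"{who}: command is {cmd!r}, not {required!r}")
        # command= wraps shells and commands only; forwarding stays open unless denied
        if "restrict" not in options and "no-port-forwarding" not in options:
            findings.append(f"{who}: port forwarding still allowed")
    return findings
```

Run it over every user's `authorized_keys` from a root cron job, and remember that it only catches keys the user has written there; it does nothing about a user editing the file after the check, which is Michael Hampton's point.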
0

RHEL 8 has integrated session recording with the tlog package. For other distributions you could probably install it yourself.

Michael Hampton