4

Question: on an ex.: Linux or AIX machine, how can we log the things that happened via ssh? ex.: a user logged in, gave out a few commands, or an automated tool executed something via ssh, or someone simply issued a "ssh root@server commandhere" command?

  • Depending on the level of resources you are willing to throw at the problem, and the company policies in place, there are commercial products that you can install which will provide 100% logging of all sessions, so that an administrator can basically watch a movie of any particular session after the fact. – Don Simon Apr 27 '15 at 17:20

3 Answers

4

The sudo command ships with the ability to audit and then replay sessions. While most people use sudo to execute commands as root, you can define a simple rule that allows users to only sudo to themselves (e.g. nothing they couldn't already do!)

By using sudosh as the user's login shell, you can enforce that everything is logged (stdin, stdout, stderr, etc). It applies to both interactive and non-interactive shells and logs absolutely everything - even what transpires inside of an editor like vim.

Using the sudoreplay command, you can then review session transcripts. It will even replay logs where the user entered an interactive program like vim.

Enabling audit logs of sudo sessions is easy.

Add this to /etc/sudoers.d/sudosh

Defaults log_output
Defaults!/usr/bin/sudoreplay !log_output
Defaults!/sbin/reboot !log_output

To allow users to sudo to themselves, add a line like this to a file like /etc/sudoers.d/sudosh.osterman:

osterman ALL=(osterman) ALL

Then to force a user's session (e.g. osterman) to be logged, run:

chsh -s /usr/bin/sudosh osterman

Download sudosh here. It assumes you've already installed sudo.
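As an added example (not from this answer and not code from the sudosh project), here is a small Python reader for the session files that sudo's log_output leaves on disk, so an administrator can pull out what was typed without going through sudoreplay. It follows the layout documented in sudoers(5) under "I/O LOG FILES": a text file named timing whose lines are "<type> <delay> <bytes>" (0/1/2 = stdin/stdout/stderr, 3 = tty input, 4 = tty output; 5 = window size change and 7 = suspend carry no bytes), next to one raw byte file per stream. The prompt text, user name and every byte of the sample session are constructed for this example; the assumed defaults (iolog directory /var/log/sudo-io) are mentioned only in comments.

```python
# Added example: reads a sudo "log_output" session (timing file + per-stream
# byte files, layout per sudoers(5) "I/O LOG FILES"). Not sudosh code.
from __future__ import annotations
from dataclasses import dataclass

STREAM_NAMES = {0: "stdin", 1: "stdout", 2: "stderr", 3: "ttyin", 4: "ttyout"}
TTYIN, TTYOUT = 3, 4


@dataclass
class Event:
    kind: int      # timing record type (see STREAM_NAMES; 5/7 are metadata)
    delay: float   # seconds since the previous record
    data: bytes    # bytes carved from the stream file; empty for metadata


def parse_iolog(timing: str, streams: dict[str, bytes]) -> list[Event]:
    """Walk the timing file and carve each stream file into per-record chunks.

    Raises ValueError when a stream file is shorter or longer than the timing
    file says, which is what a truncated or hand-edited session looks like.
    """
    offsets = {name: 0 for name in STREAM_NAMES.values()}
    events: list[Event] = []
    for lineno, line in enumerate(timing.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        kind, delay = int(fields[0]), float(fields[1])
        if kind not in STREAM_NAMES:          # winsize / suspend: no payload
            events.append(Event(kind, delay, b""))
            continue
        name, length = STREAM_NAMES[kind], int(fields[2])
        buf = streams.get(name, b"")
        chunk = buf[offsets[name]:offsets[name] + length]
        if len(chunk) != length:
            raise ValueError(f"timing line {lineno}: {name} file ends early")
        offsets[name] += length
        events.append(Event(kind, delay, chunk))
    for name, used in offsets.items():        # trailing bytes nobody accounts for
        if used != len(streams.get(name, b"")):
            raise ValueError(f"{name} file has bytes not covered by timing")
    return events


def is_intact(timing: str, streams: dict[str, bytes]) -> bool:
    """True when the timing file and the stream files agree byte for byte."""
    try:
        parse_iolog(timing, streams)
        return True
    except ValueError:
        return False


def typed_commands(events: list[Event]) -> list[str]:
    """Reconstruct the lines the user entered from tty input.

    Handles Enter (CR/LF), Backspace/DEL erase and Ctrl-C cancel; arrow keys
    or readline history recall would need a real terminal emulator.
    """
    lines, cur = [], bytearray()
    for ev in events:
        if ev.kind != TTYIN:
            continue
        for b in ev.data:
            if b in (0x0D, 0x0A):
                lines.append(cur.decode(errors="replace"))
                cur = bytearray()
            elif b in (0x08, 0x7F):
                if cur:
                    cur.pop()
            elif b == 0x03:
                cur = bytearray()
            else:
                cur.append(b)
    if cur:
        lines.append(cur.decode(errors="replace"))
    return lines


def screen_output(events: list[Event]) -> str:
    """Everything the terminal displayed, in order (what sudoreplay shows)."""
    return b"".join(ev.data for ev in events if ev.kind == TTYOUT).decode(errors="replace")


def session_duration(events: list[Event]) -> float:
    """Wall-clock length of the session in seconds (sum of the delays)."""
    return sum(ev.delay for ev in events)


# Constructed sample (would live under /var/log/sudo-io/<id>/ on a real host):
# the user types "idd", erases one character, runs "id", then "exit".
SAMPLE_TIMING = """\
4 0.000 17
3 1.204 3
4 0.001 3
3 0.350 1
4 0.001 3
3 0.120 1
4 0.002 2
4 0.030 39
5 0.000 24 80
4 0.010 17
3 0.900 4
4 0.001 4
3 0.200 1
4 0.001 2
"""
SAMPLE_STREAMS = {
    "ttyin": b"idd\x7f\rexit\r",
    "ttyout": (b"osterman@host:~$ " b"idd" b"\x08 \x08" b"\r\n"
               b"uid=1000(osterman) gid=1000(osterman)\r\n"
               b"osterman@host:~$ " b"exit" b"\r\n"),
}

if __name__ == "__main__":
    evs = parse_iolog(SAMPLE_TIMING, SAMPLE_STREAMS)
    print(f"session lasted {session_duration(evs):.2f}s")
    print("commands typed:", typed_commands(evs))
    print(screen_output(evs))
```

The byte-count check is the part worth keeping when adapting this: because the timing file and the stream files are written together, a stream that is shorter or longer than the timing records account for is the simplest sign that a session log was cut off or altered after the fact.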

2

AIX has this in place for the default shell ksh: files are created in each user's homedir named .sh_history.

I have always liked the addition of the EXTENDED_HISTORY=ON shell variable (export it in /etc/profile, for example).

Now you can view the history with history -t or fc -t.

Please be aware that the history file is only created if an interactive shell is started, so I am not totally sure commands from scripts are logged in here.

If you really need to have this logging, and more, I would advise checking out the IBM Auditing and Accounting redbook or going with tools like tripwire.

chaos
  • 48,171
2

PaSSHport answers this issue. It's open source and is placed over OpenSSH to manage ssh access.

When a user connects (or launches a command directly, as in your "ssh root@server commandhere"), it either launches the script command or logs the command. So afterwards a "superadmin" can check the logs and check every command... and their results if it's via script.

The software is quite new but already used in a huge environment.