https://community.hpe.com/t5/operating-system-linux/monitoring-ssh-sessions-user-activities/m-p/4334114#M34794 Shalom,<BR /><BR />Set the variables HISTFILE and HISTSIZE in the .profile for the user or /etc/profile and all commands will be recorded.<BR /><BR />SEP Thu, 08 Jan 2009 15:30:07 GMT Steven E. Protter 2009-01-08T15:30:07Z https://community.hpe.com/t5/operating-system-linux/monitoring-ssh-sessions-user-activities/m-p/4334113#M34793 Hi All,<BR /><BR />We have a server, where all users connect to before connecting to other servers beyond it. <BR />Is there a way/tool which monitor each user what is doing on these servers (what commands they are performing) and save these info in a file.<BR /><BR />Thanks,<BR /><BR /> Thu, 08 Jan 2009 15:07:13 GMT https://community.hpe.com/t5/operating-system-linux/monitoring-ssh-sessions-user-activities/m-p/4334113#M34793 M.S 2009-01-08T15:07:13Z https://community.hpe.com/t5/operating-system-linux/monitoring-ssh-sessions-user-activities/m-p/4334114#M34794 Shalom,<BR /><BR />Set the variables HISTFILE and HISTSIZE in the .profile for the user or /etc/profile and all commands will be recorded.<BR /><BR />SEP Thu, 08 Jan 2009 15:30:07 GMT https://community.hpe.com/t5/operating-system-linux/monitoring-ssh-sessions-user-activities/m-p/4334114#M34794 Steven E. Protter 2009-01-08T15:30:07Z https://community.hpe.com/t5/operating-system-linux/monitoring-ssh-sessions-user-activities/m-p/4334115#M34795 The shell history indicated by SEP is user-modifiable, so it's no good if you need the logs for audit/legal purposes.<BR /><BR />We're using the "sudosh" utility to record any activities on system &amp; application admin accounts on some critical systems, but the documentation indicates it's usable as a login shell wrapper too:<BR /><BR /><A href="http://en.wikipedia.org/wiki/Sudosh" target="_blank">http://en.wikipedia.org/wiki/Sudosh</A><BR /><BR />It records everything the user sees and does.<BR />It's available as a source package, so you'll have to compile it.<BR /> <BR />Remember to allocate plenty of disk space for sudosh logs if you use it. If you run out of disk space for logs, your log record will of course be incomplete.<BR /><BR />MK Thu, 08 Jan 2009 15:43:36 GMT https://community.hpe.com/t5/operating-system-linux/monitoring-ssh-sessions-user-activities/m-p/4334115#M34795 Matti_Kurkela 2009-01-08T15:43:36Z https://community.hpe.com/t5/operating-system-linux/monitoring-ssh-sessions-user-activities/m-p/4334116#M34796 You could edit /etc/ssh/sshd_config and tell<BR />sshd to wrap particular logins in a script command. That is very intrusive. There would be no privacy!<BR /><BR /># Log all output for users in group 'audited'<BR />Match Group=audited<BR /> ForceCommand script -qfa -c 'bash -i' /tmp/snoop_$USER<BR /><BR /><BR />The user needs access to the file that script is writing. You can prevent them from overwriting that data if you direct script to write into a named pipe that the data is copied out of.<BR /><BR /># mknod /tmp/snoop_user1<BR /># chmod 600 /tmp/snoop_user1<BR /># cat &lt; /tmp/snoop_user1 &gt;&gt; /var/log/snoop_user1 &amp;<BR /> Thu, 08 Jan 2009 16:45:49 GMT https://community.hpe.com/t5/operating-system-linux/monitoring-ssh-sessions-user-activities/m-p/4334116#M34796 Mike Stroyan 2009-01-08T16:45:49Z https://community.hpe.com/t5/operating-system-linux/monitoring-ssh-sessions-user-activities/m-p/4334117#M34797 Thx Guys,<BR /><BR />Sudosh was a good idea.<BR /><BR /> Fri, 09 Jan 2009 12:45:01 GMT https://community.hpe.com/t5/operating-system-linux/monitoring-ssh-sessions-user-activities/m-p/4334117#M34797 M.S 2009-01-09T12:45:01Z