Monitoring SSH sessions user activities

 
M.S
Advisor

Monitoring SSH sessions user activities

Hi All,

We have a server, where all users connect to before connecting to other servers beyond it.
Is there a way/tool which monitors what each user is doing on these servers (what commands they are performing) and saves this info in a file?

Thanks,

4 REPLIES
Steven E. Protter
Exalted Contributor

Re: Monitoring SSH sessions user activities

Shalom,

Set the variables HISTFILE and HISTSIZE in the .profile for the user or /etc/profile and all commands will be recorded.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Matti_Kurkela
Honored Contributor
Solution

Re: Monitoring SSH sessions user activities

The shell history indicated by SEP is user-modifiable, so it's no good if you need the logs for audit/legal purposes.

We're using the "sudosh" utility to record any activities on system & application admin accounts on some critical systems, but the documentation indicates it's usable as a login shell wrapper too:

http://en.wikipedia.org/wiki/Sudosh

It records everything the user sees and does.
It's available as a source package, so you'll have to compile it.

Remember to allocate plenty of disk space for sudosh logs if you use it. If you run out of disk space for logs, your log record will of course be incomplete.

MK
Mike Stroyan
Honored Contributor

Re: Monitoring SSH sessions user activities

You could edit /etc/ssh/sshd_config and tell sshd to wrap particular logins in a script command. That is very intrusive. There would be no privacy!

# Log all output for users in group 'audited'
Match Group=audited
ForceCommand script -qfa -c 'bash -i' /tmp/snoop_$USER


The user needs access to the file that script is writing. You can prevent them from overwriting that data if you direct script to write into a named pipe that the data is copied out of.

# mknod /tmp/snoop_user1 p
# chmod 600 /tmp/snoop_user1
# cat < /tmp/snoop_user1 >> /var/log/snoop_user1 &
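
Added example, not part of the post above: a single `cat < pipe` reaches EOF and exits when the first session closes the pipe, so later sessions would go unrecorded; this version keeps one reader alive across sessions. It assumes Linux FIFO semantics for `<>`, and the function names and temporary paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread; function names and paths are assumptions.
# Assumes Linux FIFO semantics: a FIFO opened read-write ("<>") opens without
# blocking and its reader never sees EOF, because it holds a write end itself.

# start_collector FIFO LOG: append everything written to FIFO to LOG.
start_collector() {
    fifo=$1 log=$2
    # Mode 600 as in the post; ownership is left to the deployment.
    [ -p "$fifo" ] || mkfifo -m 600 "$fifo" || return 1
    # Create the log readable only by the collector's owner.
    ( umask 077; : >> "$log" ) || return 1
    # "cat < fifo" exits at EOF when the first session closes the pipe;
    # "<>" keeps a single reader alive across any number of sessions.
    cat <> "$fifo" >> "$log" &
    COLLECTOR_PID=$!
}

# stop_collector FIFO: terminate the reader and remove the FIFO.
stop_collector() {
    kill "$COLLECTOR_PID" 2>/dev/null || true
    wait "$COLLECTOR_PID" 2>/dev/null || true
    rm -f "$1"
}

# wait_for_lines FILE N: poll for up to 5 s until FILE has at least N lines.
wait_for_lines() {
    tries=5
    while [ "$(wc -l < "$1")" -lt "$2" ] && [ "$tries" -gt 0 ]; do
        sleep 1; tries=$((tries - 1))
    done
    [ "$(wc -l < "$1")" -ge "$2" ]
}

# demo_sessions: two constructed sessions write to the pipe in turn; prints the log.
demo_sessions() {
    dir=$(mktemp -d) || return 1
    start_collector "$dir/snoop_user1" "$dir/snoop_user1.log" || return 1
    printf 'session 1: ls -l /etc\n' > "$dir/snoop_user1"
    printf 'session 2: id\n' > "$dir/snoop_user1"
    wait_for_lines "$dir/snoop_user1.log" 2
    cat "$dir/snoop_user1.log"
    stop_collector "$dir/snoop_user1"
    rm -rf "$dir"
}
```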
M.S
Advisor

Re: Monitoring SSH sessions user activities

Thx Guys,

Sudosh was a good idea.