ssh user session logs

 
M. Ismail
Advisor

ssh user session logs

Hi *,

Is it possible to capture ssh [HP-UX Secure Shell] session information [log of the commands entered during the ssh user login session]?

Regds,
Ismail.
No problem can stand the assault of sustained thinking.
Robert-Jan Goossens
Honored Contributor

Re: ssh user session logs

Hi Ismail,

You will have to enable accounting; take a look at the following thread.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?admit=716493758+1081242352218+28353475&threadId=88105

Hope this helps,
Robert-Jan
Ralph Grothe
Honored Contributor

Re: ssh user session logs

Try to increase the sshd's loglevel.
It is per default informational.

e.g.

$ grep LogLevel /etc/ssh/sshd_config
#LogLevel INFO

Try debug, and send the leading sshd a SIGHUP

e.g.

# kill -HUP $(cat /var/run/sshd.pid)

Maybe this could produce what you're expecting.
But I cannot tell since I'm not running sshd in this mode.

Also read the manpage of sshd.
Madness, thy name is system administration
T G Manikandan
Honored Contributor

Re: ssh user session logs

You will have to set this in the sshd_config file.

The file is located in the ssh installation dir. On my installation it is under /usr/local/etc/openssh/sshd_config

#SyslogFacility AUTH
#LogLevel INFO
Uncomment the above lines, which should enable logging.

Thanks
M. Ismail
Advisor

Re: ssh user session logs

Hi All,

Thanks a lot for your replies!

Dear Ralph,

I did change the logging level to debug.
But could you please let me know the location of the log file, which will contain this debug information.
I did check the man page but could not find the log location.

Thanks & Regards,
Ismail.
No problem can stand the assault of sustained thinking.
Andrew Cowan
Honored Contributor

Re: ssh user session logs

You have to define a logfile to capture information for this trap level e.g. LOCAL4.INFO. You do this by adding an entry into the "/etc/syslogd.conf".

LOCAL4.INFO /var/log/sshd.log

(Remember to use a TAB character and not spaces between the fields "INFO/var...")
Next create a blank file "touch logfile", then restart syslog.

If you then restart sshd, you should see a new entry in the log file. I always change ssh to log at a separate level e.g. LOCAL4 as it prevents other programs from dumping spurious entries in your logfile.
M. Ismail
Advisor

Re: ssh user session logs

Thanks for your replies,

I tried using the 'debug' log level in ssh, and modified the syslog to direct the debug messages to a separate log file.
But the messages that appear in the log file are the ssh handshaking messages and other messages.
But what I require is the list of the commands entered by the users during their ssh session,
to monitor if the users have deleted any file
or have changed any settings.

I also tried to change the log level to LOCAL4;
after making this change I was unable to start ssh. It gives me the following message:
"10453: /opt/ssh/etc/sshd_config line 31: unsupported log level 'LOCAL4'
EXIT CODE: 255"

I also tried with the INFO log level, but even this level does not give me the list of the commands entered by the user.

Is there any log level which can give me the log of the commands entered by the user?

Or does the Accounting (Acct) on HP-UX have the facility to log the commands entered by the user? If so, it will be great if someone can let me know the steps to configure it.

Thanks a lot!

Regds,
Ismail.
No problem can stand the assault of sustained thinking.
Andrew Cowan
Honored Contributor

Re: ssh user session logs

OK. What you need to do is to edit the "/etc/ssh/sshd_config" and change the LOGLEVEL from INFO to DEBUG, then edit the "/etc/syslog.conf" to match, and restart both daemons.

There are two points here. One, there is a privacy issue here that may land you in legal hot water, and two, the log will be extremely verbose and grow very quickly. You will therefore have to create a large, separate and secure storage area for this log, and also regularly manage its size.
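Added example, not part of any post in this thread: a small check for the two configuration slips discussed above, a syslog facility such as LOCAL4 placed in LogLevel instead of SyslogFacility, and a syslog.conf selector that is missing its TAB or does not admit the debug priority. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check sshd_config logging options against syslog.conf.
TAB=$(printf '\t')

# First uncommented value of KEYWORD in FILE (sshd keywords are
# case-insensitive and the first occurrence wins).
sshd_option() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Prints one line per finding; the return status is the number of findings.
lint_ssh_logging() {
    cfg=$1 sys=$2 problems=0
    level=$(sshd_option LogLevel "$cfg" | tr '[:lower:]' '[:upper:]')
    fac=$(sshd_option SyslogFacility "$cfg" | tr '[:upper:]' '[:lower:]')
    level=${level:-INFO} fac=${fac:-auth}      # OpenSSH defaults when unset

    case $level in
        QUIET|FATAL|ERROR|INFO|VERBOSE|DEBUG|DEBUG[123]) ;;
        *)  echo "LogLevel $level is not a level; a facility goes in SyslogFacility"
            problems=$((problems + 1)) ;;
    esac

    sel=$(grep -v '^#' "$sys" | grep -i "$fac\." | head -n 1)
    if [ -z "$sel" ]; then
        echo "syslog.conf has no selector for facility $fac"
        problems=$((problems + 1))
    else
        case $sel in
            *"$TAB"*) ;;
            *)  echo "no TAB between selector and file: $sel"
                problems=$((problems + 1)) ;;
        esac
        case $level:$(echo "$sel" | tr '[:upper:]' '[:lower:]') in
            DEBUG*:*"$fac.debug"*) ;;
            DEBUG*) echo "LogLevel $level is dropped without $fac.debug: $sel"
                    problems=$((problems + 1)) ;;
        esac
    fi
    return $problems
}

# Constructed sample: DEBUG level, but an .info selector written with a space.
d=${TMPDIR:-/tmp}/sshlint.$$; mkdir -p "$d"
printf 'SyslogFacility LOCAL4\nLogLevel DEBUG\n' > "$d/sshd_config"
printf 'LOCAL4.INFO /var/log/sshd.log\n' > "$d/syslog.conf"
lint_ssh_logging "$d/sshd_config" "$d/syslog.conf" || echo "$? finding(s)"
rm -rf "$d"
```

A clean result only means sshd's own messages reach the file; as the later replies note, no LogLevel records the commands typed inside the session.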
Tomek Gryszkiewicz
Trusted Contributor

Re: ssh user session logs

Maybe instead of logging sshd, try to change the shell for the users which you want to "investigate"?
AFAIR restricted shell can do such things.

-Tomek
Ralph Grothe
Honored Contributor

Re: ssh user session logs

Hi Mohammed,

sorry for not responding to you.
(I haven't marked the email notification field)

I see you already did as Andrew advised you by configuring your syslogd.
It is indeed advisable to separate output of your daemons from the global syslog.log, especially when you run them in the very verbose DEBUG level (but don't forget any applications that linger logging in debug mode, they'll pretty soon fill up your filesystems).
The sshd falls under the log facility daemon.
But as you noticed, it seems that the various SSH loglevels only care for the connection, authentication, and authorization phases (which is natural since this usually causes users and admins the most headache, if any).
If you really want to monitor what your users are doing, once they are logged in, I'd stick with T.G.'s suggestion and look for some auditing software plugin.
I'm afraid that I cannot help you with that because on our servers we don't really have the need for that (lucky us).
We don't have to host for real Unix users since all of the application users are database users that are managed by the DB engines, and don't require to have a Unix home and shell.


Madness, thy name is system administration
M. Ismail
Advisor

Re: ssh user session logs

Dear all,

Thanks a lot for all of your efforts.

I do agree with TG & Ralph, that it might be possible to capture the user activity by customizing the shell.

I will do some investigation regarding the shell.

Thanks a lot!

Regds,
Ismail.
No problem can stand the assault of sustained thinking.
Bill Hassell
Honored Contributor

Re: ssh user session logs

As mentioned, ssh logging only refers to the protocol, not the text sent to/from the user's shell. If the shell is a POSIX shell such as ksh or /usr/bin/sh, then make sure the HISTFILE env variable is set to:

export HISTFILE=$HOME/.sh_history

This is the simplest logging method. It won't tell you what was typed when using vi or other interactive commands. For that, you would need to use the script command to log every keystroke. Just add it to the user's .profile at the end.


Bill Hassell, sysadmin
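Added example, not part of the post above: one way to combine the HISTFILE and script suggestions at the end of a .profile so that each login gets its own history file and transcript. The directory /var/adm/sessionlogs, the AUDIT_DIR and SESSION_LOGGED variables and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example for the end of a user's .profile: per-session history file
# plus a script(1) transcript. AUDIT_DIR and SESSION_LOGGED are hypothetical.
AUDIT_DIR=${AUDIT_DIR:-/var/adm/sessionlogs}

# Build "user.tty.timestamp.pid" so concurrent logins never share a file.
session_name() {    # args: user tty-path timestamp pid
    tty_part=$(printf '%s' "$2" | sed -e 's|^/dev/||' -e 's|/|_|g')
    printf '%s.%s.%s.%s\n' "$1" "$tty_part" "$3" "$4"
}

start_session_log() {
    # script(1) starts a new shell; the marker stops that shell from
    # wrapping itself again if this snippet is also reachable from $ENV.
    [ -z "${SESSION_LOGGED:-}" ] || return 0
    # Report failure instead of silently logging nowhere.
    [ -d "$AUDIT_DIR" ] && [ -w "$AUDIT_DIR" ] || return 1
    name=$(session_name "${LOGNAME:-unknown}" "$(tty)" "$(date +%Y%m%d%H%M%S)" "$$")
    HISTFILE=$AUDIT_DIR/$name.hist      # command history, as in the post above
    SESSION_LOGGED=1
    export HISTFILE SESSION_LOGGED
    exec script "$AUDIT_DIR/$name.tty"  # full transcript; leaving it ends the login
}

# Only wrap interactive logins; leave scp/sftp and remote commands alone.
case $- in
    *i*) start_session_log || echo "session logging unavailable" >&2 ;;
esac
```

Both files are written with the logged-in user's own permissions, so that user (and root in particular) can alter or remove them; treat them as a convenience record unless they are copied off the host.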
Wodisch
Honored Contributor

Re: ssh user session logs

Salam,

If you need access to all the characters typed and/or shown using "ssh", then you'll have to write, install, and use what is called a "STREAMS module". That module of yours has to be linked into your kernel, and then it has to be "pushed" onto the stream used by the ssh-session.
The module itself would then log everything going "upstream" (from keyboard to the shell) or "downstream" (output to the screen) and would have to make that accessible using "ioctl(2)".
Read the documentation about "STREAMS" for more details.
BTW, we are talking about implementing "spyware", aren't we?
You might violate local laws doing this!

FWIW,
Wodisch
M. Ismail
Advisor

Re: ssh user session logs

wa..salaam,

Dear Wodisch,

Your note makes sense.
I will investigate this.

The session logs are required because we have different 'root' & other admin users logging to our system from different countries.

Thanks a lot!

Regds,
Ismail.
No problem can stand the assault of sustained thinking.