Auditing SSH sessions?
I'm looking for a way that I can record and audit SSH sessions for users on my server. I need to be able to know when a user executed a command, what command they executed, and also be able to follow them through logins into other accounts (if a user were to run sudo -Hiu otheruser, the otheruser session should still be tracked from the main user's logs since they did not log in directly).

script doesn't seem to be a solution since the logs are recorded from the user's account, which makes it vulnerable to tampering/destruction, and it also doesn't have timestamps for the commands.

Is there a commonly used tool / open source suite for a use case like this?

linux ssh audit
asked May 13 at 19:32
lonewaft
971
2 Answers
This question seems to have been asked, and answered, many times before:
Stack Exchange to the Rescue
The second answer in particular seems to offer a potential solution using functionality built into SSHd itself as documented here SSH Recording but won't stand up to any determined effort to defeat it.
This technique in conjunction with the logger command may meet your requirements.
edited May 15 at 13:37
answered May 13 at 23:58
Shannon Haworth
112
Wait, where is the bit where session recording is built into sshd itself? The page you linked to describes a really hacky way of recording sessions that is quite easy to bypass, that I can't imagine anyone describing as "elegant". What did I miss here?
– Michael Hampton♦
May 14 at 1:09
I may have overstepped by calling it 'elegant', I was quite astounded to learn that SSH supports adding a command before a ssh key within the authorized keys file: Add the forced command to each user's key:
command="/usr/local/sbin/log-session" ssh-dss AAAAB3NzaC1kc3MAAAEBAMKr1HxJzOWRQCm16Sf...
– Shannon Haworth
May 14 at 13:35
The problem is that the user can just remove that themselves, or add a new key that doesn't have a command in it.
– Michael Hampton♦
May 14 at 18:42
@MichaelHampton agreed, I didn't assume ill intent on the part of the users, which the OP did hint at in the question. In a scenario where there is ill intent I doubt there is a solution that exists in userland. My intent in answering this question was to point out that this was a well worn path. Then I spotted the authorized keys feature, which I could have put to use many many times and was eager to share.
– Shannon Haworth
May 15 at 13:35
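Worked example, added here and not code from the linked answer or from either poster: a minimal /usr/local/sbin/log-session in the style of the forced-command entry quoted in the comments above. The install path, the syslog tag ssh-session and the way SSH_CONNECTION and SSH_ORIGINAL_COMMAND are read are assumptions; it needs util-linux script and logger. It addresses the two gaps raised in the question: the typescript is streamed straight into syslog, so every line carries a syslog timestamp and can be forwarded off the box instead of sitting in a file the user owns, and because it wraps the pty, whatever is typed after sudo -Hiu otheruser stays in the same recording.

```shell
#!/bin/sh
# Added example, not the script from the linked answer: a forced-command
# session recorder for an authorized_keys entry of the form
#   command="/usr/local/sbin/log-session" ssh-ed25519 AAAA...
# The path, the syslog tag and the environment handling are assumptions;
# util-linux `script` and `logger` are required.
#
# sshd runs the forced command as the logged-in user. SSH_CONNECTION holds
# "client_ip client_port server_ip server_port"; SSH_ORIGINAL_COMMAND is set
# only when the client asked for a specific command (scp, rsync, ssh host cmd).

TAG="ssh-session"   # assumed syslog tag; match it in rsyslog/journald filters

# Session identifier built from login name, client address and UTC time.
# Everything outside [A-Za-z0-9._-] becomes "_", so values taken from the
# environment cannot inject spaces, quotes or path separators.
session_id() {
    printf '%s_%s_%s' "$1" "$2" "$3" | tr -c 'A-Za-z0-9._-' '_'
}

# Single-quote a string so it is safe to embed in one audit line.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# One key=value audit record: event, user, client, session id, optional command.
audit_line() {
    event="$1"; user="$2"; client="$3"; id="$4"; cmd="$5"
    line="$event user=$user client=$client id=$id"
    if [ -n "$cmd" ]; then
        line="$line cmd=$(shell_quote "$cmd")"
    fi
    printf '%s' "$line"
}

# Emit one record to syslog; --id ties it to the captured lines below.
log() { logger -t "$TAG" -p auth.info --id="$$" "$1"; }

main() {
    user="$(id -un)"
    client="${SSH_CONNECTION%% *}"            # first field: client address
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    id="$(session_id "$user" "$client" "$stamp")"
    shell="${SHELL:-/bin/sh}"

    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        # Non-interactive request (no pty): record the command, not the bytes.
        log "$(audit_line start "$user" "$client" "$id" "$SSH_ORIGINAL_COMMAND")"
        "$shell" -c "$SSH_ORIGINAL_COMMAND"
        status=$?
    else
        # Interactive login: wrap the pty in `script`. The typescript goes to a
        # FIFO that logger drains into syslog, so each line is timestamped by
        # syslog and leaves the user's reach immediately. A later
        # `sudo -Hiu otheruser` is still the same pty and lands in this record.
        tmp="$(mktemp -d)"
        mkfifo "$tmp/typescript"
        logger -t "$TAG" -p auth.info --id="$$" < "$tmp/typescript" &
        log "$(audit_line start "$user" "$client" "$id" "")"
        script -q --return --flush -c "$shell -l" "$tmp/typescript"
        status=$?
        wait
        rm -rf "$tmp"
    fi
    log "$(audit_line end "$user" "$client" "$id" "") status=$status"
    exit "$status"
}

# Run only when installed under the name the forced command points at;
# loading the file under another name just defines the functions.
case "${0##*/}" in log-session) main "$@" ;; esac
```

The forced command only helps if the user cannot edit it away, which is the objection raised in the comments. Either point AuthorizedKeysFile in sshd_config at a root-owned location such as /etc/ssh/authorized_keys/%u, or drop the per-key command entirely and set ForceCommand /usr/local/sbin/log-session inside a Match block for the audited group. The script still runs as the user, so the defence is that the bytes have already left via logger; forward auth.* to a remote collector for a copy that local root cannot edit, and use the PID recorded by --id to line up the start/end records with the captured lines.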
RHEL 8 has integrated session recording with the tlog
package. For other distributions you could probably install it yourself.
answered May 13 at 19:51
Michael Hampton♦
178k27325657