Linux – How to log ssh client connection/command

linux logging netbsd ssh

I would like to know how I could log SSH command lines a user is using on a server. For example, if the user Alex on my server is doing the following set of commands:

$ cd /tmp
$ touch myfile
$ ssh staff@10.0.0.1
$ ssh staff@10.0.0.2
$ vim anotherfile
$ ssh alex@192.168.0.12

I would like to log the ssh commands used on the server in a file which looks like:

[2014-07-25 10:10:10] Alex : ssh staff@10.0.0.1
[2014-07-25 10:18:20] Alex : ssh staff@10.0.0.2
[2014-07-25 11:15:10] Alex : ssh alex@192.168.0.12

I don't care what he did during his ssh session, I just want to know WHEN and TO WHERE he made a connection to another server.

The user is not using bash and I would like to avoid manipulating .bash_history anyway as the user can modify it.

Any clue on this?

Thank you 🙂

Edit: to be more specific:

A user connects to a server A and then connects from the server A to server B. I want to track down to which server he connects through ssh from server A.

Best Answer

You could do it in three different ways as I see it. There are most likely many other ways to do it as well! The best method would be to attach an audit tool to the kernel's sysexec calls so it would be untraceable by the user etc. The two other ways would simply be to modify the shell environment to log it.

Instead of me (grabbing the code/answers from Google) showing you how to do it, I will give you links to sites that have already explained this in detail. I hope it's exactly what you need.

Btw, the easiest way is by far just to include something in your main bashrc/profile to affect all users.

Anyway, here are links to bashrc solutions.

1) Bashrc solution: How to log commands executed by all the users in Linux?
2) Bashrc/trap solution: Bash: History to Syslog

The other way (kernel level) would be to look into the tools audit or acct. There are many sites out there that tell you how to set up logging of commands via kernel sysexec calls.
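
As an added example (not part of the original answer or any linked site), here is one way to turn the kernel-level audit records the answer mentions into the log format the question asks for. It assumes Linux auditd with a rule on execve of /usr/bin/ssh; the sample records, the key name ssh_client, the function names and the uid-to-name mapping are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (not from the page). Assumed rule producing them:
#   auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/ssh -k ssh_client
SAMPLE = '''\
type=SYSCALL msg=audit(1406283010.123:456): arch=c000003e syscall=59 success=yes auid=1000 uid=1000 comm="ssh" exe="/usr/bin/ssh" key="ssh_client"
type=EXECVE msg=audit(1406283010.123:456): argc=2 a0="ssh" a1="staff@10.0.0.1"
type=SYSCALL msg=audit(1406283500.001:460): arch=c000003e syscall=59 success=yes auid=1000 uid=0 comm="ssh" exe="/usr/bin/ssh" key="ssh_client"
type=EXECVE msg=audit(1406283500.001:460): argc=3 a0="ssh" a1="staff@10.0.0.2" a2=756E616D65202D61
type=SYSCALL msg=audit(1406283600.000:470): arch=c000003e syscall=59 success=yes auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key=(null)
type=EXECVE msg=audit(1406283600.000:470): argc=2 a0="vim" a1="anotherfile"
'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """Quoted values are literal; auditd hex-encodes values containing spaces."""
    if value.startswith('"'):
        return value[1:-1]
    return bytes.fromhex(value).decode('utf-8', 'replace')

def ssh_connections(log_text, users):
    """Return '[time] user : ssh ...' lines for every ssh exec in the log."""
    events = {}  # records of one event share the same (epoch, serial) id
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, epoch, serial, body = m.groups()
            events.setdefault((int(epoch), int(serial)), {})[rtype] = dict(FIELD.findall(body))
    out = []
    for (epoch, _), recs in sorted(events.items()):
        sc, ex = recs.get('SYSCALL'), recs.get('EXECVE')
        if not sc or not ex or sc.get('exe') != '"/usr/bin/ssh"':
            continue
        argv = [decode(ex[f'a{i}']) for i in range(int(ex['argc']))]
        # auid is the login uid: it stays the same after su/sudo, unlike uid
        who = users.get(sc['auid'], sc['auid'])
        when = datetime.fromtimestamp(epoch, timezone.utc).strftime('%Y-%m-%d %H:%M:%S')
        out.append(f'[{when}] {who} : {" ".join(argv)}')
    return out

if __name__ == '__main__':
    print('\n'.join(ssh_connections(SAMPLE, {'1000': 'Alex'})))
```

Timestamps are rendered in UTC here; the second sample event runs as uid 0 but is still attributed to the login uid 1000.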