How to log commands/logins in linux?
I'm feeling that some people are using the root, how i can log all commands and connections times including ips made to the server (ssh) from all users?
history command is not enough
Solution 1:
Root is root. Anything you do to try to keep track of root usage can be subverted or circumvented by someone who has root; even if you cause bash to pipe all history file entries to syslog on a secured remote server, for example, your system is only safe until the badly-behaved user figures out what you've done and disables or works around it.
This is a social problem, not a technical one. You need to implement a policy that will prevent people from using root, and put in place system checks to ensure that only acceptable access is granted, in a monitored and logged environment.
- Reconfigure sshd to deny root SSH login.
- Change the root password.
- Configure sudo/sudoers to allow each user only the privileged access they require.
Hope this helps - good luck.
Solution 2:
well you could just send yourself an email saying that "Elvis" entered the building
In the .bashrc put this
echo 'ALERT - Root Shell Access (YOURSERVERNAME) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" YOUREMAIL
So every time the user root logs in you will be notified
Solution 3:
BSM audit logs will help in tracking user commands and events
http://seclab.cs.ucdavis.edu/projects/misuse/prototypes/bsm.html
whowatch tool is also helpfull
http://www.cyberciti.biz/tips/linux-and-unix-interactive-process-and-users-monitoring-tool.html
Solution 4:
The following version of OpenSSH allows you to monitor all keystrokes which pass through the SSH daemon. My organization (Lawrence Berkeley National Laboratory) uses this code internally to support our science research environments, with great success.
https://github.com/set-element/openssh-hpn-isshd
A version of OpenSSH designed for high security installations where it is desirable to audit user activity. To do this we modify the SSH daemon to export information about user names, authentication, keystrokes, file transfers, remote command execution and a variety of SSH related metadata in as agnostic a way as possible. As an addition to this project, we provide infrastructure via the Bro Intrusion Detection System. The most general idea here is that a site can generate local security policy in the Bro scripting language and monitor in near real time user activity.