How to log commands/logins in Linux?

I have a feeling that some people are using root. How can I log all commands and connection times, including IPs, made to the server (SSH) from all users?

The history command is not enough.


Solution 1:

Root is root. Anything you do to try to keep track of root usage can be subverted or circumvented by someone who has root; even if you cause bash to pipe all history file entries to syslog on a secured remote server, for example, your system is only safe until the badly-behaved user figures out what you've done and disables or works around it.

This is a social problem, not a technical one. You need to implement a policy that will prevent people from using root, and put in place system checks to ensure that only acceptable access is granted, in a monitored and logged environment.

  1. Reconfigure sshd to deny root SSH login.
  2. Change the root password.
  3. Configure sudo/sudoers to allow each user only the privileged access they require.

Hope this helps - good luck.
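Once root SSH login is denied and privileged work goes through sudo, sshd and sudo both write to the system auth log, which gives the login times, source IPs and commands the question asks about. The script below is an added example, not part of the answer above: it summarizes both record types from syslog-format lines. The sample lines, host name, user names and IPs are constructed, and the traditional syslog line layout is assumed.

```shell
#!/bin/sh
# Added example: summarize SSH logins and sudo commands from syslog-format auth lines.

# Constructed sample data (host, users and documentation-range IPs are made up).
sample_log() {
cat <<'EOF'
Mar  3 09:12:01 web1 sshd[2210]: Accepted publickey for alice from 203.0.113.7 port 50112 ssh2
Mar  3 09:12:40 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:30:15 web1 sshd[2301]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar  3 09:31:02 web1 sshd[2310]: Accepted password for root from 198.51.100.23 port 40031 ssh2
Mar  3 09:45:10 web1 sudo[2400]:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar  3 09:50:00 web1 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id
EOF
}

# ssh_logins: one line per successful login: "date time<TAB>user<TAB>source IP<TAB>auth method"
ssh_logins() {
  awk '$5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $8 == "for" && $10 == "from" {
         printf "%s %s %s\t%s\t%s\t%s\n", $1, $2, $3, $9, $11, $7 }'
}

# root_ssh_logins: successful direct root logins; expected to be empty once root SSH login is denied.
root_ssh_logins() {
  ssh_logins | awk -F '\t' '$2 == "root"'
}

# sudo_commands: "date time<TAB>invoking user<TAB>target user<TAB>OK|DENIED<TAB>command"
sudo_commands() {
  awk '$5 ~ /^sudo(\[[0-9]+\])?:$/ && match($0, /COMMAND=.*/) {
         cmd = substr($0, RSTART + 8)            # text after "COMMAND="
         target = "?"
         if (match($0, /USER=[^ ]+/)) target = substr($0, RSTART + 5, RLENGTH - 5)
         status = ($0 ~ /NOT in sudoers|command not allowed/) ? "DENIED" : "OK"
         printf "%s %s %s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $6, target, status, cmd }'
}

# Demo on the constructed sample; on a real host pipe the auth log in instead,
# e.g. /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL family).
sample_log | ssh_logins
sample_log | sudo_commands
```

An entry such as `COMMAND=/bin/bash` records only that a root shell was started, not what was typed inside it, so sudoers rules that hand out a shell defeat the per-command record. These logs are also only as trustworthy as the host that stores them.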

Solution 2:

Well, you could just send yourself an email saying that "Elvis" entered the building.

In the .bashrc put this:

echo 'ALERT - Root Shell Access (YOURSERVERNAME) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" YOUREMAIL

So every time the user root logs in, you will be notified.

Solution 3:

BSM audit logs will help in tracking user commands and events.

http://seclab.cs.ucdavis.edu/projects/misuse/prototypes/bsm.html

The whowatch tool is also helpful.

http://www.cyberciti.biz/tips/linux-and-unix-interactive-process-and-users-monitoring-tool.html

Solution 4:

The following version of OpenSSH allows you to monitor all keystrokes which pass through the SSH daemon. My organization (Lawrence Berkeley National Laboratory) uses this code internally to support our science research environments, with great success.

https://github.com/set-element/openssh-hpn-isshd

A version of OpenSSH designed for high security installations where it is desirable to audit user activity. To do this we modify the SSH daemon to export information about user names, authentication, keystrokes, file transfers, remote command execution and a variety of SSH related metadata in as agnostic a way as possible. As an addition to this project, we provide infrastructure via the Bro Intrusion Detection System. The most general idea here is that a site can generate local security policy in the Bro scripting language and monitor in near real time user activity.