Log commands executed over ssh
I would like to log all commands executed over SSH.
Say,
ssh [email protected] COMMAND
I want to log "COMMAND" on server.com
I did search extensively but could not find anything.
There is one more similar question but I don't think there is a solution over there.
How to log "remote execution over SSH"
I can get a live view with
pstree -p | grep ssh
I did try Snoopy, auditd, and sudosh but could not log those commands over ssh.
There is http://freecode.com/projects/shwatchr, but I am not able to download the script to test.
Is there any other way to get this done?
Thanks.
Solution 1:
I did a test using this option on my SUSE lab server and it works, but maybe there is a better way.
ForceCommand logger -p user.notice "$SSH_ORIGINAL_COMMAND"
Solution 2:
Instead of focusing on SSH, take a step back and consider using auditd. I'm assuming that what you really want is to track the users, not tracking what is done from SSH as opposed to with other types of login.
man auditctl
should give you a starting point.
Solution 3:
I have found a way to do this. There is a Perl script written by John M. Simpson (https://www.jms1.net/).
All you have to do is add
command="#{path to log-session}"
before each key in your ~/.ssh/authorized_keys
It works only if you have a password-less ssh, but this does solve my purpose to an extent.
http://www.jms1.net/log-session
Solution 4:
In my case I had the exact same requirement. The only caveat with this method is that I'm not sure how to make it work if you don't make use of ssh keys. I made a short bash script to log the command before executing it:
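#!/bin/bash
# Append a timestamped record of the requested command to the log
echo "$(date -Is) ${SSH_ORIGINAL_COMMAND}" >> ~/sshcommands.log
# Run the requested command; -c makes sh treat the string as a command, not a script file
sh -c "${SSH_ORIGINAL_COMMAND}"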
I saved this command to ~/bin/log-commands then made it executable (chmod +x ~/bin/log-commands).
In the authorized_keys file, I added the command= parameter to the line belonging to the SSH key I wanted to have logs for, so it would be forced to run the log-commands script:
command="/home/tricky/bin/log-commands" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ......6J0C1 [email protected]
If someone is aware of the logging but doesn't want you to see the commands, they can simply go into an interactive session. As you mentioned, you already tried snoopy, which will do that for you. Popular alternatives I haven't tried are rootsh, sudosh, and log-user-session.
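A forced-command wrapper that combines the syslog logging of Solution 1 with the log-then-execute script of Solution 4, as an added example that is not part of the original answers. It goes a little further than either: it also records sessions that send no command, and it neutralises control characters in the client-supplied command so the string cannot forge extra log lines. The `ssh-cmd` tag, the record layout and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: forced-command wrapper (for ForceCommand or command="...").
# The tag "ssh-cmd" and the record layout are assumptions, not from the page.

# Replace control characters (newlines included) with '?' so a client cannot
# forge extra log lines through the command string it sends.
sanitize() {
    printf '%s' "$1" | tr '[:cntrl:]' '?'
}

# Build one log record: user, client address, and the requested command.
# $1 = user, $2 = SSH_CONNECTION value, $3 = SSH_ORIGINAL_COMMAND value
format_record() {
    client=${2%% *}          # first field of SSH_CONNECTION is the client IP
    cmd=$(sanitize "$3")
    [ -n "$cmd" ] || cmd='(interactive session)'
    printf 'user=%s from=%s cmd=%s' "$1" "${client:-unknown}" "$cmd"
}

main() {
    logger -p user.notice -t ssh-cmd \
        "$(format_record "$(id -un)" "${SSH_CONNECTION:-}" "${SSH_ORIGINAL_COMMAND:-}")"
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        # Run the client's command through the user's shell, as sshd would.
        exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
    fi
    # No command was sent: the record is already written, start a login shell.
    exec "${SHELL:-/bin/sh}" -l
}

# sshd sets SSH_CONNECTION for every session; only then act as the wrapper.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

Sending records to syslog rather than a file in the user's home directory keeps the log out of reach of the account being logged, provided that account cannot write to the syslog destination.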