Auditing SSH sessions?

ssh linux audit

I'm looking for a way that I can record and audit SSH sessions for users on my server. I need to be able to know when a user executed a command, what command they executed, and also be able to follow them through logins into other accounts (if a user were to run sudo -Hiu otheruser, the otheruser session should still be tracked from the main user's logs since they did not log in directly).

script doesn't seem to be a solution since the logs are recorded from the user's account which makes it vulnerable to tampering/destruction, and it also doesn't have timestamps for the commands.

Is there a commonly used tool / open source suite for a use case like this?


This question seems to have been asked, and answered, many times before: Stack Exchange to the Rescue

The second answer in particular seems to offer a potential solution using functionality built into SSHd itself as documented here SSH Recording but won't stand up to any determined effort to defeat it.

This technique in conjunction with the logger command may meet your requirements.

Related

How to save to a "virtual local drive" and have the data streamed to a remote drive? [closed]
Can't set up DNS server with BIND9
Disable Postfix server TLS for specific clients
Can server and client both use a certificate with the same CN?
Logwatch Emails marked as spam; how to stop reverse DNS on bot hosts?
nginx not redirecting to https
Impossible to disable TLS 1.0 and 1.1
dnsmasq on virbr0 (libvirt) and network manager
Throttle or limit resources used by a user in a database?
SSL certificate for Domains not in use
Why does my server have a dedicated IPMI port?
Check integrity of .tar.gz backup