12

All, I have an Ubuntu host that accepts SSH connections. How can I log all commands that are run on a specific account that logs in via SSH?

Thanks

Lexicon

4 Answers

5

Maybe you can make sshd use a logging shell like rootsh?

tohuwawohu
  • how do you install rootsh on Ubuntu – Lexicon Mar 14 '12 at 20:14
  • @Lexicon: AFAIK there's no already-compiled deb package available, just a source archive. Installing an application from source is described here, for example. The INSTALL file located in the source archive describes the different config options you can set before compiling it. – tohuwawohu Mar 14 '12 at 21:46
4

You can try snoopy. After you install it, it will log every command that calls execve to syslog. You'll only find it in the repos for hardy and precise.

You can install it from here.

Nextoor
3

I don't think SSHD logs commands while the user is logged in.

You can check who logged in by checking

/var/log/auth.log

and cross reference it to their history

/home/sshuser/.bash_history

history will have commands local or remote, though.

  • auth.log contains session opened and closed info but not commands that were run while logged in. .bash_history only shows local commands, nothing through the ssh session (at least from what I can tell). – Lexicon Mar 14 '12 at 14:38
  • ~/.bash_history will not work as the user can alter the file. – Panther Mar 14 '12 at 17:19
  • .bash_history is not showing what happens via ssh. – Lexicon Mar 22 '12 at 15:35
  • What is in .bash_history depends on how you've configured it. It may show anything from a mix of every concurrent shell session to nothing at all. (I export HISTFILE='' in my .bashrc on all systems to turn off recording history for security reasons, for example.) – cjs Jul 18 '17 at 02:57
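Pulling together the snoopy answer above and the auth.log cross-referencing in this one, here is an added example that is not part of any of the answers: a small POSIX shell script that prints one account's SSH login/logout events from auth.log-style input and the commands snoopy recorded for that account's uid. The sample log lines are constructed for the example, and the snoopy line layout (`[uid:... sid:... tty:... cwd:... filename:...]: command`) is assumed to be snoopy's default format; check what your installation actually writes and adjust the pattern if it differs.

```shell
#!/bin/sh
# Added example: filter one account's SSH sessions and snoopy-logged commands.
# Sample lines are constructed; the snoopy layout is assumed and may differ
# between snoopy versions. Real inputs are /var/log/auth.log and whatever file
# your syslog daemon routes snoopy's messages to (often auth.log or syslog).

SAMPLE_AUTH='Mar 14 20:01:02 host sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Mar 14 20:01:02 host sshd[2211]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 14 20:03:40 host sshd[2260]: Accepted password for bob from 192.0.2.11 port 50200 ssh2
Mar 14 20:05:30 host sshd[2211]: pam_unix(sshd:session): session closed for user alice'

SAMPLE_SNOOPY='Mar 14 20:01:03 host snoopy[2290]: [uid:1001 sid:2290 tty:/dev/pts/0 cwd:/home/alice filename:/bin/bash]: -bash
Mar 14 20:01:10 host snoopy[2301]: [uid:1001 sid:2290 tty:/dev/pts/0 cwd:/home/alice filename:/bin/ls]: ls -la
Mar 14 20:01:15 host snoopy[2302]: [uid:1001 sid:2290 tty:/dev/pts/0 cwd:/home/alice filename:/usr/bin/sudo]: sudo cat /etc/shadow
Mar 14 20:03:41 host snoopy[2310]: [uid:1002 sid:2310 tty:/dev/pts/1 cwd:/home/bob filename:/bin/bash]: -bash
Mar 14 20:03:50 host snoopy[2318]: [uid:1002 sid:2310 tty:/dev/pts/1 cwd:/home/bob filename:/usr/bin/id]: id'

# SSH logins and PAM session open/close events for one user.
# The trailing ( |$) keeps "alice" from also matching "alice2".
ssh_sessions_for() {  # usage: ssh_sessions_for USER < auth.log
  grep -E "sshd\[[0-9]+\]: (Accepted [a-z0-9-]+ for $1 from |pam_unix\(sshd:session\): session (opened|closed) for user $1( |$))"
}

# Commands snoopy recorded for one numeric uid (snoopy logs the uid, not the
# name; map it with: id -u alice). Each line is "...snoopy[pid]: [uid:N ...]: cmd".
# Splitting on "]: " and rejoining everything after the second piece keeps a
# command that itself contains "]: " intact.
commands_for_uid() {  # usage: commands_for_uid UID < syslog
  awk -v uid="$1" '
    $0 ~ ("snoopy\\[[0-9]+\\]: \\[uid:" uid " ") {
      n = split($0, p, "]: ")
      cmd = p[3]
      for (i = 4; i <= n; i++) cmd = cmd "]: " p[i]
      print cmd
    }'
}

# Stand-alone demo on the constructed samples.
echo "== SSH sessions for alice =="
printf '%s\n' "$SAMPLE_AUTH" | ssh_sessions_for alice
echo "== commands run by uid 1001 =="
printf '%s\n' "$SAMPLE_SNOOPY" | commands_for_uid 1001
```

Two caveats when reading the output: snoopy hooks execve through LD_PRELOAD, so shell builtins (cd, echo, export) never reach it and statically linked binaries bypass it, and the timestamps are the only link between the sshd events and the snoopy lines, since snoopy's sid is the user's session id, not sshd's pid.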
1

I have a similar problem and wrote the tool log-user-session which stores all shell output into a root-only accessible session log file. It can be enabled via forced command in sshd_config or ~/.ssh/authorized_keys (see documentation).
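The forced-command setup this answer refers to, as an added example (not log-user-session's own documentation or code): the sshd_config Match block that applies a forced command to one account, the per-key authorized_keys equivalent, and a small shell check that reports which ForceCommand sshd would apply to a given user. The wrapper path /usr/local/sbin/ssh-session-log is a placeholder for whatever records the session (log-user-session, rootsh, or your own script), and the sshd_config text is constructed for the example.

```shell
#!/bin/sh
# Added example: apply a forced command to one SSH account and verify that it
# is the effective setting. Paths and config text are constructed.
#
# sshd runs the forced command as the logged-in user, so whatever the wrapper
# writes must land where that user cannot read or truncate it (a root-only log
# file, or syslog); otherwise the user can edit the record after the fact.
#
# Per-account form, at the END of /etc/ssh/sshd_config (every line after a
# Match line belongs to that block until the next Match):
SAMPLE_CONFIG='PasswordAuthentication no
PermitRootLogin no

Match User alice
    # record everything alice does; forwarding is disabled so the forced
    # command cannot be sidestepped by tunnelling through the session
    ForceCommand /usr/local/sbin/ssh-session-log
    AllowTcpForwarding no
    X11Forwarding no

Match User bob,carol
    ForceCommand internal-sftp'
#
# Per-key form, in ~/.ssh/authorized_keys of the account (applies to that key only):
#   command="/usr/local/sbin/ssh-session-log",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... alice@laptop
#
# On the real host, the authoritative check is sshd's own dump of the effective
# configuration for a connection:
#   sudo sshd -T -C user=alice,host=box,addr=192.0.2.10 | grep -i '^forcecommand'

# Quick offline check on a config file: which ForceCommand applies to a user?
# Follows sshd's rules for this keyword: the first value in a matching Match
# block overrides the global section; otherwise the global value; otherwise
# "none" (what sshd -T prints). Only "User" criteria are evaluated here, so a
# Match on Group or Address is not handled; use sshd -T -C for those.
forcecommand_for() {  # usage: forcecommand_for USER < sshd_config
  awk -v user="$1" '
    BEGIN { scope = 0 }                   # 0 = global section
    NF == 0 || substr($1, 1, 1) == "#" { next }
    tolower($1) == "match" {
      scope = 2                           # inside a Match block that does not apply
      for (i = 2; i < NF; i += 2)
        if (tolower($i) == "user") {
          n = split($(i + 1), names, ",")
          for (j = 1; j <= n; j++) if (names[j] == user) scope = 1
        }
      next
    }
    tolower($1) == "forcecommand" {
      $1 = ""; sub(/^ +/, "")             # keep everything after the keyword
      if (scope == 0 && global == "") global = $0
      if (scope == 1 && matched == "") matched = $0
    }
    END {
      if (matched != "") print matched
      else if (global != "") print global
      else print "none"
    }'
}

# Stand-alone demo on the constructed config.
for u in alice carol dave; do
  printf '%s: %s\n' "$u" "$(printf '%s\n' "$SAMPLE_CONFIG" | forcecommand_for "$u")"
done
```

After editing sshd_config, run `sshd -t` to syntax-check it before reloading, and keep an existing session open while you test a new login so a mistake in the wrapper cannot lock you out.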