Logging all SSH Commands
Being the geek that I am, I have my own private cloud which I share with my friends for testing out distributions and playing war-games with each other. One of the configurations I like adding to servers to give visibility of what users are doing is TTY logging.
You could of course just look at a user's bash history, but that can easily be wiped or removed by running various commands such as:
The way I do this is with the PAM module pam_tty_audit, which most distributions already have installed (CentOS 5 and later do, anyway), just not enabled.
On Red Hat based distributions all you need to do is add the following line to /etc/pam.d/sshd:
session required pam_tty_audit.so enable=*
This logs all users. You can restrict it to certain users; for example, to log only the user jay, change the line to:
or, to disable logging for certain users, then:
You can read the man page for pam_tty_audit here. Once you are ready, just restart the SSH daemon and you are good to go.
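Before restarting sshd it is worth checking who the enable=/disable= lists actually cover, especially once you move past enable=*. The following Python is an added example (mine, not the module's own code); it applies the selection rule as the pam_tty_audit man page describes it, which I am treating as an assumption here: options are scanned left to right, each entry is an fnmatch-style user name pattern with * matching everyone, the last matching option decides, and a user that nothing matches is not audited. The /etc/pam.d/sshd contents are constructed for the example.

```python
"""Work out which users a pam_tty_audit line actually audits.

Added example for this post, not the module's own code. It applies the
selection rule as the pam_tty_audit man page describes it (my reading,
treat it as an assumption): enable=/disable= lists are scanned left to
right, each entry is an fnmatch-style user name pattern (`*` is everyone),
the last matching option decides, and a user nothing matches is not audited.
"""
from fnmatch import fnmatchcase

# Constructed /etc/pam.d/sshd contents. The first is the post's line; the
# second narrows it so a couple of service accounts are left out.
PAM_ALL_USERS = "session required pam_tty_audit.so enable=*\n"
PAM_SELECTIVE = """\
#%PAM-1.0
auth       required     pam_sepermit.so
session    required     pam_tty_audit.so enable=* disable=backup,monitor
session    include      password-auth
"""


def parse_tty_audit_options(pam_text):
    """Return the option tokens of the first session line loading pam_tty_audit.so.

    Comment lines and other modules are skipped; None means the module is
    not loaded for this service at all.
    """
    for line in pam_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "session" and "pam_tty_audit.so" in fields:
            return fields[fields.index("pam_tty_audit.so") + 1:]
    return None


def evaluate(user, options):
    """Return (audited, reason): the verdict and the option that produced it."""
    if options is None:
        return False, "pam_tty_audit.so not loaded"
    audited, reason = False, "no enable=/disable= option matched"
    for opt in options:
        if opt.startswith("enable="):
            patterns, verdict = opt[len("enable="):], True
        elif opt.startswith("disable="):
            patterns, verdict = opt[len("disable="):], False
        else:
            continue  # open_only, log_passwd, ... do not affect user selection
        if any(fnmatchcase(user, p) for p in patterns.split(",") if p):
            audited, reason = verdict, opt  # a later match overrides an earlier one
    return audited, reason


def is_tty_audited(user, options):
    """Convenience wrapper: just the boolean verdict."""
    return evaluate(user, options)[0]


if __name__ == "__main__":
    for label, text in (("enable=*", PAM_ALL_USERS), ("selective", PAM_SELECTIVE)):
        opts = parse_tty_audit_options(text)
        for user in ("jay", "backup", "monitor"):
            audited, reason = evaluate(user, opts)
            print(f"{label:9} {user:8} audited={audited!s:5} ({reason})")
```

Point it at your real /etc/pam.d/sshd (read the file and pass its text to parse_tty_audit_options) to confirm the accounts you care about come out as audited before you rely on the logs.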
To view the log you can use the reporting tool aureport by issuing the following command:
As you can see from the example output below, everything I did is recorded (su to root and then tail a file):
100. 09/16/2012 19:14:49 370 500 ? 6 bash ,,"su",,"exit",
101. 09/16/2012 19:14:48 366 500 ? 6 bash "exit",
102. 09/16/2012 19:17:16 396 500 ? 7 bash ,"exit",
103. 09/16/2012 19:25:30 422 500 ? 8 su "myrootpassword",
104. 09/16/2012 19:25:36 427 500 ? 8 bash "tail -f .",,"/var",,"log",,"se",,
This also introduces a security issue: if someone gets root access, they can potentially view everyone's passwords in clear text in the audit log, which is something to be aware of.
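Because the report is flat text, it helps to parse it before reading or forwarding it. The following Python is an added example (mine, not the post's or audit's own tooling) that parses the records above, groups them by audit session, flags the record where su captured the root password, and produces a redacted copy. The sample is the post's own output re-typed so the script runs offline; the columns follow the header aureport --tty prints (date, time, event, auid, term, sess, comm, data), and the list of password-reading programs beyond su is an assumption.

```python
"""Parse `aureport --tty` output and flag records that captured a password.

Added example for this post (not part of the original or of the audit
tools). The sample block is the post's own aureport output, re-typed here
so the script runs offline.
"""
import re
from collections import defaultdict

# Output reproduced from the post, one record per line as aureport prints it.
AUREPORT_TTY_SAMPLE = """\
100. 09/16/2012 19:14:49 370 500 ? 6 bash ,,"su",,"exit",
101. 09/16/2012 19:14:48 366 500 ? 6 bash "exit",
102. 09/16/2012 19:17:16 396 500 ? 7 bash ,"exit",
103. 09/16/2012 19:25:30 422 500 ? 8 su "myrootpassword",
104. 09/16/2012 19:25:36 427 500 ? 8 bash "tail -f .",,"/var",,"log",,"se",,
"""

# Columns as aureport --tty prints them: # date time event auid term sess comm data
RECORD_RE = re.compile(
    r"^(?P<num>\d+)\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<event>\d+)\s+"
    r"(?P<auid>\S+)\s+(?P<term>\S+)\s+(?P<sess>\S+)\s+(?P<comm>\S+)\s+(?P<data>.*)$"
)
# Data is a comma-separated list of quoted keystroke chunks; newer versions
# also print unquoted tokens such as <ret> between them.
FRAGMENT_RE = re.compile(r'"([^"]*)"|(<[^>]+>)')

# Programs that read a secret with terminal echo turned off. `su` is the case
# shown in the post; the others are an assumption for illustration.
PASSWORD_READERS = {"su", "sudo", "passwd", "ssh"}


def parse_tty_report(text):
    """Return one dict per record; header, separator and footer lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["num"] = int(rec["num"])
        rec["fragments"] = [q or tok for q, tok in FRAGMENT_RE.findall(rec["data"]) if q or tok]
        records.append(rec)
    return records


def group_by_session(records):
    """Map audit session id -> its records, in report order."""
    sessions = defaultdict(list)
    for rec in records:
        sessions[rec["sess"]].append(rec)
    return dict(sessions)


def find_captured_secrets(records):
    """Records where a password-reading program logged non-empty keystrokes.

    Older kernels and pam_tty_audit versions record keystrokes regardless of
    echo mode, so these chunks are almost certainly credentials in clear text.
    """
    return [
        (rec["num"], rec["comm"], rec["sess"], rec["auid"])
        for rec in records
        if rec["comm"] in PASSWORD_READERS and rec["fragments"]
    ]


def redact_report(text):
    """Return the report with password-reader keystrokes replaced by "<redacted>"."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        m = RECORD_RE.match(stripped)
        if m and m.group("comm") in PASSWORD_READERS and m.group("data").strip(", "):
            line = stripped[: m.start("data")] + '"<redacted>",'
        out.append(line)
    return "\n".join(out) + "\n"


def summarize(records):
    """One line per session showing what was typed, for a quick human read."""
    lines = []
    by_sess = sorted(group_by_session(records).items(), key=lambda kv: kv[1][0]["num"])
    for sess, recs in by_sess:
        typed = "; ".join(f"{r['comm']}: {' '.join(r['fragments']) or '-'}" for r in recs)
        lines.append(f"session {sess} (auid {recs[0]['auid']}): {typed}")
    return lines


if __name__ == "__main__":
    recs = parse_tty_report(AUREPORT_TTY_SAMPLE)
    for line in summarize(recs):
        print(line)
    for num, comm, sess, auid in find_captured_secrets(recs):
        print(f"WARNING: record {num}: {comm} in session {sess} (auid {auid}) logged echo-off input")
    print(redact_report(AUREPORT_TTY_SAMPLE), end="")
```

Run it against a saved report (aureport --tty > report.txt, then pass the file's text to parse_tty_report) and pass anything you paste into a ticket or ship to a SIEM through redact_report first. Newer kernels and pam_tty_audit versions skip echo-off input by default and only record it when the log_passwd option is set, so on a current system the su record would be empty unless you asked for it; the 2012 setup in the post records it regardless, which is exactly the issue the last paragraph warns about.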