I’m looking for a way that I can record and audit SSH sessions for users on my server. I need to be able to know when a user executed a command, what command they executed, and also be able to follow them through logins into other accounts (if a user were to run sudo -Hiu otheruser, the otheruser session should still be tracked from the main user’s logs since they did not log in directly).
script doesn’t seem to be a solution since the logs are recorded from the user’s account which makes it vulnerable to tampering/destruction, and it also doesn’t have timestamps for the commands.
Is there a commonly used tool / open source suite for a use case like this?
RHEL 8 has integrated session recording with the tlog package. For other distributions you could probably install it yourself.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.