Auditing SSH sessions?

lonewaft asked:

I’m looking for a way that I can record and audit SSH sessions for users on my server. I need to be able to know when a user executed a command, what command they executed, and also be able to follow them through logins into other accounts (if a user were to run sudo -Hiu otheruser, the otheruser session should still be tracked from the main user’s logs since they did not log in directly).

script doesn’t seem to be a solution since the logs are recorded from the user’s account, which makes it vulnerable to tampering/destruction, and it also doesn’t have timestamps for the commands.

Is there a commonly used tool / open source suite for a use case like this?

My answer:

RHEL 8 has integrated session recording with the tlog package. For other distributions you could probably install it yourself.

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.