SSH session logging

Question

We have a policy of logging all SSH session activity for CYA purposes with our clients. With PuTTY under windows this is trivial, as we can log each session to a file using PuTTY's built-in logging facility. But when working from Linux workstations, it's not quite as simple.

Note that server-side logging, while important for other reasons, is not part of what we're doing here. These session logs are for our own reference alone.

So far we've looked at the following options:

• Logging of ALL terminal activity using script triggered either in .bash_profile or as wrapper to the login shell (far from ideal)
• Replacing /usr/bin/ssh with a wrapper that starts a per-session log (better, but might have side-effects)
• Forcing all employees to use PuTTY for Linux instead of ssh from the command line (also very much not ideal)

Logging needs to be totally automatic, and ideally we want to be able to separate out different sessions into individual files.

Related:

• BASH shell session logging on remote host

Answer 1

If you are using Linux or FreeBSD, check out sudosh2:

sudosh is an auditing shell filter and can be used as a login shell. Sudosh records all keystrokes and output and can play back the session as just like a VCR. Sudosh2 is a continuation of the development of sudosh.

This will store a log of all TTY input and output (all keystrokes, including backspaces and other control characters). The output can be stored on the local machine, or can be sent to another server using syslog.

You don't state if your engineers are SSHing from a central server, or if they are all connecting from their own workstations. sudosh2 is ideal for a central server, but might be harder to implement on dozens of workstations.

Some others have used rootsh, but I am not familiar with rootsh.