How can I log user activity on SSH

Question

Possible Duplicate:
How do I log every command executed by a user?

How can I log SSH activity on 10.04 Ubuntu Server? This includes all commands he issued and output he got.

check this out http://serverfault.com/questions/140347/record-everything-on-command-line-centos-fedora-ubuntu — neolix, Feb 22 '12 at 07:03
Or even better, see this. http://serverfault.com/questions/336217/how-do-i-log-every-command-executed-by-a-user — Zoredache, Feb 22 '12 at 08:13

score 2 · Answer 1 · answered Feb 22 '12 at 08:01

2

2 options I see for you:

Use rootsh. Rootsh is a wrapper for shells which logs all echoed keystrokes and terminal output to a file and/or to syslog. It's main purpose is the auditing of users who need a shell with root privileges. They start rootsh through the sudo mechanism. This wil not log everything, only what they perform in a root shell.
Use screen. You can force users in a screen-session when they log on to your server, you can then use screen to log everything they type.

But the bottom-line is, if you don't trust a user, don't allow them on your system. No system is bulletproof.

answered Feb 22 '12 at 08:01

Bart De Vos

I guess `rootsh` is not a good option since they may or may not do actions with root privileges, but I need to know about all actions. For the `screen` I am not sure how to force and will they be aware easily that they are in screen? If you could give some hints on how to force ssh login to enter screen, then I might try experience. Actually it's not about breaking something on my system, just monitoring the job is done properly or not. It's not a security issue, just supervising. – Michael Feb 22 '12 at 08:09
The, you should probably have a look at this: http://serverfault.com/a/336234/59789 – Bart De Vos Feb 22 '12 at 08:24

score 0 · Answer 2 · answered Feb 22 '12 at 07:13

0

Possible screen as shell?

But its hard for be sure, that user cant hack that.

answered Feb 22 '12 at 07:13

Korjavin Ivan

Not possible. I just have couple users, which will be doing some job in their home dirs through ssh and I want to watch them with minimal efforts. – Michael Feb 22 '12 at 07:18
home dirs? couple users? who cares. screen just save log. – Korjavin Ivan Feb 22 '12 at 07:21
I can't force them to use screen and it should not be noticeable that I am going to watch them. – Michael Feb 22 '12 at 07:26

score 0 · Answer 3 · answered Feb 22 '12 at 07:45

0

Add:

LogLevel Debug3

to /etc/ssh/sshd_config and restart.

Note: "Logging with a DEBUG level violates the privacy of users and is not recommended."

answered Feb 22 '12 at 07:45

dmourati

)) this gives me really debug information such like `debug3: Wrote 52 byte for a total of 3931`. This is not what I want. Something human readable. – Michael Feb 22 '12 at 07:52
Try LogLevel Debug – dmourati Feb 22 '12 at 22:33

3 Answers3