1

Is there a way to log root commands from SSH on an OpenVZ node? I tried Snoopy and I was not able to exclude everything and leave only SSH commands.

Edit: I want to log ONLY commands sent through SSH/SFTP from a remote host, because on my OpenVZ node root is used to run many other commands locally. For example, Snoopy logs everything that happens on the system (that is a lot of trash...), but I want to see what is done by any person as root via SSH/SFTP.

6DM

1 Answer

0

As Aaron says, you need auditd. Your question is not a duplicate of this other one I found, but the accepted answer is perfect for you:

Log all commands run by admins on production servers

And I just found this:

https://askubuntu.com/questions/422243/how-to-audit-tty-for-a-specified-user-in-ssh-connection

It demonstrates that you need to use PAM to target SSH in the way you want by adding something along the lines of this to your configuration.

/etc/pam.d/sshd

session required pam_tty_audit.so enable=*
Ryan Babchishin
  • Why isn't it a duplicate? It looks like exactly the same question. – Michael Hampton Aug 10 '16 at 23:36
  • @MichaelHampton Because he's having an issue with filtering based on SSH "Log root SSH commands"... I guess you could say it's a duplicate, I see it as more specific. I have some more specific info to provide, updating my answer now. – Ryan Babchishin Aug 10 '16 at 23:38
  • And I expect he said ssh because of inexperience, not because he wanted to limit the auditing. – Michael Hampton Aug 10 '16 at 23:40
  • @MichaelHampton He said he couldn't exclude non-ssh stuff from snoopy logging. – Ryan Babchishin Aug 10 '16 at 23:44
  • Nope. I want to log ONLY commands sent through SSH/SFTP from a remote host, because on my OpenVZ node root is used to run many other commands locally. For example, Snoopy logs everything that happens on the system (that is a lot of trash...), but I want to see what is done by any person as root via SSH/SFTP. – 6DM Aug 11 '16 at 07:29
  • @MichaelHampton can you remove "duplicate"? – 6DM Aug 13 '16 at 09:13
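What the `pam_tty_audit` line in the answer produces, as an added example that is not part of the original thread: the kernel writes `type=TTY` audit records whose `data=` field is hex-encoded keystrokes, and this Python code rebuilds the commands typed by root from them. The sample records are constructed, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of type=TTY records in /var/log/audit/audit.log.
SAMPLE_LOG = """\
type=TTY msg=audit(1470872184.101:410): tty pid=2301 uid=0 auid=0 ses=7 major=136 minor=0 comm="bash" data=767A6C6973740D
type=TTY msg=audit(1470872190.220:411): tty pid=2301 uid=0 auid=0 ses=7 major=136 minor=0 comm="bash" data=6C73207F7F7F767A63746C20656E
type=USER_START msg=audit(1470872191.000:412): pid=2290 uid=0 auid=0 ses=7 msg='op=PAM:session_open'
type=TTY msg=audit(1470872195.900:413): tty pid=2410 uid=1000 auid=1000 ses=8 major=136 minor=1 comm="bash" data=77686F616D690D
type=TTY msg=audit(1470872199.310:414): tty pid=2301 uid=0 auid=0 ses=7 major=136 minor=0 comm="bash" data=746572203130310D
"""

TTY_RE = re.compile(
    r"^type=TTY msg=audit\([\d.]+:\d+\): tty pid=\d+ uid=(?P<uid>\d+) "
    r"auid=\d+ ses=(?P<ses>\d+) .*? data=(?P<data>[0-9A-Fa-f]+)\s*$"
)

def apply_line_editing(raw: bytes) -> str:
    """Replay backspace/DEL so the result is the line the shell received."""
    out = []
    for b in raw:
        if b in (0x08, 0x7F):
            if out:
                out.pop()
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        # Other control bytes are dropped; escape sequences are not interpreted.
    return "".join(out)

def root_commands(log_text: str, uid: int = 0):
    """Return [(session, command)] typed by `uid`, in log order."""
    pending = defaultdict(bytes)  # session id -> keystrokes not yet ended by Enter
    commands = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m or int(m["uid"]) != uid:
            continue
        ses = int(m["ses"])
        # One command can span several records, so buffer per session.
        buf = pending[ses] + bytes.fromhex(m["data"])
        *done, pending[ses] = re.split(rb"[\r\n]", buf)
        commands += [(ses, apply_line_editing(c)) for c in done if c]
    return commands
```

On a live host `aureport --tty` renders the same records. Sessions that never allocate a TTY (SFTP, `ssh host command`) produce no `type=TTY` records, so this covers interactive SSH logins only.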