15

I would like to log all commands executed over SSH.

Say,

ssh something@server.com COMMAND

I want to log "COMMAND" on server.com

I did search extensively but could not find anything.

There is one more similar question but I don't think there is a solution over there.

How to log "remote execution over SSH"

I can get a live view with

pstree -p | grep ssh

I did try Snoopy, auditd, and sudosh but could not log those commands over SSH.

There is http://freecode.com/projects/shwatchr, but I am not able to download the script to test.

Is there any other way to get this done?

Dave M
Prashanth

8 Answers

6

Instead of focusing on SSH, take a step back and consider using auditd. I'm assuming that what you really want is to track the users, not tracking what is done from SSH as opposed to with other types of login.

man auditctl should give you a starting point.

Jenny D
5

I did a test using this option in my SUSE lab server and it works, but maybe there is a better way.

ForceCommand logger -p user.notice "$SSH_ORIGINAL_COMMAND"
c4f4t0r
2

I have found a way to do this. There is a perl script written by John M. Simpson (https://www.jms1.net/).

All you have to do is add

command="#{path to log-session}"

before each key in your ~/.ssh/authorized_keys

It works only if you have a password-less ssh, but this does solve my purpose to an extent.

http://www.jms1.net/log-session

Prashanth
2

Would Snoopy help you out with this? “Log every executed command to syslog (a.k.a. Snoopy Logger).”

https://github.com/a2o/snoopy

Ben Lavender
1

If you want to log ssh commands and still allow ssh login sessions using the same key you will need to modify zaTricky's solution:

#!/bin/bash
if [ -z "${SSH_ORIGINAL_COMMAND}" ]; then
  /bin/bash -il
else
  echo "$(date -Is) ${SSH_ORIGINAL_COMMAND}" >> ~/.ssh/sshcommands.log
  /bin/bash -c "${SSH_ORIGINAL_COMMAND}"
fi

In authorized_keys:

command="/home/<user>/.ssh/log_commands.sh" ssh-ed25519 ...

Don't forget to mark the script as executable:

chmod u+x ~/.ssh/log_commands.sh

Lines:

  1. shebang
  2. check if command is empty
  3. if so start a login and interactive shell
  4. else
  5. log the command
  6. and execute it

If you also want to log all bash commands, put this in .bashrc of either the user or the root account, depending on which commands you want to log:

# for bash logging
export PROMPT_COMMAND='echo "$(history 1)" >> ~/.ssh/bash_commands.log'
export HISTTIMEFORMAT='%F %T '   # Format: YYYY-MM-DD HH:MM:SS

Don't forget:

chmod 600 ~/.ssh/bash_commands.log

racitup
0

Have you tried SSHLog https://github.com/sshlog/agent/ (I'm a contributor)? This will log each COMMAND to a log file, for example:

2023-04-09 15:15:05: command_start          (653204) jdoe executed /usr/bin/whoami
2023-04-09 15:15:05: command_finish         (653204) jdoe execute complete (exit code: 0) /usr/bin/whoami

In this example, if a user SSHes into your server and types "whoami", it would generate this log data.

0

In my case I had the exact same requirement. The only caveat with this method is that I'm not sure how to make it work if you don't make use of ssh keys. I made a short bash script to log the command before executing it:

#!/bin/bash
# append a timestamped record of the requested command, then run it
echo "$(date -Is) ${SSH_ORIGINAL_COMMAND}" >> ~/sshcommands.log
sh -c "${SSH_ORIGINAL_COMMAND}"

I saved this command to ~/bin/log-commands then made it executable (chmod +x ~/bin/log-commands).

In the authorized_keys file, I added the command= parameter to the line belonging to the SSH key I wanted to have logs for, so it would be forced to run the log-commands script:

command="/home/tricky/bin/log-commands" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ......6J0C1 tricky@tricky-testing.mydomain

If someone is aware of the logging but doesn't want you to see the commands, they can simply go into an interactive session. As you mentioned, you already tried snoopy, which will do that for you. Popular alternatives I haven't tried are rootsh, sudosh, and log-user-session.

zaTricky
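A fuller version of the forced-command wrapper used in racitup's and zaTricky's answers, written here as an added example (it is not code from either answer): each record carries the client IP taken from SSH_CONNECTION and a per-key label passed as the script's first argument, and a key used to open an interactive shell is recorded as such rather than slipping through unlogged. The label argument, the SSH_CMD_LOG variable and the log path are assumptions of this example, not OpenSSH features; SSH_ORIGINAL_COMMAND and SSH_CONNECTION are set by sshd.

```shell
#!/bin/sh
# Forced-command wrapper for authorized_keys (added example, not from any
# answer above). Assumes sshd's SSH_ORIGINAL_COMMAND / SSH_CONNECTION
# variables; the key-label argument and SSH_CMD_LOG are hypothetical choices.

# Append one record: UTC timestamp, client IP, key label, command (or marker).
log_ssh_command() {
    label="$1"; cmd="$2"; logfile="$3"
    client="${SSH_CONNECTION%% *}"   # first field of SSH_CONNECTION is the client IP
    printf '%s %s %s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "${client:-local}" \
        "$label" "$cmd" >> "$logfile"
}

# Log first, then dispatch. An empty command means the client asked for a
# shell, so record that too instead of handing over an unlogged session.
handle_session() {
    label="$1"; cmd="$2"; logfile="$3"
    if [ -z "$cmd" ]; then
        log_ssh_command "$label" "<interactive shell>" "$logfile"
        exec /bin/bash -il
    fi
    log_ssh_command "$label" "$cmd" "$logfile"
    /bin/bash -c "$cmd"              # the command's exit status is returned to sshd
}

# authorized_keys always supplies the label argument and sshd always sets
# SSH_CONNECTION; when either is missing the script was run by hand, so skip.
if [ $# -ge 1 ] && [ -n "${SSH_CONNECTION:-}" ]; then
    logfile="${SSH_CMD_LOG:-$HOME/.ssh/sshcommands.log}"
    umask 077                        # log stays readable only by the account owner
    handle_session "$1" "${SSH_ORIGINAL_COMMAND:-}" "$logfile"
fi
```

The matching authorized_keys entry is of the form command="/home/<user>/.ssh/log_commands.sh key-alice" ssh-ed25519 ... with a different label per key. The "<interactive shell>" record only shows that a shell was opened, not what was typed in it; that is where the .bashrc PROMPT_COMMAND trick or snoopy still applies.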
-1

Warning: If you are connecting remotely via SSH, read the answer in full before attempting any of the steps to avoid being locked out.

In /etc/ssh/sshd_config, add the following line:

ForceCommand logger -p user.notice "$SSH_ORIGINAL_COMMAND"

And then reload ssh with systemctl reload ssh. Commands executed via ssh will now be sent to the system log file (e.g. /var/log/syslog for Ubuntu, possibly /var/log/messages for your distro). However, the commands will no longer execute. Therefore, you should not close your existing ssh session to test if it works. Attempt to open a new one instead. If you would like your commands to execute, try this line:

ForceCommand logger -p user.notice "$SSH_ORIGINAL_COMMAND"; bash -c "$SSH_ORIGINAL_COMMAND"

This command uses bash to execute the command after logging it using logger. Example usage:

> ssh ubuntu@ubuntu-server ls -al
total 36
drwxr-x--- 4 ubuntu ubuntu 4096 Apr 21 17:50 .
drwxr-xr-x 3 root   root   4096 Apr 21 17:07 ..
-rw------- 1 ubuntu ubuntu  148 Apr 21 17:14 .bash_history
-rw-r--r-- 1 ubuntu ubuntu  220 Jan  6  2022 .bash_logout
-rw-r--r-- 1 ubuntu ubuntu 3771 Jan  6  2022 .bashrc
drwx------ 2 ubuntu ubuntu 4096 Apr 21 17:08 .cache
-rw-r--r-- 1 ubuntu ubuntu  807 Jan  6  2022 .profile
-rw------- 1 ubuntu ubuntu    0 Apr 21 17:46 .python_history
drwx------ 2 ubuntu ubuntu 4096 Apr 21 17:47 .ssh
-rw-r--r-- 1 ubuntu ubuntu    0 Apr 21 17:08 .sudo_as_admin_successful
-rw------- 1 ubuntu ubuntu 1369 Apr 21 17:50 .viminfo
ubuntu@ubuntu-server:~$ tail -3 /var/log/syslog 
Apr 21 17:51:01 ubuntu-server systemd[1]: Started Session 5 of User ubuntu.
Apr 21 17:51:02 ubuntu-server ubuntu: ls -al
Apr 21 17:51:02 ubuntu-server systemd[1]: session-5.scope: Deactivated successfully.

Note that your shell still might not start in interactive mode.

idontknow