There are times I wish I had kept all of my history from the last 3 days, or wish I could supervise what another user has done to a system. I tried to find a way to log all ssh sessions to the server, logging them to syslog and keeping every action performed by every user! This is good for auditing some systems.
I thought a good idea would be to set a prompt command in the system-wide bashrc, like:
PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'
On Debian, edit the file /etc/bash.bashrc; on CentOS, edit the file /etc/bashrc.
If you want to start logging for the session you are in, you have to source the file you have edited, for example execute:
source /etc/bash.bashrc
on a Debian system, or
source /etc/bashrc
on a CentOS system.
From now on, every command of every ssh session will be logged to /var/log/syslog on a Debian system, and to /var/log/messages on a CentOS system.
If you want to log them to a separate file and not clutter the other log files, you can use:
PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -p local6.info -t "$USER[$$] $SSH_CONNECTION")'
instead of the previous PROMPT_COMMAND example, and then configure rsyslogd as needed.
For example, on a Debian system edit the **/etc/rsyslog.conf** file:
change the line:
*.*;auth,authpriv.none -/var/log/syslog
to
*.*;auth,authpriv.none;local6.none -/var/log/syslog
and add the following line to the end of the file:
local6.info /var/log/history.log
then execute:
touch /var/log/history.log && /etc/init.d/rsyslog restart
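Once commands are landing in /var/log/history.log, the file can be summarised per user and client address for review. The script below is an added example, not part of the original post: it assumes the traditional syslog file layout shown in its comments, and its function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout of /var/log/history.log:
#   Mon DD HH:MM:SS host user[pid] client_ip client_port server_ip server_port: command
#   Mon DD HH:MM:SS host user[pid]: command      (local shell, $SSH_CONNECTION empty)

# Constructed sample lines, not taken from a real system.
sample_log() {
cat <<'EOF'
Mar  3 10:15:01 web01 alice[4211] 203.0.113.7 51122 10.0.0.5 22: sudo -l
Mar  3 10:15:02 web01 alice[4211] 203.0.113.7 51122 10.0.0.5 22: #1709460902
Mar  3 10:15:09 web01 alice[4211] 203.0.113.7 51122 10.0.0.5 22: cat /etc/shadow
Mar  3 10:16:40 web01 bob[4302] 198.51.100.23 40110 10.0.0.5 22: ls -la /srv
Mar  3 10:17:02 web01 root[4400]: systemctl restart nginx
EOF
}

# Emit one tab-separated record per command: time, user, pid, client, command.
# Runs of spaces inside a command are collapsed to one space.
parse_history_log() {
  awk '
  {
    tag = $5
    if (tag ~ /:$/)     { src = "local"; first = 6; sub(/:$/, "", tag) }
    else if ($6 == ":") { src = "local"; first = 7 }
    else if ($7 ~ /^[0-9]+$/ && $9 ~ /^[0-9]+:$/) { src = $6; first = 10 }
    else next                                  # not in the expected layout
    lb = index(tag, "[")
    if (lb < 2) next                           # tag must look like user[pid]
    user = substr(tag, 1, lb - 1)
    pid  = substr(tag, lb + 1, length(tag) - lb - 1)
    cmd = ""
    for (i = first; i <= NF; i++) cmd = cmd (i > first ? " " : "") $i
    if (cmd == "" || cmd ~ /^#[0-9]+$/) next   # "#epoch" lines appear when HISTTIMEFORMAT is set
    printf "%s %s %s\t%s\t%s\t%s\t%s\n", $1, $2, $3, user, pid, src, cmd
  }'
}

# Count logged commands per user and client address.
commands_per_source() {
  parse_history_log |
    awk -F '\t' '{ n[$2 "@" $4]++ } END { for (k in n) print n[k], k }' |
    sort -k2
}

# On a real host: commands_per_source < /var/log/history.log
sample_log | commands_per_source
```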
This article is from my own answer to unix.stackexchange.com:
My answer was downvoted by the owner of the question as off topic, but I think it is just good practice, when you want to audit a system, to log ssh sessions to the server or, even better, to a log server. So I published my own answer on my own blog.
Source: webplay.pro