LinuxQuestions.org
Old 03-18-2005, 07:18 AM   #1
jcookeman
Member
 
Registered: Jul 2003
Location: London, UK
Distribution: FreeBSD, OpenSuse, Ubuntu, RHEL
Posts: 417

Rep: Reputation: 33
ssh command logging


We have some servers that are only accessed by a few people. They are production critical, and therefore we would like to log all ssh access and commands issued to an external database.

Does anyone know offhand of a good method to do this? I was thinking of logging to syslog and then having syslog hand off to a database.

However, I have not found any good information or patches for OpenSSH to make this happen. I checked the LogLevel directive for sshd_config and it just doesn't do what I want without cluttering the logs.
 
Old 03-20-2005, 09:28 AM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 58
Take a look at this project:
http://sourceforge.net/projects/snoopylogger/
 
Old 03-21-2005, 06:15 AM   #3
jcookeman
Member
 
Registered: Jul 2003
Location: London, UK
Distribution: FreeBSD, OpenSuse, Ubuntu, RHEL
Posts: 417

Original Poster
Rep: Reputation: 33
Interesting. This wraps the exec() series of system calls to log to syslog. I have the info going to /var/log/snoopy right now.

The only issue with this is that it seems that any programs that use the exec() series of calls have this info logged to syslog. While this can be good, it doesn't seem to discern between actual user-typed commands and calls to exec() from within code.

There is a way to tune it for root only. So, I will check this further and may even extend the source to only cover calls from OpenSSH.

Thanks for the link,

Justin
 
Old 08-26-2008, 02:50 AM   #4
otheus
LQ Newbie
 
Registered: Jun 2006
Location: Austria
Distribution: RHEL AS 4
Posts: 25

Rep: Reputation: 16
extending command logging

Quote:
Originally Posted by jcookeman
There is a way to tune it for root only. So, I will check this further and may even extend the source to only cover calls from OpenSSH.
As a dirty hack, you could have snoopy.c check for the existence of "SSH_CLIENT" or such, but someone could unset this environment variable and fork a sub-shell.

For /proc filesystems, I extended the code to see if the process is the ancestor of a certain named process. However, it is not fool-proof. For instance, it's possible to run a process in the background, detached from any ancestor, and thus it would evade any such detection.

On the other hand, it might be possible to extend this code further to exclude processes that are children of, say, cron. But I would prefer to simply log the process with its associated caller. So, for instance, if the current process doesn't have a controlling terminal, find the oldest non-init ancestor process and log that information. This way things like logwatch can better decide how to deal with such info.

Check on the sourceforge bulletin boards for the patch I posted there.
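The /proc ancestry check that posts #3 and #4 talk about (is this exec() call a descendant of sshd, and if the process has no controlling terminal, who is its oldest non-init ancestor), written out as an added example. This is not snoopy's code and not the patch otheus posted on SourceForge; it assumes the Linux /proc/<pid>/stat layout (pid, comm in parentheses, state, ppid, pgrp, session, tty_nr, ...) and uses a constructed process table, labelled as such, so the walk can be exercised without a live sshd session. The lookup is a function pointer so the same walker runs against real /proc or the table.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Fields of /proc/<pid>/stat that the ancestry check needs. */
struct pstat {
    pid_t pid;
    char  comm[64];   /* executable name without the surrounding parentheses */
    char  state;
    pid_t ppid;
    int   tty_nr;     /* 0 means no controlling terminal */
};

/* Parse one /proc/<pid>/stat line. comm is wrapped in parentheses and may
 * itself contain spaces and ')' (prctl(PR_SET_NAME) lets a process pick it),
 * so anchor on the LAST ')' rather than splitting on whitespace; otherwise a
 * hostile comm shifts every later field, including ppid. */
int parse_proc_stat(const char *line, struct pstat *out)
{
    const char *lp = strchr(line, '(');
    const char *rp = strrchr(line, ')');
    int ppid, tty;
    if (lp == NULL || rp == NULL || rp < lp)
        return -1;
    out->pid = (pid_t)strtol(line, NULL, 10);
    size_t n = (size_t)(rp - lp - 1);
    if (n >= sizeof out->comm)
        n = sizeof out->comm - 1;
    memcpy(out->comm, lp + 1, n);
    out->comm[n] = '\0';
    /* after ')': state ppid pgrp session tty_nr ... */
    if (sscanf(rp + 1, " %c %d %*d %*d %d", &out->state, &ppid, &tty) != 3)
        return -1;
    out->ppid = (pid_t)ppid;
    out->tty_nr = tty;
    return 0;
}

/* How the walker looks a process up; real /proc, or a table for offline use. */
typedef int (*stat_lookup_fn)(pid_t pid, struct pstat *out, void *ctx);

int read_proc_stat(pid_t pid, struct pstat *out, void *ctx)
{
    (void)ctx;
    char path[64], buf[1024];
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    int got = fgets(buf, sizeof buf, f) != NULL;
    fclose(f);
    return got ? parse_proc_stat(buf, out) : -1;
}

#define MAX_HOPS 256  /* bound the walk so a bogus ppid chain cannot loop forever */

/* 1 if pid or an ancestor has comm == name, 0 if init is reached first, -1 on lookup error. */
int descends_from(pid_t pid, const char *name, stat_lookup_fn lookup, void *ctx)
{
    struct pstat st;
    for (int hops = 0; hops < MAX_HOPS && pid > 1; hops++) {
        if (lookup(pid, &st, ctx) != 0)
            return -1;
        if (strcmp(st.comm, name) == 0)
            return 1;
        pid = st.ppid;
    }
    return 0;
}

/* 1 if the process has a controlling terminal, 0 if not, -1 on lookup error. */
int has_controlling_tty(pid_t pid, stat_lookup_fn lookup, void *ctx)
{
    struct pstat st;
    if (lookup(pid, &st, ctx) != 0)
        return -1;
    return st.tty_nr != 0;
}

/* The "associated caller" of post #4: the oldest ancestor that is not init.
 * A command that daemonised (double fork, setsid) was reparented to init, so
 * this returns the command itself; that is the gap the post says is not
 * fool-proof, and tty_nr == 0 is the hint that it happened. */
pid_t oldest_non_init_ancestor(pid_t pid, stat_lookup_fn lookup, void *ctx)
{
    struct pstat st;
    pid_t cur = pid;
    for (int hops = 0; hops < MAX_HOPS; hops++) {
        if (lookup(cur, &st, ctx) != 0)
            return -1;
        if (st.ppid <= 1)
            return cur;
        cur = st.ppid;
    }
    return -1;
}

/* Constructed process table (not captured from a real host), shaped like a
 * session: 1 init -> 900 sshd -> 901 sshd -> 950 bash -> 960 "vim (secure)",
 * plus 970 evil, which detached itself and was reparented to init. */
struct fake_entry { pid_t pid; const char *stat_line; };
static const struct fake_entry FAKE_TABLE[] = {
    {   1, "1 (init) S 0 1 1 0 -1" },
    { 900, "900 (sshd) S 1 900 900 0 -1" },
    { 901, "901 (sshd) S 900 901 901 0 -1" },
    { 950, "950 (bash) S 901 950 950 34816 -1" },
    { 960, "960 (vim (secure)) S 950 950 950 34816 -1" },
    { 970, "970 (evil) S 1 970 970 0 -1" },
};

int fake_lookup(pid_t pid, struct pstat *out, void *ctx)
{
    (void)ctx;
    for (size_t i = 0; i < sizeof FAKE_TABLE / sizeof FAKE_TABLE[0]; i++)
        if (FAKE_TABLE[i].pid == pid)
            return parse_proc_stat(FAKE_TABLE[i].stat_line, out);
    return -1;
}

int main(void)
{
    printf("this process under sshd: %d\n", descends_from(getpid(), "sshd", read_proc_stat, NULL));
    printf("960 under sshd: %d  970 under sshd: %d  caller of 970: %d  970 has tty: %d\n",
           descends_from(960, "sshd", fake_lookup, NULL),
           descends_from(970, "sshd", fake_lookup, NULL),
           (int)oldest_non_init_ancestor(970, fake_lookup, NULL),
           has_controlling_tty(970, fake_lookup, NULL));
    return 0;
}
```

Dropped into an exec() hook, the decision would be made on getpid() with read_proc_stat; pid 970 in the table shows the evasion the post describes, where the walk finds no sshd and the only "caller" left to log is the process itself, so logging tty_nr alongside the command is what lets logwatch-style tooling flag it.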
 