Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I just wanted to ask if anyone here knows a way to log commands run by users via ssh (i.e. no bash shell).
I've got /etc/profile set up to use logger and logname to log whatever a user types in their bash shell to syslog-ng. This does not work to log what I and other sysadmins do in ssh loops (which I do often to do work on multiple servers). A very simple example of something we might do is:
for i in server1 server2 server3 ; do ssh user@$i "uname -a" ; done
I would like to log that 'user' ran 'uname -a'! I've experimented with a package called snoopy, which records all exec() calls made by users, and it does indeed catch 'uname -a', but it spams the logs with a bunch of other system call info which I do not want. I've got syslog-ng and can set up whatever filters to catch stuff... I just need the commands to show up SOMEWHERE so that when something screws up we can audit and backtrack.
I was just wondering if anyone here has dealt with this problem before and if they had come up with anything?
Unfortunately, both of those monitor shell sessions. SSHd seems to be making exec() calls without invoking a proper shell. If I or any other admin wanted to, say, install snmpd on 15 boxes, I'm not going to log into each one; I'm going to do:
for i in `cat serverlist` ; do ssh $i "sudo yum install snmpd -y" ; done
It looks like I'm going to have to look at process accounting. Should probably do this anyways to keep track of config management daemons.
Anyways figured I'd ask. I've used psacct packages and they kind of suck. If anyone knows of something that could keep track of sshd feel free to post! Snoopy does it but it's kinda hokey, not sure how well it would stand up in a production environment.
There's other ways to log syscalls. In kernel 2.4 you had Syscalltrace and GRSecurity verbose logging. In kernel 2.6 GRSecurity should still be usable in terms of logging syscalls, else the Audit package should be able to. Whichever option you choose, it would need to be set up properly before use, though the level of invasiveness depends on the distributions and kernels in use.
Maybe I don't understand you, but what's wrong with using sudo?
From the sudo manpage:
Quote:
sudo can log both successful and unsuccessful attempts (as well as errors) to syslog(3), a log file, or both. By default sudo will log via syslog(3) but this is changeable at configure time or via the sudoers file.
Cool thanks for the info unSpawn. I will likely report back here once I finally get the chance to work on this. After a quick search, it looks like the latest 2.6.x series linux kernels have some pretty good accounting updates.
chrism01, sudo does indeed log even if you're calling a command from ssh without invoking a shell:
zigz$ ssh user@host1 "sudo this gets ran and logged on host1"
but nothing gets logged in this scenario:
zigz$ ssh user@host1 "this gets ran on host1 but does not get logged"
Sysadmins are not going to use sudo when they don't need to, and unprivileged users can't use sudo. Also if root ssh logins are enabled sudo is never needed.
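One way to close the gap in that second scenario (an added example, not code from this thread): an sshd ForceCommand wrapper, at an assumed path such as /usr/local/sbin/ssh-cmd-log, that writes SSH_ORIGINAL_COMMAND to syslog through logger, the same channel the /etc/profile hook already feeds, and then runs the command the way sshd would have. ForceCommand and SSH_ORIGINAL_COMMAND are standard OpenSSH features; the script name, log tag and the SSH_CMD_LOG_NOEXEC guard variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from this thread: a wrapper for sshd's ForceCommand
# directive (assumed: ForceCommand /usr/local/sbin/ssh-cmd-log in sshd_config).
# sshd puts the command the client asked for into SSH_ORIGINAL_COMMAND, so the
# wrapper can record it with logger and then run it exactly as sshd would.

# Build the one-line syslog record. Kept as a function so it can be checked
# without calling logger.
format_record() {
    # $1 = user, $2 = client address, $3 = requested command (empty = shell)
    cmd=$3
    [ -n "$cmd" ] || cmd="<interactive shell>"
    # Flatten newlines so one request cannot forge a second log line.
    cmd=$(printf '%s' "$cmd" | tr '\n\r' '  ')
    printf 'user=%s client=%s cmd=%s' "$1" "$2" "$cmd"
}

# The client address is the first word of SSH_CONNECTION (set by sshd).
client_addr() {
    set -- ${SSH_CONNECTION:-unknown}
    printf '%s' "$1"
}

run_wrapper() {
    record=$(format_record "$(id -un)" "$(client_addr)" "${SSH_ORIGINAL_COMMAND:-}")
    logger -t ssh-cmd -p auth.info "$record"
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        # No command requested: hand the session to the login shell, where the
        # existing /etc/profile logging takes over.
        exec "${SHELL:-/bin/sh}" -l
    fi
    # Same form sshd itself uses for a remote command.
    exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
}

# Only behave as the wrapper when sshd invoked us; SSH_CMD_LOG_NOEXEC (an
# assumed variable) lets the file be sourced for testing without executing.
if [ -n "${SSH_CONNECTION:-}" ] && [ -z "${SSH_CMD_LOG_NOEXEC:-}" ]; then
    run_wrapper
fi
```

ForceCommand can be scoped with a Match block so it only applies to the accounts you care about; a user who is handed an interactive shell can still run commands the wrapper never sees, which is what the /etc/profile logging is for.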