You will need support for that in your shell. If users use bash, they have a .bash_history in their home directory. You can prevent users from using other shells. .bash_history is however not reliable, and can be avoided (even deleted) by users.
NOTE: make sure users get a legal message saying something like 'Unauthorized access prohibited. All the contents of this session will be logged. Usage implies that you agree to the terms of service.'
The only way to do what you want is to log the whole connection (I know it can be done, but not how). This may prove to be useless, and even problematic, especially if a user screws up and does something like:
cd /; ls -R .
Or, even worse, if he uses a full-screen application (emacs -nw, nano, pico, vi, any editor) you will get loads of junk dumped in your log file. A user may even use this to hide malicious activities (ex. he could use the shell-exec feature in an editor to hide the malicious command in the middle of the editor garbage). He could also do 'nano badcommands.sh; ./badcommands.sh' to hide the commands.
Look at
http://archives.neohapsis.com/archiv...9-q4/0224.html
SSH has a flag to turn this on (man sshd.config):
Quote:
LogLevel
Gives the verbosity level that is used when logging messages from
sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE,
DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO.
DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
higher levels of debugging output. Logging with a DEBUG level
violates the privacy of users and is not recommended.
Note: I don't know how this works with full-screen editors.
Also, don't use telnet, it sends passwords in cleartext.
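As an added example (not code from any poster in this thread), here is one way a reviewer could make a raw full-session capture readable despite the full-screen editor "junk" described above. It assumes the capture is a raw terminal byte stream decoded to text and that the editor switches to the xterm alternate screen; the sample session is constructed.

```python
import re

# Constructed sample of a raw session capture: a typo fixed with backspace,
# a window-title sequence, a full-screen editor, then a script invocation.
SAMPLE = (
    "user@host:~$ lss\b \b -l\r\n"
    "total 0\r\n"
    "\x1b]0;user@host: ~\x07user@host:~$ nano notes.txt\r\n"
    "\x1b[?1049h\x1b[1;1H\x1b[7m  GNU nano  \x1b[0m\x1b[3;1Hsome text\x1b[?1049l"
    "user@host:~$ \x1b[1m./run.sh\x1b[0m\r\n"
)

# Everything drawn between "enter" and "leave" alternate screen is editor output.
ALT = re.compile(r"\x1b\[\?1049h(.*?)\x1b\[\?1049l", re.S)
# OSC sequences (e.g. window titles) and CSI sequences (cursor moves, colours).
OSC = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")

def replay(line):
    """Replay backspace and carriage return so the line reads as it did on screen."""
    out, pos = [], 0
    for ch in line:
        if ch == "\b":
            pos = max(pos - 1, 0)
        elif ch == "\r":
            pos = 0
        elif ch >= " " or ch == "\t":
            if pos < len(out):
                out[pos] = ch          # overwrite, as a terminal would
            else:
                out.append(ch)
            pos += 1
    return "".join(out)

def clean_session(raw):
    """Return (readable lines, number of full-screen spans replaced by a marker)."""
    def marker(m):
        return f"[full-screen application output omitted: {len(m.group(1))} bytes]\n"
    text, fullscreen = ALT.subn(marker, raw)
    text = CSI.sub("", OSC.sub("", text))
    lines = [replay(l).rstrip() for l in text.split("\n")]
    return [l for l in lines if l], fullscreen

if __name__ == "__main__":
    lines, n = clean_session(SAMPLE)
    print("\n".join(lines))
    print(f"{n} full-screen span(s) need separate review")
```

The cleaned log still shows only that nano and ./run.sh were started, not what happened inside them, which is the limitation raised above.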