SSH session logging / recording

From lxadm | Linux administration tips, tutorials, HOWTOs and articles

To implement simple server-side SSH session logging, follow these steps.

The “script” command can be used to log user activity. The session transcript can then be emailed to several recipients and the log file removed.

Add this to the user’s .bash_profile file, or construct something similar:

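CURDATE=$(date +%F-%T)
 
EMAILS="user@example.com otherrecipient@example.com"
 
# mktemp creates the file with mode 0600 and an unpredictable name,
# instead of a guessable $RANDOM-based path in world-writable /tmp
LOGFILE=$(mktemp "/tmp/session-$USER-$CURDATE.XXXXXX") || exit 1
 
# -f flushes output after each write, -q suppresses the start/done messages
script -f -q "$LOGFILE"
for EMAIL in $EMAILS; do
    mail -s "SSH session transcript for $USER at $CURDATE" "$EMAIL" < "$LOGFILE"
done
rm -f "$LOGFILE"
# end the login shell once the recorded session is over
exit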

Notes:

  • do not treat this as a security feature: the user can easily manipulate or remove the log file, use a different shell, etc.,
  • sending an email may not be a good idea if you expect lots of output (e.g. cat /dev/urandom).
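
One way to handle the large-output case from the last note, as an added example that is not part of the original page: cap what gets mailed by keeping only the beginning and end of the transcript. The names `cap_transcript` and `MAX_BYTES` and the 64 KiB default are assumptions made for this example.

```shell
#!/bin/bash
# Added example: bound the size of a script(1) transcript before mailing it.
# cap_transcript and MAX_BYTES are hypothetical names, not from the original page.

MAX_BYTES=${MAX_BYTES:-65536}   # assumed limit: 64 KiB per mail

# Print the transcript to stdout. If the file is larger than the limit, print
# only the first and last limit/2 bytes with a marker line in between.
# Usage: cap_transcript <logfile> [limit_in_bytes]
cap_transcript() {
    local file="$1" limit="${2:-$MAX_BYTES}" size half
    [ -r "$file" ] || return 1
    size=$(wc -c < "$file") || return 1
    size=$((size))              # drop padding that some wc implementations add
    if [ "$size" -le "$limit" ]; then
        cat -- "$file"
        return 0
    fi
    half=$((limit / 2))
    head -c "$half" -- "$file"
    printf '\n[... %d bytes omitted from a %d byte transcript ...]\n' \
        "$((size - 2 * half))" "$size"
    tail -c "$half" -- "$file"
}

# In the mail loop, pipe the capped transcript instead of the whole file:
#   cap_transcript /path/to/session.log | mail -s "subject" recipient@example.com
```

The cap only limits the mail size; the log file on disk still grows for the whole session until it is removed.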