Audit of who ran what command via ssh with shared account
I don't see a way to do it in one place, but if you're willing to trudge through the logs you can get SSHD to log the key fingerprint when someone logs in:
And then log the commands:
How do I log every command executed by a user?
Notice in the comments there's a note about getting this to work on Ubuntu.
You can then connect the session ID found in the system logs to the command logs through ausearch:
http://linux.die.net/man/8/ausearch
In the end, if you can separate the accounts (and manage permissions based on a group?) that might simplify things for you.
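The correlation described in this answer, as an added example that is not part of the original answer: it joins the fingerprint from the sshd log to audit records through the session ID (`ses=`). The log lines are constructed samples, and it assumes the pid in `sshd[...]` matches the pid of the audit `LOGIN` record, that pids are not reused within the window examined, and that commands are captured as `TTY` keystroke records.

```python
import re

# Constructed sshd lines (OpenSSH format that includes the key fingerprint).
AUTH_LOG = """\
Jan 16 10:00:01 web1 sshd[2101]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2: RSA SHA256:CONSTRUCTED_FP_KEY_A
Jan 16 10:05:30 web1 sshd[2177]: Accepted publickey for deploy from 192.0.2.11 port 50500 ssh2: RSA SHA256:CONSTRUCTED_FP_KEY_B
"""

# Constructed audit records: both logins share auid=1001, only ses= differs.
AUDIT_LOG = """\
type=LOGIN msg=audit(1389866401.100:310): pid=2101 uid=0 old-auid=4294967295 auid=1001 tty=(none) old-ses=4294967295 ses=41 res=1
type=TTY msg=audit(1389866420.200:315): tty pid=2110 uid=1001 auid=1001 ses=41 major=136 minor=0 comm="bash" data=6C73202F746D700D
type=LOGIN msg=audit(1389866730.100:330): pid=2177 uid=0 old-auid=4294967295 auid=1001 tty=(none) old-ses=4294967295 ses=42 res=1
type=TTY msg=audit(1389866745.300:338): tty pid=2190 uid=1001 auid=1001 ses=42 major=136 minor=1 comm="bash" data=1B5B410D
"""

ACCEPT = re.compile(r"sshd\[(\d+)\]: Accepted publickey for \S+ from \S+ port \d+ ssh2: \S+ (\S+)")
FIELD = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def fingerprints_by_pid(auth_log):
    """Map the sshd pid that accepted a key to that key's fingerprint."""
    return {m.group(1): m.group(2) for m in ACCEPT.finditer(auth_log)}

def correlate(auth_log, audit_log):
    """Return (fingerprint, session id, keystrokes) for every TTY record."""
    fp_by_pid = fingerprints_by_pid(auth_log)
    fp_by_ses, rows = {}, []
    for line in audit_log.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("type") == "LOGIN" and f.get("res", "1") == "1":
            # Assumption: the LOGIN record's pid is the sshd pid in syslog.
            if f.get("pid") in fp_by_pid:
                fp_by_ses[f["ses"]] = fp_by_pid[f["pid"]]
        elif f.get("type") == "TTY" and "data" in f:
            # data= is hex-encoded raw terminal input, not a parsed command.
            keys = bytes.fromhex(f["data"]).decode("latin-1")
            rows.append((fp_by_ses.get(f.get("ses"), "unknown"), f.get("ses"), keys))
    return rows

if __name__ == "__main__":
    for fp, ses, keys in correlate(AUTH_LOG, AUDIT_LOG):
        print(f"ses={ses} key={fp} input={keys!r}")
```

The second session's input decodes to an up-arrow escape sequence followed by Enter, which is the keystroke-level limitation raised in the comments.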
Comments
-
moinudin over 1 year
We use shared accounts on our servers. Each uses a different ssh key. Is there a way to create an audit trail of who ran what commands? We can distinguish real "users" by the ssh key used.
-
Falcon Momot over 10 years
I don't think there is a way, and especially not one that isn't easily bypassed or an ugly hack. It's much better to abolish shared accounts.
-
moinudin over 10 years
While we're still small, it's hugely convenient sharing accounts for things like pushing to prod. This isn't a trust issue, but rather being able to easily track down who's running long-running commands, for example.
-
moinudin over 10 years
Unfortunately the commands logged are more like key presses, so if a user hits up+enter those keys are logged rather than the command.
-
Falcon Momot over 10 years
That is because the software doing the logging is unaware of the shell. If it operated any other way it could be defeated by running a subshell.