SSH
Horzerus, 2014-08-11 17:16:03

Are there SSH proxies for logging?

Task: for security reasons, it is required to log all user actions (execution of commands) in the ssh terminal, in order to be able to analyze the history (if necessary).
Perhaps there is some software, something like an "SSH proxy", that passes SSH traffic through itself and at the same time keeps a log at the level of the commands used / "terminal sheets"?
Usual scenario:
[image: usual scenario, client connecting directly to the server over SSH]
With an SSH proxy:
[image: scenario with an SSH proxy between the client and the server]
Or maybe it is worth looking in some other direction to solve this problem?
Thank you.


2 answer(s)
Semyon Voronov, 2014-08-11
@Gineaser

Try the snoopy (snoopy logger) ELF library. There are ready-made packages for most rpm/deb systems.
It logs all commands executed from the console, all scripts that run, etc. You can get around it only by disabling the preload of the library (which effectively requires superuser rights).
The output in the logs is extremely detailed and informative. Example:

Aug 10 06:30:01 ctrx snoopy[15967]: [uid:0 sid:15967 tty: cwd:/root filename:/usr/bin/scp]: scp [email protected]***********:/home/www-data/downld02.txt /var/www/ctrx.com/collect/downld02.txt
Aug 10 06:30:01 ctrx snoopy[15968]: [uid:0 sid:15968 tty: cwd:/root filename:/srv/www/forum.ctrx.com/bin/collect-stats]: /srv/www/forum.ctrx.com/bin/collect-stats
Aug 10 06:30:01 ctrx snoopy[15966]: [uid:0 sid:15966 tty: cwd:/root filename:/srv/www/www.ctrx.com/bin/process-collect-data]: /srv/www/www.ctrx.com/bin/process-collect-data
Aug 10 06:30:01 ctrx snoopy[15969]: [uid:0 sid:15969 tty: cwd:/root filename:/usr/bin/sync-video]: /usr/bin/sync-video
Aug 10 06:30:01 ctrx snoopy[15971]: [uid:0 sid:15969 tty: cwd:/root filename:/usr/bin/basename]: basename /usr/bin/sync-video
Aug 10 06:30:01 ctrx snoopy[15973]: [uid:0 sid:15969 tty: cwd:/root filename:/usr/bin/flock]: flock -n 9
Aug 10 06:30:01 ctrx snoopy[15974]: [uid:0 sid:15969 tty: cwd:/root filename:/usr/bin/rsync]: rsync -a -L --log-file=/var/log/sync.log [email protected]**********:/srv/video /var/www/ctrx.com/alias.ctrx.com/docs/projects/ctrx.com/
Aug 10 06:30:02 ctrx CRON[15963]: pam_unix(cron:session): session closed for user root
Aug 10 06:30:02 ctrx snoopy[15977]: [uid:106 sid:44096 tty: cwd:/ filename:/bin/cat]: cat /proc/diskstats

As you can see, the exact date, host, uid, sid, terminal, cwd and command are logged.
Next, you can configure syslog-ng / rsyslog on the host to separate the snoopy logs (by default everything goes to auth.log) and, if needed, send them via TCP/UDP to a log collector for further analysis and storage.
Personally, I try to combine it with the standard auth and authpriv facilities and split it by host / user, in order to see who logged in when and what they did, and also to filter out noise from service users like zabbix (from zabbix-agentd), which executes a bunch of commands that are, in principle, not needed in the logs.

PS By the way, thanks to this library I learned a lot about the "hidden life" of processes happening in various systems (Debian 6.7, Arch, RH5, Ubuntu Server 12.04/14.04) without my knowledge. Ubuntu Server stood out in particular, in a bad way.
Another bug was found in Debian 6 in the bash_completion scripts. Wheezy has already fixed it.
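The answer above recommends splitting snoopy output per host/user and filtering out service-account noise (zabbix, cron jobs) so that only "who logged in and what did they run" remains. As an added example, not part of the original answer, here is a small Python parser for the snoopy line format shown above that does exactly that: it extracts the uid/sid/tty/cwd/filename fields, drops non-snoopy syslog lines and the uids you want to ignore, keeps only commands that ran on a real terminal, and groups them by session id. The sample log lines are constructed for this example in the same format as the answer's excerpt (hosts, usernames and IPs in them are made up), and the uid 106 used for the service account is an assumption.

```python
import re
from collections import defaultdict

# Regex for the snoopy (syslog) line format shown in the answer:
#   <timestamp> <host> snoopy[<pid>]: [uid:N sid:N tty:T cwd:P filename:F]: <argv>
# "tty:" is empty for non-interactive processes (cron, daemons), so \S* is used there.
# Paths containing whitespace are not handled; snoopy's default format does not quote them.
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snoopy\[(?P<pid>\d+)\]: "
    r"\[uid:(?P<uid>\d+) sid:(?P<sid>\d+) tty:(?P<tty>\S*) cwd:(?P<cwd>\S+) "
    r"filename:(?P<filename>\S+)\]: (?P<argv>.*)$"
)

# Constructed sample input (not real log data): two root cron commands, one CRON
# session line, one command from a monitoring service user (uid 106, assumed) and
# one interactive command from a logged-in user on a pty.
SAMPLE_LINES = [
    "Aug 10 06:30:01 ctrx snoopy[15967]: [uid:0 sid:15967 tty: cwd:/root "
    "filename:/usr/bin/scp]: scp backup@10.0.0.5:/home/www-data/downld02.txt /var/www/ctrx.com/collect/downld02.txt",
    "Aug 10 06:30:01 ctrx snoopy[15971]: [uid:0 sid:15969 tty: cwd:/root "
    "filename:/usr/bin/basename]: basename /usr/bin/sync-video",
    "Aug 10 06:30:02 ctrx CRON[15963]: pam_unix(cron:session): session closed for user root",
    "Aug 10 06:30:02 ctrx snoopy[15977]: [uid:106 sid:44096 tty: cwd:/ "
    "filename:/bin/cat]: cat /proc/diskstats",
    "Aug 10 06:31:10 ctrx snoopy[16002]: [uid:1000 sid:15990 tty:/dev/pts/0 cwd:/home/alice "
    "filename:/usr/bin/sudo]: sudo rm -rf /var/log/auth.log",
]


def parse_line(line):
    """Return a dict of the snoopy fields, or None if the line is not a snoopy event."""
    m = SNOOPY_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["uid"] = int(event["uid"])
    event["pid"] = int(event["pid"])
    return event


def filter_events(lines, ignore_uids=frozenset()):
    """Parse all snoopy lines, dropping other syslog lines and the given service uids."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["uid"] in ignore_uids:
            continue
        events.append(ev)
    return events


def interactive_only(events):
    """Keep only commands that had a controlling terminal (i.e. typed by a logged-in user)."""
    return [ev for ev in events if ev["tty"]]


def group_by_session(events):
    """Map session id -> list of argv strings, preserving log order (one shell login = one sid)."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[ev["sid"]].append(ev["argv"])
    return dict(sessions)


def session_report(lines, ignore_uids=frozenset()):
    """Per-session summary of interactive commands, after noise filtering."""
    events = interactive_only(filter_events(lines, ignore_uids))
    return {
        sid: {"uid": cmds[0]["uid"], "tty": cmds[0]["tty"], "commands": [c["argv"] for c in cmds]}
        for sid, cmds in _by_sid(events).items()
    }


def _by_sid(events):
    out = defaultdict(list)
    for ev in events:
        out[ev["sid"]].append(ev)
    return out


if __name__ == "__main__":
    for sid, info in session_report(SAMPLE_LINES, ignore_uids={106}).items():
        print(f"sid={sid} uid={info['uid']} tty={info['tty']}")
        for cmd in info["commands"]:
            print(f"    {cmd}")
```

In practice you would feed it the file rsyslog writes for the snoopy program name (or the lines a collector receives), and tune `ignore_uids` to the service accounts on your hosts rather than hard-coding 106. Filtering on an empty `tty` is a cheap way to separate cron/daemon activity from things a human typed, which is what the question is actually after.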

BAV_Lug, 2014-08-15
@BAV_Lug

screen into your hands.
