Log ssh sessions using open source tools
Philipp Marek
philipp at marek.priv.at
Sun Nov 4 06:31:57 AEDT 2018
Well, one way might be to have strace active on the ssh process. You can only log program executions like this:
strace -f -p <pid of process> -v -e execve -o <logfile>
Though you'll need'l to know the parent/child relationships and user IDs, as well as file descriptors, so there should be fork,clone,open,close,openat,dup,dup2,setuid,seteuid,setreuid and perhaps a few others in the set of traced syscalls.
I guess that a "restricted shell" might be another way; or, if you have cooperation of the users involved, a simple "force-command" involving "script" (1) might work as well.
If you are not sure about users' cooperation, you'll need some protected process - like the strace running as uid 0.
More information about the openssh-unix-dev
mailing list