Tracking Changes with SSH Audit Logging

Audit logging for SSH is important for system safety, and it’s typically an vital a part of compliance rules. Developers and directors ought to solely be granted entry to the assets they want, and a steady monitoring system must be in place to make sure that they aren’t abusing that entry.

In this text, we’ll discover some strategies you should utilize for SSH audit logging, together with creating trackable logs, stopping log manipulation, and utilizing an interactive logging instrument.

Create trackable logs

For audit logging for SSH to be efficient, you may assign every consumer a singular login. This strategy allows you to monitor consumer logins and logouts within the /var/log/auth.log file. You also can change the log degree by setting LogLevel VERBOSE in sshd_config to supply extra detailed info.

Don’t be tempted to create shared credentials like “admin,” which masks the true id of a consumer in your logs.

It’s additionally vital to make sure that customers don’t have privileges to amend auth.log or another log file. No consumer ought to ever have the ability to delete or in any other case manipulate their entry historical past. Typically, solely the syslog consumer can write to auth.log, and solely different members of the adm group can learn it. However, if a consumer has root entry, they will each learn and write to auth.log — and anything on their system.

When you’re outfitted with details about who logged in and when, you may examine that consumer’s .bash_history file to find what instructions they executed throughout their session. There are additionally interactive logging instruments reminiscent of tlog (a part of Red Hat Enterprise Linux) that enables terminal I/O recording with a “playback” performance which can be utilized to see the instructions customers executed within the licensed periods.

If you’re utilizing .bash_history, guarantee to take away write entry to .bash_history to forestall the consumer from eradicating or disguising their exercise.

Prevent log manipulation

A malicious consumer who desires to cover exercise of their bash historical past may use one among a number of strategies. One methodology is to clear the file’s contents, and even take away the file fully, utilizing instructions like:

$ cat /dev/null > ~/.bash_history


To stop this deletion, you may change the file to append-only through the use of the chattr command:

$ chattr +a /house/bad-user/.bash_history

A pleasant facet impact of setting this flag is that it additionally prevents the consumer from linking .bash_history to /dev/null.

To apply this setting to all customers with a single command, execute:

$ discover /house/ -maxdepth 3|grep -i bash_history|whereas learn line; do chattr +a "$line"; carried out

More technically adept customers may attempt to keep away from logging instructions to .bash_history by altering the default values of HISTFILE or HISTFILESIZE to a unique file location and null, respectively. So, you may contemplate marking these settings as read-only in /and many others/bash.bashrc or in /and many others/profile and forestall customers from modifying these configuration recordsdata too.

While you may script all this, it’s a reasonably cumbersome methodology of audit logging for SSH. And, in case you detect malicious exercise, it may be reasonably difficult to piece collectively what befell. You can solely see the instructions the consumer executed and never what occurred on account of these instructions.

Using a purpose-built logging instrument (e.g., Fluentd, Logstash) and databases (e.g., Elasticsearch, Splunk) helps create a tamperproof database of entry logs. For manufacturing use instances, at all times create a centralized log repository maintained in a devoted server. Document-oriented and time sequence databases are finest fitted to storing entry log information.

Alternatively, you may contemplate an entire resolution for managing SSH entry, reminiscent of Teleport. In addition to safe entry administration options, Teleport maintains the audit log of every little thing occurring in SSH entry, together with event-log (login makes an attempt, file transfers, code execution, filesystem adjustments, or community exercise) and session-recording (interactive SSH periods are recorded for future replay).

Every different week we’ll ship a publication with the newest cybersecurity
information and Teleport updates.


Audit logging for SSH is important to conserving your methods safe. This article lined some fundamental auditing strategies and launched extra superior instruments reminiscent of Teleport, which presents a holistic strategy to identity-based server entry. Learn extra as we speak about how one can handle entry and create wealthy audit logs with our SSH Server Access resolution.

*** This is a Security Bloggers Network syndicated weblog from The Teleport Blog authored by The Teleport Blog. Read the unique publish at:

Related Posts