How do we get from "logging sudoers activity" to "SSH session logging?"
TL;DR: chsh the user to 'sudosh' and allow them only to su to themselves, now you have SSH session recording using the sudoers logging facilities: https://unix.stackexchange.com/a/3512...
(backup: https://0bin.net/paste/+9AJA4yC#hznNj... )
========
$ man sudoers
see I/O LOGGING (`/I/O LOG`), see also EVENT LOGGING
(Hint: while viewing the manpage, type /^\w and press Enter; use n/N to jump forward and backward through the headers)
========
In the sudoers file (edit it with `visudo`), add the LOG_INPUT and LOG_OUTPUT tags to the rule like so:
Old:
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
New:
%wheel ALL=(ALL:ALL) NOPASSWD: LOG_INPUT: LOG_OUTPUT: ALL
========
Logs are in /var/log/sudo-io/ by default, one directory per session ID (/var/log/sudo-io/00/00/??)
========
$ man sudoreplay
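Added example (my own script, not from the original post or the linked answer): it maps the TSID in each sudo syslog line to the session's directory under iolog_dir, so you know what to hand to sudoreplay, and checks that a sudoers rule really carries both logging tags. It assumes the default iolog_dir and sudo's default syslog line shape; the log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes iolog_dir is the
# default /var/log/sudo-io and that sudo logs to syslog in its default
# line format. The sample log lines below are constructed.

IOLOG_DIR="/var/log/sudo-io"

# A session ID (TSID) is six characters; sudo stores the session under
# iolog_dir/XX/XX/XX, i.e. the ID split into three 2-character directories.
tsid_to_iolog_dir() {
    tsid=$1
    [ "${#tsid}" -eq 6 ] || return 1
    printf '%s/%s/%s/%s\n' "$IOLOG_DIR" \
        "$(printf '%s' "$tsid" | cut -c1-2)" \
        "$(printf '%s' "$tsid" | cut -c3-4)" \
        "$(printf '%s' "$tsid" | cut -c5-6)"
}

# Read sudo log lines on stdin; for every line carrying a TSID print
# "user tsid iolog_dir". Lines without a TSID had no I/O logging.
sessions_from_log() {
    while IFS= read -r line; do
        case $line in
            *" TSID="*) ;;
            *) continue ;;
        esac
        user=$(printf '%s' "$line" | sed -n 's/^.*sudo: *\([^ ]*\) : .*/\1/p')
        tsid=$(printf '%s' "$line" | sed -n 's/.* TSID=\([^ ;]*\).*/\1/p')
        dir=$(tsid_to_iolog_dir "$tsid") || continue
        printf '%s %s %s\n' "$user" "$tsid" "$dir"
    done
}

# Succeed only if a sudoers rule has both I/O logging tags set.
rule_logs_io() {
    case $1 in
        *LOG_INPUT:*LOG_OUTPUT:*|*LOG_OUTPUT:*LOG_INPUT:*) return 0 ;;
    esac
    return 1
}

# Constructed sample lines in the shape of sudo's default syslog output.
SAMPLE_LOG='Mar  3 10:15:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=alice ; TSID=000001 ; COMMAND=/bin/bash
Mar  3 10:20:44 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
Mar  3 11:02:09 host sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=carol ; TSID=00000A ; COMMAND=/bin/bash'

printf '%s\n' "$SAMPLE_LOG" | sessions_from_log
```

Each printed session ID can be replayed with `sudoreplay <ID>`, e.g. `sudoreplay 000001`.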
========
But how do you stop the sudoers themselves (the users with sudo rights) from tampering with the logs? Log elsewhere, of course:
```
I/O can be logged either to the local machine or to a remote log server. For local logs, I/O is logged to the directory specified by the iolog_dir
option (/var/log/sudo-io by default) using a unique session ID that is included in the sudo log line, prefixed with ‘TSID=’. The iolog_file option
may be used to control the format of the session ID. For remote logs, the log_servers setting is used to specify one or more log servers running
sudo_logsrvd or another server that implements the protocol described by sudo_logsrv.proto(5).
```
-- sudoers(5)