Real-Time Monitoring of Linux Shell Commands: Techniques for Root Users to Track SSH/Terminal Sessions



As a Linux system administrator, you often need to monitor users' activities for security audits or troubleshooting. The default .bash_history approach has several limitations:

  • Commands are only written at session termination
  • Users can disable history with unset HISTFILE
  • No real-time visibility

The most comprehensive approach uses the kernel's audit subsystem (auditd) to record every execve system call; this catches commands regardless of which shell runs them or whether history is enabled (shell builtins such as cd and export do not exec and are therefore not seen):

# Auditd configuration for command monitoring
# /etc/audit/rules.d/commands.rules
-a exit,always -F arch=b64 -S execve -k cmd_monitor
-a exit,always -F arch=b32 -S execve -k cmd_monitor

After adding these rules, restart auditd:

service auditd restart

For SSH sessions, raise sshd's log level so that logins, key fingerprints and each session start (including pty allocation) are recorded, and have the SFTP subsystem log file operations:

# /etc/ssh/sshd_config
LogLevel VERBOSE
Subsystem sftp /usr/lib/openssh/sftp-server -l INFO

Here's a profile script that logs each interactive bash command line to a per-user file; the directory /var/log/users must exist and be writable by the users being logged:

# /etc/profile.d/command_logger.sh
# Interactive bash only: other shells lack the DEBUG trap, and fc needs history.
[ -n "$BASH_VERSION" ] && [[ $- == *i* ]] || return 0
LOGFILE="/var/log/users/commands_$(whoami)_$(date +%Y%m%d).log"
# Fires before each command; fc -ln -1 prints the line just entered.
trap 'echo "$(date "+%Y-%m-%d %H:%M:%S") $(whoami) [$$]: $(fc -ln -1)" >> "$LOGFILE"' DEBUG

Like the history file, this runs inside the user's own shell and can be switched off by the user, so treat it as convenience logging; the audit rules above remain the authoritative record.

Combine multiple methods for comprehensive monitoring:

  1. Enable auditd rules
  2. Configure centralized logging
  3. Set up real-time alerts

Sample alert script (one mail per matching audit record; on a busy system send the records to a log collector instead):

#!/bin/bash
# Follow audit.log across rotations (-F) and mail each record carrying the cmd_monitor key
tail -F /var/log/audit/audit.log | grep --line-buffered "cmd_monitor" | \
while read -r line; do
  echo "$line" | mail -s "Command Alert" admin@example.com
done

Operational considerations:

  • Inform users about monitoring per company policy
  • Secure log files with proper permissions
  • Consider performance impact on busy systems
  • Implement log rotation to prevent disk filling

As a Linux system administrator, there are legitimate scenarios where you might need to monitor shell commands executed by other users in real-time. This could be for security auditing, troubleshooting, or compliance purposes. While .bash_history provides some visibility, it's not sufficient for real-time monitoring as it only records commands upon session termination.

There are several effective methods to achieve live command monitoring:

1. Using the script Command

You can require users to initiate sessions with the script command, which records everything displayed on the terminal to a typescript file; -f flushes the file after each write so it can be read while the session is still running:

script -f /var/log/user_commands/$USER.log

This creates a real-time log file that root can follow:

tail -f /var/log/user_commands/john.log

The directory must be writable by the users being recorded, and the file holds raw terminal bytes (escape sequences included), so treat it as a session transcript rather than a clean command list.

2. Leveraging auditd Framework

The Linux audit subsystem provides comprehensive monitoring capabilities:

# Install auditd if not present
sudo apt install auditd

# Configure to monitor execve system calls
sudo auditctl -a exit,always -F arch=b64 -S execve -k user_commands

View logs with:

ausearch -k user_commands | aureport -x

or read the full records, with uids and syscall numbers translated into names, using ausearch -k user_commands -i.
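As an added example (not from the original article and not part of auditd's own tooling), the following Python script reconstructs whole command lines from the records an execve rule like the ones above produces. It groups records by audit serial, decodes the hex encoding auditd uses for arguments containing spaces or special characters, joins chunked arguments, and keeps only events tagged with a chosen -k key; this is the reconstruction the alert script in the first part of this page would need in order to mail whole commands rather than raw records. The audit log lines embedded in it are constructed for the example; the field layout follows the standard auditd record format.

```python
import re
import shlex
from datetime import datetime, timezone

# One auditd record: "type=<T> msg=audit(<secs.ms>:<serial>): <key=value fields>"
RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# key=value fields; values are either "quoted" or bare tokens (numbers, hex, (none), ...)
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
# EXECVE argument names: a0, a1, ... or chunked a1[0], a1[1], ... for very long arguments
ARG_RE = re.compile(r'^a(\d+)(?:\[(\d+)\])?$')

# Constructed sample records (not a real system's log): two execve events tagged
# with the cmd_monitor key and one unrelated openat event tagged file_watch.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4501): arch=c000003e syscall=59 success=yes exit=0 a0=55aa a1=55ab a2=55ac a3=0 items=2 ppid=4100 pid=4102 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="cmd_monitor"
type=EXECVE msg=audit(1700000000.101:4501): argc=2 a0="cat" a1="/etc/hostname"
type=CWD msg=audit(1700000000.101:4501): cwd="/home/john"
type=PROCTITLE msg=audit(1700000000.101:4501): proctitle=636174002F6574632F686F73746E616D65
type=SYSCALL msg=audit(1700000000.205:4502): arch=c000003e syscall=59 success=yes exit=0 a0=55b0 a1=55b1 a2=55b2 a3=0 items=2 ppid=4100 pid=4103 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="echo" exe="/usr/bin/echo" key="cmd_monitor"
type=EXECVE msg=audit(1700000000.205:4502): argc=2 a0="echo" a1=68656C6C6F20776F726C64
type=CWD msg=audit(1700000000.205:4502): cwd="/root"
type=SYSCALL msg=audit(1700000000.300:4503): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55c0 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="file_watch"
type=PATH msg=audit(1700000000.300:4503): item=0 name="/etc/crontab" inode=12 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""


def decode_value(raw):
    """Quoted values are literal. The kernel hex-encodes a value (no quotes) when it
    contains spaces, quotes or non-printable bytes, so 'echo hello world' arrives as
    a1=68656C6C6F20776F726C64 and must be decoded before inspection."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_record(line):
    """Split one log line into its type, timestamp, event serial and field dict."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, serial, rest = m.groups()
    return {'type': rtype, 'ts': float(secs), 'serial': int(serial),
            'fields': dict(FIELD_RE.findall(rest))}


def argv_from_execve(fields):
    """Rebuild argv from the EXECVE record, joining chunked aN[i] pieces in order."""
    pieces = {}
    for name, raw in fields.items():
        m = ARG_RE.match(name)
        if m:
            idx, chunk = int(m.group(1)), int(m.group(2) or 0)
            pieces.setdefault(idx, {})[chunk] = decode_value(raw)
    return [''.join(pieces[i][c] for c in sorted(pieces[i])) for i in sorted(pieces)]


def events_from_lines(lines, key=None):
    """Group records by serial and return one dict per execve event. Records of one
    event share a serial but may be interleaved with other events, so grouping
    rather than assuming adjacency is required. With key set, only events tagged
    by that auditctl -k key are returned."""
    by_serial = {}
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            by_serial.setdefault(rec['serial'], []).append(rec)
    events = []
    for serial, recs in by_serial.items():
        by_type = {r['type']: r['fields'] for r in recs}
        if 'SYSCALL' not in by_type or 'EXECVE' not in by_type:
            continue  # not an execve event (e.g. a file watch) or incomplete
        sc = by_type['SYSCALL']
        ev_key = decode_value(sc.get('key', '(null)'))
        if key is not None and ev_key != key:
            continue
        events.append({
            'serial': serial,
            'ts': next(r['ts'] for r in recs),
            'auid': int(sc.get('auid', -1)),  # login uid: survives su/sudo, so attribute to it
            'uid': int(sc.get('uid', -1)),
            'pid': int(sc.get('pid', -1)),
            'tty': sc.get('tty'),
            'exe': decode_value(sc.get('exe', '')),
            'cwd': decode_value(by_type.get('CWD', {}).get('cwd', '')) or None,
            'argv': argv_from_execve(by_type['EXECVE']),
            'key': ev_key,
        })
    return events


def format_event(ev):
    """One alert line per command, with argv re-quoted for unambiguous reading."""
    when = datetime.fromtimestamp(ev['ts'], timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')
    return (f"{when} auid={ev['auid']} uid={ev['uid']} pid={ev['pid']} tty={ev['tty']} "
            f"cwd={ev['cwd']}: {shlex.join(ev['argv'])}")


def alert_lines(log_text, key='cmd_monitor'):
    """Alert text for every execve event carrying the given key."""
    return [format_event(ev) for ev in events_from_lines(log_text.splitlines(), key)]


if __name__ == '__main__':
    for line in alert_lines(SAMPLE_AUDIT_LOG):
        print(line)
```

Fed the output of tail -F /var/log/audit/audit.log instead of the embedded sample, alert_lines produces one line per command, and the auid field is the one to attribute commands to, since it is the login uid and survives su and sudo while uid changes.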

3. SSH Forced Command Logging

For SSH sessions, you can add a Match block to /etc/ssh/sshd_config (Match blocks apply until the next Match, so they belong after the global settings at the end of the file):

Match User john
    ForceCommand script -q -c "/bin/bash" /var/log/ssh/john.log

Then restart SSH:

systemctl restart sshd

Because ForceCommand replaces whatever command the client requested, scp, sftp and rsync for that user are also forced into a logged interactive bash and stop working unless the wrapper handles $SSH_ORIGINAL_COMMAND. As with script above, /var/log/ssh must be writable by john, so these logs are not tamper-resistant; auditd remains the stronger record.

For more sophisticated monitoring:

Process Monitoring with strace

Attach to a running shell and follow the children it forks (an interactive shell forks before calling execve, so without -f the command executions would be missed):

sudo strace -f -p PID -e trace=execve -s 2000

This shows every command executed by that shell, with -s 2000 keeping long argument lists from being truncated. Attaching with ptrace slows the traced process and may be restricted by the kernel's ptrace_scope setting, so this suits short troubleshooting sessions rather than continuous monitoring.

Kernel Module Approach

For persistent monitoring, consider a kernel module. The skeleton below only logs its own load and unload; actual command capture would hook execve from inside it (for example via a kprobe or tracepoint), which is not shown here:

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/sched.h>

/* Runs on insmod: a real monitor would register its execve hook here */
static int __init monitor_init(void) {
    printk(KERN_INFO "Command monitoring module loaded\n");
    return 0;
}

/* Runs on rmmod: unregister the hook here */
static void __exit monitor_exit(void) {
    printk(KERN_INFO "Command monitoring module unloaded\n");
}

module_init(monitor_init);
module_exit(monitor_exit);

/* Without a license declaration the kernel is marked tainted on load */
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Skeleton for a command monitoring module");

Before implementing any monitoring solution:

  • Ensure compliance with company policies and local laws
  • Inform users about monitoring when required
  • Consider privacy implications of command logging
  • Store logs securely with proper access controls

For environments where direct monitoring isn't possible, sudo itself can log every privileged command. Add the following to /etc/sudoers (edit it with visudo so a syntax error cannot lock you out):

# Log every sudo invocation to a file, and record each session's keyboard input and terminal output
Defaults logfile="/var/log/sudo.log"
Defaults log_input, log_output

This provides comprehensive logging of privileged commands; the I/O recordings are stored under /var/log/sudo-io by default and can be replayed with sudoreplay.