[SATLUG] How to monitor SSH session?
Channing
Channing.ML at ChanningC.com
Sat Apr 14 01:26:30 CDT 2007
Sean Carolan wrote:
>> > > I was going to say that if you just want to see the commands and not the
>> > > output you could do a tail -f on .bash_history, but it seems that it doesn't
>> > > update the file in real time, but only after they log out.
>
> We have reached a reasonable solution - the user gets sudo access so
> that any commands run as root will be logged to /var/log/secure. The
> normal .bash_history can be reviewed after they log out. I don't
> really *need* to see every command as it's typed, just was wondering
> if there was an easy way to do it.
Sean,
You are on the right track with the sudo logging. Now if you were to
add http://www.ossec.net, a host-based IDS, and just add a monitor that
sent you messages when new entries are matched (i.e.
<regex>^sudo:.+</regex>), you'd have your real-time information.
HTH,
Channing
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
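
Added example, not part of the original message and not an OSSEC configuration: a stand-alone Python sketch of what matching sudo entries in /var/log/secure surfaces, including failed and denied attempts. The log lines are constructed, the layout is assumed to be the common syslog sudo format, and the function names are hypothetical.

```python
import re

# Constructed sample lines in the usual syslog layout of /var/log/secure.
SAMPLE_LOG = """\
Apr 14 01:20:11 web01 sshd[2210]: Accepted password for sean from 192.0.2.10 port 51234 ssh2
Apr 14 01:21:03 web01 sudo:     sean : TTY=pts/1 ; PWD=/home/sean ; USER=root ; COMMAND=/bin/cat /etc/shadow
Apr 14 01:21:03 web01 sudo: pam_unix(sudo:session): session opened for user root by sean(uid=0)
Apr 14 01:21:40 web01 sudo:     sean : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/sean ; USER=root ; COMMAND=/bin/su -
Apr 14 01:22:05 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
"""

# Syslog timestamp and host, the "sudo:" tag, then "<user> : <fields>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssudo:\s+"
    r"(?P<user>\S+)\s:\s(?P<body>.+)$"
)

def parse_sudo_line(line):
    """Return a dict for a sudo command entry, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # COMMAND is always the last field and may itself contain " ; ",
    # so cut it off before splitting the remaining fields.
    head, _, command = m["body"].partition(" ; COMMAND=")
    event = {"time": m["ts"], "host": m["host"], "user": m["user"],
             "command": command, "note": None}
    for field in head.split(" ; "):
        key, sep, value = field.partition("=")
        if sep and key.isupper():
            # USER= is the target account, not the invoking user.
            event["run_as" if key == "USER" else key.lower()] = value
        else:
            event["note"] = field.strip()  # sudo's failure reason
    return event

def sudo_events(lines):
    """Keep only the lines that parse as sudo command entries."""
    return [e for e in map(parse_sudo_line, lines) if e]

def format_alert(event):
    """One-line summary suitable for a mail or pager message."""
    status = event["note"] or "ok"
    return "{time} {host}: {user} -> {run_as}: {command} [{0}]".format(status, **event)

if __name__ == "__main__":
    for ev in sudo_events(SAMPLE_LOG.splitlines()):
        print(format_alert(ev))
```
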