Enable SSH audit logging
Learn how to set up SSH audit logging on a Linux Ubuntu server
An SSH audit log records details about who accessed a server, what was accessed, and when the access occurred. This security-relevant, chronological record documents the sequence of activities impacting a specific operation, procedure, event, or device.
Enabling SSH audit logging offers you the following benefits:
Satisfies regulatory requirements for data and system access
Helps detect and respond to unauthorized or suspicious activity
Facilitates reconstructing events to understand and correct the problems that contributed to an operational disruption
Provides insights to improve system performance
Assists with regular system auditing
Enables monitoring of staff usage and drives accountability
Set up SSH audit logging
Since use cases vary widely, be sure to test and customize the configuration settings and audit rules for your specific use case.
Follow these steps to set up SSH audit logging on a Linux Ubuntu server:
At the terminal prompt, open the SSH server configuration and set the logging level and the syslog facility that receives the messages:
sudo nano /etc/ssh/sshd_config
# VERBOSE records more detail per connection than the default INFO level
LogLevel VERBOSE
# send sshd messages to the authpriv facility (typically /var/log/auth.log on Ubuntu)
SyslogFacility AUTHPRIV
In /etc/audit/auditd.conf, set where the audit daemon writes its log and how it rotates that file:
sudo nano /etc/audit/auditd.conf
# location of the audit log
log_file = /var/log/audit/audit.log
# maximum size of one log file, in megabytes
max_log_file = 50
# when the limit is reached, start a new file and keep the old ones
max_log_file_action = keep_logs
In /etc/audit/rules.d/audit.rules, define the audit rules for the SSH server:
sudo nano /etc/audit/rules.d/audit.rules
# watch the sshd runtime directory (PID file) for writes and attribute changes
-w /var/run/sshd -p wa -k sshd
# track login session bookkeeping; auditctl has no "session" syscall, so watch utmp instead
-w /var/run/utmp -p wa -k session
# record every program executed with euid 0 (root) through the 64-bit syscall interface
-a always,exit -F arch=b64 -F euid=0 -S execve -k ssh_commands
Restart the SSH service.
sudo systemctl restart ssh.service
Restart the auditd service so the new rules are loaded.
sudo systemctl restart auditd.service
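The steps above, carried out as one script, as an added example that is not part of the original page. The helper names (set_kv, configure_sshd, configure_auditd, write_ssh_rules, apply_and_verify) and the separate rules fragment /etc/audit/rules.d/ssh.rules are assumptions made here; the page edits /etc/audit/rules.d/audit.rules by hand. The script rewrites existing keys instead of appending duplicates, so it can be run repeatedly, and it syntax-checks sshd_config and confirms the loaded rules before anything is restarted.

```shell
#!/bin/sh
# Added example (not from the original page): apply the SSH audit-logging
# settings idempotently and verify them before restarting services.
# Helper names and the file /etc/audit/rules.d/ssh.rules are assumptions.
set -eu

# set_kv FILE KEY VALUE [SEP]
# Replace every existing "KEY<SEP>VALUE" line (commented out or not) with a
# single active line, or append it when the key is absent.
# SEP is " " for sshd_config and " = " for auditd.conf.
set_kv() {
  file=$1; key=$2; value=$3; sep=${4:- }
  tmp=$(mktemp)
  awk -v key="$key" -v line="${key}${sep}${value}" '
    BEGIN { re = "^[# \t]*" key "([ \t]|[ \t]*=)"; seen = 0 }
    $0 ~ re { if (!seen) { print line; seen = 1 }; next }  # first match rewritten, later ones dropped
    { print }
    END { if (!seen) print line }                            # key absent: append it
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # cat rather than mv, so the target keeps its owner and mode
  rm -f "$tmp"
}

configure_sshd() {            # sshd_config uses "Key value"
  f=${1:-/etc/ssh/sshd_config}
  set_kv "$f" LogLevel VERBOSE
  set_kv "$f" SyslogFacility AUTHPRIV
}

configure_auditd() {          # auditd.conf uses "key = value"
  f=${1:-/etc/audit/auditd.conf}
  set_kv "$f" log_file /var/log/audit/audit.log " = "
  set_kv "$f" max_log_file 50 " = "
  set_kv "$f" max_log_file_action keep_logs " = "
}

write_ssh_rules() {           # one rules.d fragment; augenrules merges every *.rules file
  f=${1:-/etc/audit/rules.d/ssh.rules}
  cat > "$f" <<'EOF'
## SSH audit rules (assumed file name, generated by this script)
-w /var/run/sshd -p wa -k sshd
-w /var/run/utmp -p wa -k session
-a always,exit -F arch=b64 -F euid=0 -S execve -k ssh_commands
EOF
}

apply_and_verify() {          # requires root; validates before restarting anything
  configure_sshd
  configure_auditd
  write_ssh_rules
  sshd -t                     # syntax-check sshd_config; a non-zero exit aborts (set -e)
  systemctl restart ssh.service
  augenrules --load           # merge rules.d/*.rules and load the result into the kernel
  auditctl -l | grep -q ssh_commands   # confirm the execve rule is active
}

if [ "${1:-}" = apply ]; then
  apply_and_verify
fi
```

Run it as root with `sh script.sh apply`; without the argument it only defines the functions. Missing keys are appended at the end of the file, so if sshd_config ends in a Match block the appended lines would be scoped to that block; `sshd -T` prints the effective configuration and shows whether LogLevel and SyslogFacility took effect globally.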