Enable SSH audit logging

Learn how to set up SSH audit logging on a Linux Ubuntu server

An SSH audit log records who accessed a server, what they accessed, and when the access occurred. It is a security-relevant, chronological record of the activities that affected a given operation, procedure, event, or device, detailed enough that the sequence of events can be reconstructed afterwards.

Enabling SSH audit logging offers the following benefits:

  • Satisfies regulatory requirements for recording data and system access

  • Helps detect and respond to unauthorized or suspicious activity

  • Makes it possible to reconstruct events and correct the problems that contributed to an operational disruption

  • Provides insights that can be used to improve system performance

  • Supports regular system auditing

  • Enables monitoring of staff usage and drives accountability


Set up SSH audit logging

Since use cases vary widely, be sure to test and customize the configuration settings and audit rules for your specific use case.

Follow these steps to set up SSH audit logging on a Linux Ubuntu server:

  1. At the terminal prompt, configure the SSH server to log verbosely. LogLevel VERBOSE adds the fingerprint of the key used for every public-key login, so a login can be tied to a specific authorized key, and SyslogFacility AUTHPRIV sends the messages to the authpriv facility, which Ubuntu's rsyslog writes to /var/log/auth.log.

    sudo nano /etc/ssh/sshd_config
    LogLevel VERBOSE
    SyslogFacility AUTHPRIV
  2. Install the auditd package.

    sudo apt update && sudo apt install auditd


  3. In /etc/audit/auditd.conf, define where the audit daemon writes and how it rotates. log_file is the path of the log, max_log_file is the size in MB at which the current file is rotated, and keep_logs rotates without ever deleting old files, so the trail is never silently truncated (watch disk usage; space_left_action controls what happens when the partition fills).

    sudo nano /etc/audit/auditd.conf
    log_file = /var/log/audit/audit.log
    max_log_file = 50
    max_log_file_action = keep_logs
  4. In /etc/audit/rules.d/audit.rules, define the audit rules for the SSH server. Files in rules.d are merged by augenrules when auditd starts. Session start and end are already recorded by auditd through PAM (USER_LOGIN, USER_START and USER_END records carry the user, source address and session id), so no rule is needed for that and there is no `session` syscall to filter on. The rules below watch the sshd configuration and privilege-separation directory for writes and attribute changes (-p wa), record writes to the utmp and wtmp login records, and log every command executed as root (-S execve with -F euid=0). The b32 rule is required on a 64-bit kernel so that 32-bit binaries cannot bypass the b64 rule. Note that the execve rules capture root commands from any source, not only SSH sessions; to cover all interactive users instead, replace -F euid=0 with -F auid>=1000 -F auid!=unset.

    sudo nano /etc/audit/rules.d/audit.rules
    -w /etc/ssh/sshd_config -p wa -k sshd
    -w /var/run/sshd -p wa -k sshd
    -w /var/run/utmp -p wa -k session
    -w /var/log/wtmp -p wa -k session
    -a always,exit -F arch=b64 -F euid=0 -S execve -k ssh_commands
    -a always,exit -F arch=b32 -F euid=0 -S execve -k ssh_commands
  5. Check the configuration with `sudo sshd -t` (it prints nothing and exits 0 when the file parses), then restart the SSH service. A restart does not terminate established sessions, so keep your current session open until a new login succeeds.

    sudo systemctl restart ssh.service
  6. Restart the audit daemon so augenrules merges the rules.d fragments and loads them (`sudo augenrules --load` does the same without a restart). Confirm with `sudo auditctl -l` that the rules are active, and query the result with `sudo ausearch -k ssh_commands -i`.

    sudo systemctl restart auditd.service
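The following script is an added example, not part of the original page or of Ubuntu's own tooling: it applies the six steps above non-interactively and, unlike a hand edit, verifies the outcome. The function names (set_directive, write_audit_rules, apply) and the drop-in name /etc/audit/rules.d/sshd.rules are this example's own choices; the paths are the Ubuntu ones used above.

```bash
#!/usr/bin/env bash
# Added example (not from the page): enable SSH audit logging idempotently
# and verify it. Assumptions of this example: Ubuntu paths, a root shell for
# --apply, and the drop-in /etc/audit/rules.d/sshd.rules.
set -eu

# set_directive FILE KEY VALUE
# Ensure FILE has exactly one global "KEY VALUE" line. Every non-indented
# occurrence, active or commented out, is removed and the new directive goes
# first: sshd keeps the first value it reads, and a directive appended below a
# Match block would apply only to that block. Indented lines (inside Match
# blocks) are left alone. Running it twice is a no-op.
set_directive() {
  local file="$1" key="$2" value="$3" tmp
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  tmp="$(mktemp)"
  {
    printf '%s %s\n' "$key" "$value"
    grep -Eiv "^#?[[:space:]]*${key}([[:space:]]|$)" "$file" || true
  } > "$tmp"
  # Copy contents back instead of mv so the file keeps its owner and mode.
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# write_audit_rules FILE
# Write the step-4 rules as a rules.d fragment. Session open/close is already
# recorded through PAM (USER_LOGIN, USER_START, USER_END) without any rule.
write_audit_rules() {
  cat > "$1" <<'EOF'
-w /etc/ssh/sshd_config -p wa -k sshd
-w /var/run/sshd -p wa -k sshd
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-a always,exit -F arch=b64 -F euid=0 -S execve -k ssh_commands
-a always,exit -F arch=b32 -F euid=0 -S execve -k ssh_commands
EOF
}

# apply: run as root. Gates the sshd restart on a syntax check, then checks the
# effective sshd values and the loaded audit rules instead of trusting the edit.
apply() {
  [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
  set_directive /etc/ssh/sshd_config LogLevel VERBOSE
  set_directive /etc/ssh/sshd_config SyslogFacility AUTHPRIV
  # A broken sshd_config plus a restart locks you out; -t fails first.
  sshd -t
  systemctl restart ssh.service
  # sshd -T prints the effective configuration; a drop-in under
  # /etc/ssh/sshd_config.d/ is read before the main file and can override it.
  sshd -T | grep -qi '^loglevel verbose$' \
    || { echo "LogLevel VERBOSE not effective; check /etc/ssh/sshd_config.d/" >&2; return 1; }
  write_audit_rules /etc/audit/rules.d/sshd.rules
  # augenrules merges rules.d/*.rules and loads them without restarting auditd.
  augenrules --load
  auditctl -l | grep -q 'ssh_commands' \
    || { echo "audit rules not loaded; check auditctl -s (immutable mode?)" >&2; return 1; }
  echo "SSH audit logging enabled; query with: ausearch -k ssh_commands -i"
}

if [ "${1:-}" = "--apply" ]; then
  apply
fi
```

Run it as `sudo ./enable-ssh-audit.sh --apply`. If `sshd -T` does not report `loglevel VERBOSE` after the edit, a file under /etc/ssh/sshd_config.d/ is setting LogLevel first and must be changed there; if `auditctl -l` shows no rules after `augenrules --load`, auditd is probably in immutable mode (`-e 2`), in which case the rules take effect only after a reboot.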
