Learn how to set up SSH audit logging on a Linux Ubuntu server
An SSH audit log records details about who accessed a server, what was accessed, and when the access occurred. This security-relevant, chronological record documents the sequence of activities impacting a specific operation, procedure, event, or device.
Enabling SSH audit logging offers you the following benefits:
Satisfy regulatory requirements for data and system access
Help detect and respond to unauthorized or suspicious activities
Facilitate reconstructing events to understand and correct problems that contributed to operational disruptions
Provide insights to improve system performance
Assist with regular system auditing
Enable monitoring of staff usage and drive accountability
Since use cases vary widely, be sure to test and customize the configuration settings and audit rules for your specific use case.
Follow these steps to set up SSH audit logging on a Linux Ubuntu server:
At the terminal prompt, configure the SSH server daemon (sshd) to enable logging.
In /etc/audit/auditd.conf, define the configuration information for the audit daemon.
In /etc/audit/rules.d/audit.rules, define the audit rules for the SSH server.
Restart the SSH service.
Restart the auditd service.
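The five steps above carried out as one script. This is an added example, not code from the original page. It assumes an Ubuntu release whose sshd_config contains the default "Include /etc/ssh/sshd_config.d/*.conf" line (20.04 and later), so the sshd logging settings go into a drop-in file rather than being edited into sshd_config itself; the audit rules likewise go into a drop-in under /etc/audit/rules.d/, which augenrules merges into audit.rules when auditd starts. The ROOT argument, the file names 10-audit-logging.conf and 50-ssh.rules, and the auditd.conf values (8 MB files, 5 rotated logs, syslog on low space) are constructed choices for illustration; adjust them to your own retention and compliance needs.

```shell
#!/usr/bin/env bash
# Added example: SSH audit logging setup for Ubuntu (not the page's own code).
# Every path is taken relative to ROOT so the functions can be exercised against
# a scratch directory; on a real server ROOT is "/" and the script runs as root.

# Set "key value" in a config file, replacing an existing line or appending the
# key when absent. SEP is " = " for auditd.conf and " " for sshd settings.
set_conf_key() {
    file="$1"; key="$2"; value="$3"; sep="${4:- = }"
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if grep -Eq "^[[:space:]]*$key[[:space:]=]" "$file"; then
        # GNU sed in-place edit; commented-out lines (#key) are left untouched
        sed -i -E "s|^[[:space:]]*$key[[:space:]=].*|$key$sep$value|" "$file"
    else
        printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
    fi
}

# Step 1: verbose sshd logging. VERBOSE records the fingerprint of the key used
# at login, which is what lets you attribute a session to a specific key holder.
# Assumes the Ubuntu default "Include /etc/ssh/sshd_config.d/*.conf".
configure_sshd_logging() {
    root="$1"
    f="$root/etc/ssh/sshd_config.d/10-audit-logging.conf"   # constructed file name
    set_conf_key "$f" SyslogFacility AUTH " "
    set_conf_key "$f" LogLevel VERBOSE " "
}

# Step 2: audit daemon settings in auditd.conf (constructed sample values).
configure_auditd() {
    root="$1"
    f="$root/etc/audit/auditd.conf"
    set_conf_key "$f" log_file /var/log/audit/audit.log
    set_conf_key "$f" log_format ENRICHED          # resolves uids/names in records
    set_conf_key "$f" max_log_file 8               # MB per log file
    set_conf_key "$f" max_log_file_action ROTATE
    set_conf_key "$f" num_logs 5
    set_conf_key "$f" space_left_action SYSLOG     # warn, don't silently drop audit
    set_conf_key "$f" flush INCREMENTAL_ASYNC
    set_conf_key "$f" freq 50
}

# Step 3: audit rules for the SSH server, as a drop-in merged by augenrules.
# The -k keys are what you search with later: ausearch -k sshd_config
write_ssh_audit_rules() {
    root="$1"
    f="$root/etc/audit/rules.d/50-ssh.rules"                # constructed file name
    mkdir -p "$(dirname "$f")"
    cat > "$f" <<'EOF'
## SSH audit rules (added example)
# any write or attribute change to the sshd configuration tree
-w /etc/ssh/ -p wa -k sshd_config
# execution of the sshd binary itself
-w /usr/sbin/sshd -p x -k sshd_exec
# commands run by logged-in users (auid >= 1000); auid 4294967295 means "unset",
# which excludes daemons that never went through a login
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds
EOF
}

# Steps 4 and 5: validate the sshd config, then restart both services (real host only).
restart_services() {
    sshd -t                      # refuse to restart sshd on a broken config
    systemctl restart ssh        # Ubuntu names the OpenSSH server unit "ssh"
    systemctl restart auditd     # picks up auditd.conf and reloads rules.d/
    auditctl -l                  # print the rules now loaded in the kernel
}

# Usage on the server: sudo ./ssh-audit-logging.sh apply
# With no argument the script only defines the functions and changes nothing.
if [ "${1:-}" = "apply" ]; then
    configure_sshd_logging /
    configure_auditd /
    write_ssh_audit_rules /
    restart_services
fi
```

set_conf_key is written to be idempotent: running the script twice replaces the same lines instead of appending duplicates, so it is safe to re-apply after editing the values. Once auditd is running, `ausearch -k user_cmds` or `aureport -x` shows the recorded activity per key, and `journalctl -u ssh` shows the VERBOSE sshd entries alongside it.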