
What's the easiest way to track exact time of a user ssh to another system env - centos/rhel

I have two systems. Bastion and DEV.

* * *

Bastion -

* Bastion has many individual users. (`apple`, `orange`... etc)
* Users can directly ssh to Bastion.

DEV -

* DEV has only one user. (`fruit`)
* Only Bastion users can ssh to DEV from Bastion.

Ultimately, I want to trace "who did what and when"

On DEV side, I can see someone logged in as `fruit` in /var/etc/secure and /var/etc/audit/audit.log, but not "by whom".

* * *

My question : How do I collect the time when `apple` connected to DEV as `fruit` and what he did?

A very simple method would be to disable password logins and use key-based logins only.

That way you have the key named in `auth.log` and may simply match it to a user (e.g. add the user name in the "comment" field of the `authorized_keys` file). With the login, you get a process ID that is also shown at the logout event.


```
$ cat /var/log/auth.log
Jun 21 14:42:11 DEV sshd[26510]: Accepted publickey for apple from 1234:5678:90ab:cdef:1234:5678:90ab:cdef port 58888 ssh2: RSA SHA256:abcdefghIJKLMNOPQ/1234567890
Jun 21 14:47:57 DEV sshd[26510]: pam_unix(sshd:session): session closed for user apple
```


```
$ cat /home/fruit/.ssh/authorized_keys
ssh-rsa abcdefghIJKLMNOPQ/1234567890 apple@bastion
```


The rest of the monitoring is then a matter of setting up `audit`.
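
The matching step described in the answer above, as an added example that is not part of the original answer: it computes the SHA256 fingerprint of every `authorized_keys` entry, then joins `Accepted publickey` and `session closed` lines on the sshd PID to report which key owner used the shared account and when. It assumes the log format shown above with the shared `fruit` account as the login target; the function names are hypothetical, and the key blobs, addresses and log lines are constructed.

```python
import base64, hashlib, re
ACCEPT = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ sshd\[(\d+)\]: Accepted publickey for "
                    r"(\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")
CLOSE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ sshd\[(\d+)\]: "
                   r"pam_unix\(sshd:session\): session closed")

def fingerprint(b64_blob):
    """OpenSSH SHA256 fingerprint: unpadded base64 of sha256(decoded key blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_owners(authorized_keys_text):
    """Map fingerprint -> comment field; options may precede the key type."""
    owners = {}
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                owners[fingerprint(fields[i + 1])] = " ".join(fields[i + 2:]) or "(no comment)"
                break
    return owners

def sessions(log_text, owners):
    """Return (owner, account, source, login_time, logout_time) per accepted login."""
    by_pid, out = {}, []
    for line in log_text.splitlines():
        m = ACCEPT.match(line)
        if m:
            when, pid, account, src, fp = m.groups()
            by_pid[pid] = [owners.get(fp, "UNKNOWN KEY " + fp), account, src, when, None]
            out.append(by_pid[pid])
        elif (m := CLOSE.match(line)) and m.group(2) in by_pid:
            by_pid.pop(m.group(2))[4] = m.group(1)  # same sshd PID closes the session
    return [tuple(s) for s in out]

# Constructed sample data: placeholder key blobs and log lines, not real keys.
BLOB_APPLE = base64.b64encode(b"constructed key blob: apple").decode()
BLOB_ORANGE = base64.b64encode(b"constructed key blob: orange").decode()
AUTHORIZED_KEYS = f"ssh-rsa {BLOB_APPLE} apple@bastion\nssh-rsa {BLOB_ORANGE} orange@bastion\n"
LOG = "\n".join([
    f"Jun 21 14:42:11 DEV sshd[26510]: Accepted publickey for fruit from 192.0.2.10 port 58888 ssh2: RSA {fingerprint(BLOB_APPLE)}",
    f"Jun 21 14:45:02 DEV sshd[26544]: Accepted publickey for fruit from 192.0.2.10 port 58902 ssh2: RSA {fingerprint(BLOB_ORANGE)}",
    "Jun 21 14:47:57 DEV sshd[26510]: pam_unix(sshd:session): session closed for user fruit",
])
if __name__ == "__main__":
    print(*sessions(LOG, load_owners(AUTHORIZED_KEYS)), sep="\n")
```

A login whose fingerprint is not in the map is reported as `UNKNOWN KEY`, and a session with no close line yet keeps `None` as its logout time.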
