Monitoring user activity on your critical endpoints is a vital part of an effective cybersecurity strategy. Monitoring both remote and local user sessions helps you ensure user accountability, manage cybersecurity risks, enable prompt incident response, and comply with relevant cybersecurity laws and regulations.
This is a step-by-step guide on how to record SSH sessions in Linux and monitor the activity of local and remote users on any endpoint that has the Syteca software agent installed. This article is also useful for organizations that want to explore Syteca’s capabilities. Learn how to:
- Monitor, block, and record SSH sessions in Linux, including full SSH session recording with indexed metadata
- Receive alerts about suspicious user activity on Linux endpoints
- Export recorded Linux sessions for investigation purposes
- Generate reports on remote SSH connections to your endpoints
Why monitor SSH sessions?
SSH is a secure way to remotely access critical endpoints and servers. However, unauthorized users can still gain access through vulnerabilities or stolen credentials. By monitoring SSH sessions, you can detect suspicious user activity, such as attempts to access unauthorized files or run malicious commands.
Enhance visibility
By monitoring SSH sessions, you can gain a clear view of remote users’ activity. User activity monitoring software for Linux lets you see who accesses critical systems and what they do, enabling you to detect anomalies and suspicious user behavior in real time. User session recordings also provide you with compelling evidence for incident investigation.
Manage cybersecurity risks
Better visibility can help you detect malicious user activity, such as unauthorized access attempts, data exfiltration, and system sabotage. Software for monitoring Linux SSH sessions allows you to detect cybersecurity threats and take measures to block them before they cause damage.
Meet IT compliance requirements
Many cybersecurity standards, laws, and regulations require organizations to audit access to sensitive systems. Recording SSH sessions and monitoring user activity in Linux provides an audit trail that can show when a critical workstation was accessed, who accessed it, and what activities they performed. When you audit SSH sessions on Linux endpoints, the detailed audit logs can help you prove your organization’s compliance with industry regulations and internal security policies.
Promptly respond to insider threats
By monitoring user activity, your security team can quickly investigate incidents by analyzing logs. This gives them a better understanding of the scope and root cause of a breach, enabling targeted decisions and rapid response. Additionally, certain Linux user activity tracking software solutions can automatically detect and respond to threats before they become a problem.
For a detailed explanation of risks posed by remote users, refer to our articles on managing insider risks in hybrid and remote work environments.
Using Syteca to monitor remote SSH sessions and local Linux sessions
Syteca is a modern privileged access management (PAM) platform with built-in identity threat detection and response (ITDR) capabilities that can help you protect access and then provide visibility into how it is used. Syteca brings privileged access management to Linux environments alongside Windows, macOS, and UNIX.
Syteca enables you to monitor and record remote SSH sessions and user activity on local Linux endpoints, providing you with indexed recordings and the following searchable metadata:
- Session details, such as hostname, user name, IP address, and session duration
- User actions, such as keystroke input, including parameters specified and commands executed
- Commands carried out in executed scripts
- System function calls
- System responses from the terminal, such as command outputs
In addition to user activity tracking, Syteca provides the following capabilities to ensure a holistic approach to managing cybersecurity risks:
- Privileged access management (PAM)
- Identity threat detection and response (ITDR)
Syteca is flexible, providing a variety of deployment options and supporting the following platforms:
Platforms supported by Syteca
- Infrastructure servers
- Terminal servers
- Jump servers
- Physical and virtual desktops
- Windows
- Linux
- macOS
- UNIX
- X Window System
- Citrix
- Wayland (Syteca exclusive)
- X11
- VMware Horizon
- Microsoft Hyper-V
- Citrix
- Amazon WorkSpaces
- AWS (Amazon Web Services)
- Windows Virtual Desktops
Let’s see how to record local Linux sessions and monitor remote SSH sessions with Syteca.
Note: The following instructions apply only to IT environments where Syteca is already deployed.
Monitoring, viewing, and blocking SSH sessions
By default, Syteca monitors user activity on all endpoints that have had the Syteca software agent installed. Whether a user initiates a Linux session remotely via SSH/telnet or logs in locally, Syteca records all user actions performed on the monitored workstation. This makes it straightforward to record SSH sessions on Linux endpoints without native Linux tools or complex configuration.
All sessions in Syteca are displayed on the Activity Monitoring page, in the Endpoint Sessions tab. Let’s suppose that a user starts an SSH session. Here’s how to check user activity logs in Linux:
First, filter the sessions by the operating system. Click the More Criteria button and select Operating System in the drop-down list.
Then click the Operating System button on the left and select your Linux OS.
You can then search for a session by specific commands. For example, let’s find Linux sessions in which some files were deleted.
Just type in the corresponding command in the search box on the right and press Enter. You can also search within sessions by other user actions, such as typed keystrokes.
Once you’ve found the session you need, double-click it to open it.
In the Session Player, you can view the screen recording and metadata from the beginning of the session.
You can configure the video player to display only executed commands and search for a command in a specific session or the entire database. To do this, choose your settings in the dropdown menu by clicking the Search button.
If a session is still in progress, you can view what the user is doing in real time by clicking the Live button. The Block User button in the upper right allows you to block the user manually if they pose a threat.
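The search described above works because each recording is indexed by the commands the user typed, separated from the command output. The following is an added example, not Syteca's code, that shows that indexing and search in miniature: it takes a few constructed session records (hostname, user name, IP address, start and end time, and the raw terminal transcript), extracts the typed commands by recognizing the shell prompt, and then finds the sessions in which files were deleted. The prompt format, the session records and the deletion pattern are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample sessions (not data from any real system). The metadata
# fields mirror what the article says is indexed: hostname, user name, IP
# address and duration, plus the raw terminal transcript of each session.
SESSIONS = [
    {
        "hostname": "db-01", "user": "alice", "ip": "10.0.0.5",
        "start": "2024-05-01T09:00:00", "end": "2024-05-01T09:12:30",
        "transcript": (
            "alice@db-01:~$ ls /var/backups\n"
            "old.tar  new.tar\n"
            "alice@db-01:~$ rm -f /var/backups/old.tar\n"
            "alice@db-01:~$ exit\n"
        ),
    },
    {
        "hostname": "web-02", "user": "bob", "ip": "10.0.0.9",
        "start": "2024-05-01T10:00:00", "end": "2024-05-01T10:05:00",
        "transcript": (
            "bob@web-02:~$ cat /etc/hostname\n"
            "web-02\n"
            "bob@web-02:~$ grep -r firmware /opt/app\n"
            "bob@web-02:~$ exit\n"
        ),
    },
    {
        "hostname": "db-01", "user": "carol", "ip": "10.0.0.7",
        "start": "2024-05-02T08:30:00", "end": "2024-05-02T08:31:00",
        "transcript": (
            "carol@db-01:/srv$ find . -name '*.log' -delete\n"
            "carol@db-01:/srv$ exit\n"
        ),
    },
]

# A typed command is a transcript line that starts with a shell prompt of the
# form user@host:cwd$ (or # for a root shell); every other line is output.
PROMPT_RE = re.compile(
    r"^(?P<user>[\w.-]+)@(?P<host>[\w.-]+):(?P<cwd>\S*)[$#]\s+(?P<cmd>.+)$"
)

# Commands that delete files: rm as a whole word, or find's -delete action.
# A plain substring match on "rm" would also hit words such as "firmware".
FILE_DELETION = r"\brm\b|\s-delete\b"


def extract_commands(transcript):
    """Return the commands typed at a prompt, skipping command output lines."""
    commands = []
    for line in transcript.splitlines():
        match = PROMPT_RE.match(line)
        if match:
            commands.append(match.group("cmd").strip())
    return commands


def build_index(sessions):
    """Attach the executed commands and the duration in seconds to each session."""
    index = []
    for session in sessions:
        start = datetime.fromisoformat(session["start"])
        end = datetime.fromisoformat(session["end"])
        index.append({
            "hostname": session["hostname"],
            "user": session["user"],
            "ip": session["ip"],
            "duration_s": int((end - start).total_seconds()),
            "commands": extract_commands(session["transcript"]),
        })
    return index


def search_sessions(index, pattern):
    """Return the indexed sessions in which at least one command matches the regex."""
    regex = re.compile(pattern)
    hits = []
    for entry in index:
        matched = [cmd for cmd in entry["commands"] if regex.search(cmd)]
        if matched:
            hits.append({**{k: entry[k] for k in ("hostname", "user", "ip", "duration_s")},
                         "matched": matched})
    return hits


if __name__ == "__main__":
    for hit in search_sessions(build_index(SESSIONS), FILE_DELETION):
        print(f"{hit['hostname']} {hit['user']}@{hit['ip']} ({hit['duration_s']}s): {hit['matched']}")
```

Searching the commands rather than the whole transcript is what keeps the result list short: a filename or a line of output that happens to contain the search term does not count as the user having run it.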
Configuring alerts on suspicious user activity
For critical endpoints, you can configure the alerting system to get instant notifications whenever suspicious user activity occurs. To set this up, open the Alerts page.
As an example, we’ll set up an alert for detecting a user attempting to obtain root privileges on Linux. This is one of the pre-defined alerts available in Syteca.
You can search for an alert by inputting its name in the search box. Once you find an alert, click on the Edit icon to configure it.
The alert rules are already predefined, so you only need to assign the endpoint and specify the additional actions that will be performed if the alert is triggered.
In the Assigned Endpoints section, click Add and then select the endpoints for which you want to enable the alert.
In the Actions section, specify who will be notified via email if the alert is triggered.
You can also decide which response action Syteca will automatically take when an alert is triggered. Possible response actions include:
- Display a warning message to a user
- Block the user
- Kill a process
Once you’ve configured the alert, click Finish.
The person you’ve designated will now receive an email if a user on the specified endpoint attempts to obtain root privileges.
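To make the alert rule above concrete, here is an added example (not Syteca's code) of the detection logic behind a "user attempts to obtain root privileges" alert, run over a few constructed auth-log lines in the shape that sudo and su write to syslog. It records both successful and failed attempts to become root, keeps only the endpoints assigned to the rule, and returns the notification and response action the rule would trigger. The log lines, the rule dictionary and the sudoers failure strings it looks for are assumptions made for the example.

```python
import re

# Constructed auth-log lines in the shape sudo and su write to syslog on
# Debian-style systems; none of them were captured from a real host.
AUTH_LOG = """\
May  1 09:05:12 db-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
May  1 09:06:01 db-01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su
May  1 09:07:00 web-02 su: (to root) carol on pts/2
May  1 09:07:30 web-02 su: FAILED SU (to root) dave on pts/3
May  1 09:08:00 db-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql
May  1 09:09:00 db-01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 5522 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
SUDO_RE = re.compile(
    TS + r" (?P<host>\S+) sudo:\s+(?P<user>\S+) :(?P<detail>.*?)USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
SU_RE = re.compile(
    TS + r" (?P<host>\S+) su(?:\[\d+\])?: (?P<failed>FAILED SU )?\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$"
)

# Hypothetical alert rule mirroring the fields configured in the article:
# assigned endpoints, e-mail recipients and the automatic response action.
RULE = {
    "name": "Attempt to obtain root privileges",
    "endpoints": {"db-01"},
    "notify": ["soc@example.com"],
    "response": "block_user",   # or "warn_user" / "kill_process"
}


def parse_events(log_text):
    """Turn sudo/su log lines into privilege-switch events; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            detail = m.group("detail")
            # sudo logs a denial or a bad password in the free-text part before USER=
            failed = "NOT in sudoers" in detail or "incorrect password" in detail
            events.append({"ts": m.group("ts"), "host": m.group("host"), "user": m.group("user"),
                           "method": "sudo", "target": m.group("target"),
                           "command": m.group("cmd"),
                           "outcome": "failure" if failed else "success"})
            continue
        m = SU_RE.match(line)
        if m:
            events.append({"ts": m.group("ts"), "host": m.group("host"), "user": m.group("user"),
                           "method": "su", "target": m.group("target"), "command": None,
                           "outcome": "failure" if m.group("failed") else "success"})
    return events


def root_escalation_alerts(events, rule):
    """Apply the rule: alert on every attempt (successful or not) to become root
    on an assigned endpoint, returning the notifications that would be sent."""
    alerts = []
    for ev in events:
        if ev["target"] != "root" or ev["host"] not in rule["endpoints"]:
            continue
        alerts.append({
            "rule": rule["name"], "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
            "method": ev["method"], "outcome": ev["outcome"],
            "notify": list(rule["notify"]), "response": rule["response"],
        })
    return alerts


if __name__ == "__main__":
    for alert in root_escalation_alerts(parse_events(AUTH_LOG), RULE):
        print(f"{alert['ts']} {alert['host']}: {alert['user']} via {alert['method']} "
              f"({alert['outcome']}) -> notify {alert['notify']}, {alert['response']}")
```

Failed attempts are deliberately kept in the alert set: a user who is denied by sudoers and then tries su is exactly the pattern an analyst wants to see early, and the alert event gives the playback a starting point in the recorded session.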
With Syteca, you can create your own custom alerts or enable predefined ones. You can choose to receive alerts when users try to upload files to the cloud, install an application, type a specific word, and more.
To view the list of all triggered alert events, open the Alerts tab on the Activity Monitoring page. You can open a suspicious session by clicking the Play button — session playback starts at a selected alert event.
Exporting a recorded session for forensic investigation
With Syteca, you can export an entire user session or just a part of it for use as evidence during forensic investigations. Exported SSH session recordings can be viewed on any computer, even without access to Syteca’s interface. The exported file is encrypted and protected from modification.
To export a session, open it and click the More icon in the Session Player. Then select Forensic Export from the drop-down list.
In the pop-up window that appears, define your preferred settings and click Export.
Once the export finishes, you can download the resulting file on the Forensic Export History tab on the Activity Monitoring page.
Note: You will need to download the Syteca Forensic Player to view the exported session.
Discovering unmanaged accounts on Linux endpoints
You can further enhance visibility and minimize security gaps by discovering and onboarding unmanaged or abandoned accounts in your Linux environment.
To discover Linux accounts, first configure SSH connections for Linux scanning.
Once configured, open the Account Discovery page and select the Rules tab to display a list of all existing rules in the grid. Click the Add button in the top right to add a new rule.
In the Add Discovery Rule window that pops up, enter the name of the account discovery rule, and select Linux Discovery in the Type option.
Then, specify the IP addresses to be scanned by entering one of the following:
- The range of IP addresses separated by a hyphen (e.g., “10.100.10.10-10.100.10.40”)
- A list of IP addresses separated by semicolons (e.g., “10.100.10.10; 10.100.10.20; 10.100.10.30”).
For the Account Type option, select whether you want to scan all accounts (i.e., privileged, service, and application accounts) or only privileged accounts (i.e., manually created non-daemon accounts and the “root” account).
Select the Public SSH keys checkbox to also allow scanning for accounts with public SSH keys on your Linux computers.
Next to the Select account to use for scans option, select the Password Management account secret(s) under which the network scans will run. You can only select secrets on which you have the Owner or Editor role permissions.
If you want to run network scans automatically according to a schedule, enable the Scheduled Discovery toggle and select your preferred time frames.
In the Actions section, optionally select the users or user groups to be notified by email about newly discovered accounts. Note that the corresponding users must have an email address specified in their user account (i.e., when editing or adding a user on the Users page).
Then click the Save button to add the new account discovery rule.
The newly created rule will be displayed in the grid on the Rules tab. To run your account discovery rule manually at any time (regardless of whether scheduled discovery is enabled), click the Start icon next to it on the right.
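The discovery rule configured in the steps above has three inputs worth understanding: the target specification (an IP range with a hyphen or a semicolon-separated list), the account type filter (all accounts versus privileged ones, i.e. root and manually created non-daemon accounts), and the optional check for public SSH keys. The following added example, which is not Syteca's code, implements those three pieces offline: it expands the target field, classifies the entries of a constructed /etc/passwd, and counts the keys in a simulated set of authorized_keys files. The classification heuristic (UID 0, or UID at or above 1000 with an interactive shell, counts as privileged) is an assumption, as are the rule dictionary and all sample data.

```python
import ipaddress

# Constructed /etc/passwd content for one scanned host (not from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postgres:x:113:120:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
deploy:x:1001:1001:CI deploy:/home/deploy:/bin/sh
svc-backup:x:1002:1002:backup job:/srv/backup:/usr/sbin/nologin
"""

# Constructed stand-in for the scanned host's filesystem: path -> contents of
# the authorized_keys files that exist. Key material is a placeholder.
AUTHORIZED_KEYS_FS = {
    "/root/.ssh/authorized_keys": "ssh-ed25519 AAAA<placeholder> admin@mgmt\n",
    "/home/alice/.ssh/authorized_keys": "# laptop key\nssh-ed25519 AAAA<placeholder> alice@laptop\n",
    "/home/deploy/.ssh/authorized_keys": (
        "ssh-rsa AAAA<placeholder> ci@runner-1\nssh-rsa AAAA<placeholder> ci@runner-2\n"
    ),
}

# Hypothetical rule with the same fields the article's Add Discovery Rule
# window asks for; HOST_DATA simulates what a scan of each target would read.
RULE = {"name": "linux-prod", "targets": "10.100.10.10-10.100.10.12",
        "account_type": "privileged", "ssh_keys": True}
HOST_DATA = {"10.100.10.10": (PASSWD, AUTHORIZED_KEYS_FS)}

NOLOGIN_SHELLS = {"nologin", "false"}
UID_MIN = 1000  # assumption: first regular-user UID, as on most distributions


def expand_targets(spec):
    """Expand the rule's target field: 'a-b' range, 'a; b; c' list or one address."""
    spec = spec.strip()
    if ";" in spec:
        return [str(ipaddress.ip_address(p.strip())) for p in spec.split(";") if p.strip()]
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if high < low:
            raise ValueError(f"range end {high} precedes start {low}")
        return [str(ipaddress.ip_address(n)) for n in range(int(low), int(high) + 1)]
    return [str(ipaddress.ip_address(spec))]


def classify_accounts(passwd_text, keys_fs, account_type="all", include_ssh_keys=False):
    """Classify passwd entries as privileged (root, or an interactive account at or
    above UID_MIN: our reading of 'manually created non-daemon') or as service."""
    accounts = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, uid, _, _, home, shell = line.split(":", 6)
        uid = int(uid)
        interactive = shell.rsplit("/", 1)[-1] not in NOLOGIN_SHELLS
        kind = "privileged" if uid == 0 or (uid >= UID_MIN and interactive) else "service"
        if account_type == "privileged" and kind != "privileged":
            continue
        entry = {"name": name, "uid": uid, "type": kind}
        if include_ssh_keys:
            # Count key lines, ignoring blanks and comments, in the account's authorized_keys.
            content = keys_fs.get(f"{home}/.ssh/authorized_keys", "")
            entry["ssh_keys"] = sum(1 for k in content.splitlines()
                                    if k.strip() and not k.lstrip().startswith("#"))
        accounts.append(entry)
    return accounts


def run_rule(rule, host_data):
    """Run the rule over every target; hosts without data count as unreachable (None)."""
    findings = {}
    for ip in expand_targets(rule["targets"]):
        if ip not in host_data:
            findings[ip] = None
            continue
        passwd_text, keys_fs = host_data[ip]
        findings[ip] = classify_accounts(passwd_text, keys_fs,
                                         rule["account_type"], rule["ssh_keys"])
    return findings


if __name__ == "__main__":
    for ip, accounts in run_rule(RULE, HOST_DATA).items():
        print(ip, "unreachable" if accounts is None else accounts)
```

The SSH key count is the part that most often surfaces abandoned access: a service or deploy account with several authorized keys and no owner is exactly the kind of unmanaged account the discovery rule is meant to bring under management.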
Generating reports on remote SSH connections to your endpoints
Syteca can summarize remote connections to your Linux endpoints in a report that you generate on demand or receive by email on a schedule.
To generate a report, open the Reports page and select the Session Grid report in the Report Type drop-down list. In the Date Filters section, select the period you want the data to be displayed for.
Descriptions and samples of the reports are located in the right part of the interface.
In the Endpoints section, click Add and select the Linux endpoints you want to generate a report for. You can find them by typing the endpoint names in the search box.
Define the report options and click the Generate Report button. Your report will be available to download on the Generated Reports tab of the Reports page.
You can also receive regularly scheduled reports by opening the Scheduled Report tab and clicking Add.
On the Add Rule page that opens, select Enable scheduled report generation, enter a name for the rule, and click Next.
Then set the report parameters and enter the email address to which the report will be sent. Click Finish.
Syteca will automatically create the report and send it to your email address per the defined frequency.
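The Session Grid report described in this section is, in substance, one row per remote session for the selected endpoints and date range, with a roll-up per endpoint. The following added example, which is not Syteca's code, builds that grid from constructed sshd log lines: it pairs each "Accepted ... for user" login with the matching "Disconnected from user" line by host and process id, keeps sessions that started within the date filter on the selected endpoints, and summarizes them per endpoint. The log lines, the ISO timestamp format and the report fields are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed sshd log lines with ISO timestamps; not captured from a real
# host. The last login has no disconnect line yet, so that session is open.
SSHD_LOG = """\
2024-05-01T09:00:00 db-01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 5522 ssh2
2024-05-01T09:12:30 db-01 sshd[2231]: Disconnected from user alice 10.0.0.5 port 5522
2024-05-01T10:00:00 web-02 sshd[4410]: Accepted password for bob from 10.0.0.9 port 6001 ssh2
2024-05-01T10:05:00 web-02 sshd[4410]: Disconnected from user bob 10.0.0.9 port 6001
2024-05-02T08:30:00 db-01 sshd[2890]: Accepted publickey for carol from 10.0.0.7 port 5600 ssh2
2024-05-02T08:31:00 db-01 sshd[2890]: Disconnected from user carol 10.0.0.7 port 5600
2024-05-03T07:00:00 db-01 sshd[3100]: Accepted publickey for alice from 10.0.0.5 port 5700 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
OPEN_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
CLOSE_RE = re.compile(r"^Disconnected from user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)")


def build_session_grid(log_text, date_from, date_to, endpoints=None):
    """Pair sshd login/disconnect lines per (host, pid) into sessions and keep
    those that started within [date_from, date_to] on the selected endpoints."""
    open_sessions = {}
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m.group("host"), m.group("pid"))
        ts = datetime.fromisoformat(m.group("ts"))
        o = OPEN_RE.match(m.group("msg"))
        if o:
            open_sessions[key] = {"hostname": m.group("host"), "user": o.group("user"),
                                  "ip": o.group("ip"), "auth": o.group("method"),
                                  "start": ts, "end": None, "duration_s": None}
            continue
        c = CLOSE_RE.match(m.group("msg"))
        if c and key in open_sessions:
            s = open_sessions.pop(key)
            s["end"] = ts
            s["duration_s"] = int((ts - s["start"]).total_seconds())
            sessions.append(s)
    sessions.extend(open_sessions.values())  # sessions still connected at report time
    lo, hi = date.fromisoformat(date_from), date.fromisoformat(date_to)
    grid = [s for s in sessions
            if lo <= s["start"].date() <= hi
            and (endpoints is None or s["hostname"] in endpoints)]
    return sorted(grid, key=lambda s: s["start"])


def summarize_by_endpoint(grid):
    """Per-endpoint roll-up: session count, distinct users, open sessions, recorded time."""
    summary = defaultdict(lambda: {"sessions": 0, "users": set(), "open": 0, "total_s": 0})
    for s in grid:
        row = summary[s["hostname"]]
        row["sessions"] += 1
        row["users"].add(s["user"])
        if s["end"] is None:
            row["open"] += 1
        else:
            row["total_s"] += s["duration_s"]
    return {host: {**row, "users": sorted(row["users"])} for host, row in summary.items()}


if __name__ == "__main__":
    grid = build_session_grid(SSHD_LOG, "2024-05-01", "2024-05-03")
    for s in grid:
        print(f"{s['hostname']:7} {s['user']:6} {s['ip']:10} {s['auth']:10} "
              f"{s['start'].isoformat()} {s['duration_s'] if s['end'] else 'open'}")
    print(summarize_by_endpoint(grid))
```

Pairing on host and process id rather than on user name matters when the same user holds several concurrent connections; the open-session count also tells you, at report time, which endpoints still have someone logged in.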
Ensuring visibility into Linux environments
Monitoring user activity and recording SSH sessions in Linux can help your organization improve visibility throughout your IT infrastructure, promptly detect and respond to security threats, and meet specific IT compliance requirements. By recording user sessions, you can hold users accountable for their actions and provide forensic investigators with context-rich evidence of security incidents if they occur.
By leveraging Syteca’s user activity monitoring, privileged access management, and incident response capabilities, you can significantly boost your CISO’s identity risk management efforts and enhance overall organizational cybersecurity.