[j-nsp] Logging for shell sessions

Saku Ytti saku at ytti.fi
Sat Jul 6 09:01:57 EDT 2024


I don't believe there is any supported way to do this; an unsupported
way, probably, but also probably an educated operator could circumvent
it anyhow.

You probably shouldn't allow untrusted users to access the shell.

On Sat, 6 Jul 2024 at 09:26, Phil Mawson via juniper-nsp
<juniper-nsp at puck.nether.net> wrote:
>
> Hi,
>
> Once a user enters the unix shell on a Juniper router/switch (i.e. start shell), it appears all standard logging of the commands typed is not captured by syslog and obviously not sent to AAA for authorisation.
>
> Is there a way to capture all commands users type and send to an external logging source? Looking through Juniper doc doesn’t have much info on this. I’d expect we’d need something running at the kernel level on BSD.
>
> Understand the commands are logged in the bash history file, but ideally need this to go off the router for audit purposes in real time.
>
> Cheers,
> Phil.



-- 
  ++ytti

