First, I'd like to say that I've been using log-user-session on hundreds of machines for 5+ years and it's been great. For the majority of this time, the hosts were either physical or VMs and as part of security compliance, local console login was disabled and rarely if ever needed.
Now, many machines have been migrated to AWS EC2's and for some reason or another, the need to use the local EC2 serial console to troubleshoot has come up more often than I care to admit. Is there any way that log-user-session can be used to log sessions other than just ssh? Ideally, any shell that gets opened would get logged (local console, serial console) so that we can be honest when telling auditors that all commands and output are logged.
Thanks for any help and guidance that may be provided; log-user-session is great and I'm hoping there's some way to configure or enhance it to handle this additional scenario.
Hi
I do not have console logging enabled anywhere, so I cannot give any finished recipes.
But, similar to sshd, I would go along the lines of how a shell is started and try to find a suitable spot to put it in between.
There is probably something like agetty picking up the user from the console. There you might set an alternative login program which first starts log-user-session and only then the real login process. Or the login process runs log-user-session instead of the login shell, as done in the ForcedCommand of sshd.conf.
Maybe with systemd it is all a bit different. The art is to find a suitable spot to slice that in.