
// the find

open-ch/log-user-session

★ 81 · C · MIT · updated Nov 2022

SSH session auditing

A C daemon that hooks into sshd to record full shell session transcripts for auditing. It writes logs that unprivileged users can't modify or delete, making it useful for compliance environments where you need proof of what someone typed. Narrow scope, does one thing.

Tamper-resistance is achieved by running as a privileged process and writing to a directory that session users can't touch — simple and effective. Pure C with autoconf means it'll build on almost any Linux system without dependency hell. Single-file source (log-user-session.c) makes auditing the auditor itself straightforward. Integrates at the sshd ForceCommand level, so it catches sessions regardless of what shell the user has.

Last commit was November 2022 — not archived, but not actively maintained either. Linux-only with no stated interest in BSDs or other platforms where sshd is common. No structured log output (JSON, syslog fields) means parsing transcripts for SIEM ingestion is your problem. With 81 stars and no recent activity, you're essentially adopting this solo if something breaks.
