by noja 3807 days ago
> It's so important to know what your admins are executing on your machines...

Micromanagement at its finest!

> it's just good to know what sort of general administration is being done.

Your change management process will give you an overview of what your admins are doing.

4 comments

Eh, the sysadmins would be monitoring each other. I'm not saying they should have a manager that keeps their commands in check.

And yes a change management process is very nice and all, and I suppose that at Amazon no line is entered into a root sshd shell without each character being vetted thrice, but at your regular shop you can bet that there's loads of admins that type "ps aux" three times before getting it right. Not that that's terrible, but if you want to look at system administration as an engineering problem you have to know what's going on.

Incident response. When one of your admin accounts is compromised, you'd want to know what the attacker executed.

Yes you would - but why just SSH? Wouldn't auditd execve syscall logs sent to a logstash server be better? It'd handle compromises other than SSH too.

Yes - though there's more to an SSH session than executing commands (interacting with interactive editors, port forwarding, etc.)

Could be used for micromanagement. But it's required in some environments by some common regulations.

There's a GitHub talk about using Hubot to do sysadmin. One of the advantages of having everything happening in a public forum is teaching.