
Comments (2)

speed47 avatar speed47 commented on June 22, 2024

Hello,

You're right, ttyrec files are not synchronized. In our setups, we have between 2 and 8 machines in each bastion cluster, and some of these clusters receive millions of connections per day, so synchronizing all the ttyrec files between all the instances would produce a big overhead and would not be very efficient.

Our workflow is the following:

  • A session is recorded on a bastion instance, it's stored locally as a ttyrec file, as you have seen.
  • After a few days/weeks (configurable, depends on each cluster), the old ttyrec files are compressed and encrypted (to .gpg files), and moved locally to another folder. At that point, the ttyrec file can no longer be accessed by the user with the selfPlaySession command. It can still be decrypted/viewed by somebody with local access to the bastion (and access to the gpg key and password, of course). At the same time, those files are also pushed to a remote escrow filer. This is now possible because the files are encrypted, so there is no security/confidentiality concern getting those out of the bastion.
  • After a few more days/weeks, the local copies of these compressed-encrypted ttyrec files, that have already been pushed to the escrow filer, are deleted, to ensure we always have room for the fresh ttyrecs that are continually produced.

So, the workflow to check all the ttyrec of a user, for example, is either to have a look at the escrow filer, where we have everything, or, if the time window is recent, check on the bastions directly. We know where to look because every command or access is logged to syslog, and this is pushed to a centralized location, so we can make queries to know exactly what ttyrec files have been produced, and where those are stored.

The script we use to compress/encrypt/rotate/push/delete ttyrec files is bin/cron/osh-encrypt-rsync.pl, with its corresponding configuration found at /etc/bastion/osh-encrypt-rsync.conf.

from the-bastion.
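One way to turn the syslog-driven lookup described above into code, as an added example that is not The Bastion's own code: it assumes a constructed log line format, a fixed reference time, per-cluster retention values and an assumed naming scheme for the encrypted copies and escrow paths, and maps each recorded session to the stage of the lifecycle it is in (plaintext on the bastion, encrypted locally and on escrow, or escrow only).

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath
# Constructed syslog line format (an assumption, not The Bastion's real format):
# "<ISO timestamp> <bastion host> osh: user=<account> ttyrec=<absolute path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) osh: user=(?P<user>\S+) ttyrec=(?P<path>\S+)$")

# Constructed sample lines from a two-instance cluster, and a fixed "now" so the
# example is reproducible (a real tool would use datetime.now()).
SAMPLE_LOG = """\
2024-06-21T09:15:00 bastion-a osh: user=alice ttyrec=/home/alice/ttyrec/srv1.ttyrec
2024-06-10T18:42:00 bastion-b osh: user=alice ttyrec=/home/alice/ttyrec/srv2.ttyrec
2024-04-01T07:00:00 bastion-a osh: user=bob ttyrec=/home/bob/ttyrec/srv3.ttyrec
"""
NOW = datetime(2024, 6, 22, 12, 0, 0)

@dataclass(frozen=True)
class Retention:
    encrypt_after: timedelta  # plaintext -> compressed + gpg, pushed to escrow
    delete_after: timedelta   # local encrypted copy removed; escrow holds the only copy
RETENTION = Retention(timedelta(days=7), timedelta(days=30))  # per-cluster values, assumed

@dataclass(frozen=True)
class Location:
    user: str
    host: str            # bastion instance that recorded the session
    stage: str           # local-plaintext | local-encrypted+escrow | escrow-only
    path: str            # where to fetch the recording right now
    self_playable: bool  # selfPlaySession only works while the file is plaintext

def locate(line, now, retention, escrow_root="/escrow"):
    """Map one log line to the recording's current location; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    age = now - datetime.fromisoformat(m["ts"])
    src = PurePosixPath(m["path"])
    enc = src.name + ".gz.gpg"  # assumed naming for the compressed+encrypted copy
    if age < retention.encrypt_after:
        return Location(m["user"], m["host"], "local-plaintext", str(src), True)
    if age < retention.delete_after:  # assumed local archive folder next to the ttyrecs
        return Location(m["user"], m["host"], "local-encrypted+escrow", str(src.parent / "archive" / enc), False)
    return Location(m["user"], m["host"], "escrow-only", f"{escrow_root}/{m['host']}/{enc}", False)

def locate_user(user, log, now, retention):
    """Every recording of `user` across the cluster, in log order."""
    hits = (locate(l, now, retention) for l in log.splitlines() if l.strip())
    return [h for h in hits if h and h.user == user]
```

Run against the centralized syslog export instead of SAMPLE_LOG, with the cluster's real thresholds, to answer "where is this user's session right now" before touching any bastion.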

jonathanmarsaud avatar jonathanmarsaud commented on June 22, 2024

Thanks for your answer @speed47, we will design a similar workflow.
And thanks for The Bastion anyway!

