Comments (2)
Hello,
You're right, ttyrec files are not synchronized. In our setups, we have between 2 and 8 machines in each bastion cluster, and some of these clusters receive millions of connections per day, so synchronizing all the ttyrec files between all the instances would produce a big overhead and would not be very efficient.
Our workflow is the following:
- A session is recorded on a bastion instance, it's stored locally as a ttyrec file, as you have seen.
- After a few days/weeks (configurable, depends on each cluster), the old ttyrec files are compressed and encrypted (to .gpg files), and moved locally to another folder. At that point, the ttyrec file can no longer be accessed by the user with the selfPlaySession command. It can still be decrypted/viewed by somebody with local access to the bastion (and access to the gpg key and password, of course). At the same time, those files are also pushed to a remote escrow filer. This is now possible because the files are encrypted, so there is no security/confidentiality concern getting those out of the bastion.
- After a few more days/weeks, the local copies of these compressed-encrypted ttyrec files, that have already been pushed to the escrow filer, are deleted, to ensure we always have room for the fresh ttyrecs that are continually produced.
So, the workflow to check all the ttyrec of an user, for example, is either to have a look at the escrow filer, where we have everything, or, if the time window is recent, check on the bastions directly. We know where to look because every command or access is logged to syslog, and this is pushed to a centralized location, so we can make queries to know exactly what ttyrec files have been produced, and where those are stored.
The script we use to compress/encrypt/rotate/push/delete ttyrec files is bin/cron/osh-encrypt-rsync.pl, with its corresponding configuration found at /etc/bastion/osh-encrypt-rsync.conf.
from the-bastion.
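The rotation workflow described in the comment above (record locally, encrypt and push after N days, delete the local encrypted copy after M more days), as an added example that is not The Bastion's own osh-encrypt-rsync.pl and does not reproduce its configuration. The directory names, the age thresholds, the `rotate`/`demo` functions and the `stand_in_encrypt` callable are assumptions for illustration; `gpg_encrypt` wraps the real gpg CLI for production use, while the demo uses the stand-in so it runs offline. The one thing it adds beyond the comment is a check a practitioner would want before the final delete step: the local encrypted copy is removed only after the escrow copy has been verified by hash, so a failed or partial push can never cause the only copy of a recording to be lost.

```python
# Added example (not code from The Bastion): a session-recording rotation
# policy modelled on the workflow in the comment. Stage 1 encrypts and pushes
# plaintext recordings older than encrypt_after_days; stage 2 deletes local
# encrypted copies older than delete_after_days, but only after verifying the
# escrow copy byte-for-byte by SHA-256. Paths and thresholds are assumptions.
import hashlib
import os
import shutil
import subprocess
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, List, Optional, Tuple

Encryptor = Callable[[Path, Path], None]


@dataclass(frozen=True)
class RotationPolicy:
    encrypt_after_days: float  # plaintext .ttyrec older than this is encrypted and pushed
    delete_after_days: float   # local .gpg older than this is deleted once verified on escrow


def gpg_encrypt(recipient: str) -> Encryptor:
    """Production encryptor: wraps the gpg CLI (assumed installed, with the key present)."""
    def encrypt(src: Path, dst: Path) -> None:
        subprocess.run(
            ["gpg", "--batch", "--yes", "--output", str(dst),
             "--encrypt", "--recipient", recipient, str(src)],
            check=True,
        )
    return encrypt


def stand_in_encrypt(src: Path, dst: Path) -> None:
    """Offline stand-in used only by demo(): NOT encryption, it merely tags the
    bytes so the rotation logic can be exercised without gpg installed."""
    dst.write_bytes(b"STAND-IN-NOT-ENCRYPTED:" + src.read_bytes())


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def age_days(path: Path, now: float) -> float:
    return (now - path.stat().st_mtime) / 86400.0


def rotate(ttyrec_dir: Path, encrypted_dir: Path, escrow_dir: Path,
           policy: RotationPolicy, encrypt: Encryptor,
           now: Optional[float] = None) -> List[Tuple[str, str]]:
    """Run one rotation pass; return (action, filename) records suitable for syslog."""
    now = time.time() if now is None else now
    actions: List[Tuple[str, str]] = []
    encrypted_dir.mkdir(parents=True, exist_ok=True)
    escrow_dir.mkdir(parents=True, exist_ok=True)

    # Stage 1: old plaintext recordings are encrypted, moved aside and pushed to escrow.
    for rec in sorted(ttyrec_dir.glob("*.ttyrec")):
        if age_days(rec, now) < policy.encrypt_after_days:
            continue
        enc = encrypted_dir / (rec.name + ".gpg")
        encrypt(rec, enc)
        rec.unlink()                                # plaintext gone: no longer replayable
        shutil.copy2(enc, escrow_dir / enc.name)    # local copy stands in for rsync to the filer
        actions.append(("encrypted_and_pushed", rec.name))

    # Stage 2: delete old local encrypted copies, only when the escrow copy matches by hash.
    for enc in sorted(encrypted_dir.glob("*.gpg")):
        if age_days(enc, now) < policy.delete_after_days:
            continue
        remote = escrow_dir / enc.name
        if remote.exists() and sha256_of(remote) == sha256_of(enc):
            enc.unlink()
            actions.append(("deleted_local", enc.name))
        else:
            actions.append(("kept_local_escrow_unverified", enc.name))
    return actions


def demo(encrypt: Encryptor = stand_in_encrypt, now: float = 1_700_000_000.0) -> List[Tuple[str, str]]:
    """Constructed scenario in a temp dir: a fresh recording, an old one, an old
    encrypted copy already on escrow, one whose escrow copy differs, and one
    that was never pushed. Returns the action records of a single pass."""
    root = Path(tempfile.mkdtemp())
    ttyrec, encd, escrow = root / "ttyrec", root / "encrypted", root / "escrow"
    for d in (ttyrec, encd, escrow):
        d.mkdir()
    day = 86400.0

    def put(path: Path, content: bytes, age: float) -> None:
        path.write_bytes(content)
        os.utime(path, (now - age * day, now - age * day))

    put(ttyrec / "fresh.ttyrec", b"session 1", age=1)
    put(ttyrec / "old.ttyrec", b"session 2", age=10)
    put(encd / "archived.ttyrec.gpg", b"ciphertext A", age=40)
    put(escrow / "archived.ttyrec.gpg", b"ciphertext A", age=40)
    put(encd / "mismatch.ttyrec.gpg", b"ciphertext C", age=40)
    put(escrow / "mismatch.ttyrec.gpg", b"truncated", age=40)   # partial push
    put(encd / "unpushed.ttyrec.gpg", b"ciphertext B", age=40)  # no escrow copy at all
    policy = RotationPolicy(encrypt_after_days=7, delete_after_days=30)
    try:
        return rotate(ttyrec, encd, escrow, policy, encrypt, now=now)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for action, name in demo():
        print(f"{action}: {name}")
```

The stage-2 guard is the point: deletion is keyed on the escrow copy being present and identical, not on the file merely being old, so the "mismatch" and "unpushed" cases are kept locally and surface in the action log where a central syslog query would show them. In production `demo` is not used; `rotate` would be scheduled from cron with `gpg_encrypt("<escrow key id>")` and a real push in place of the local copy.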
Thanks for your answer @speed47, we will design a similar workflow.
And thanks for The Bastion anyway!