Record ssh sessions
Record ssh sessions - How to enable it on the bastion host (also called a "jump server")
This feature lets you record the ssh sessions of jump server users who access servers, Amazon instances or other cloud instances via the jump box. This is useful for meeting security compliance standards such as PCI DSS, HIPAA, NIST, NERC, FFIEC etc. To enable ssh recording.
There are 3 settings to record the ssh sessions
- None - This would disable ssh session recording.
- Input - This would record only the STDIN, which would be the keyboard inputs of the ssh jump server user.
- Output - This would record only the STDOUT, which would be the outputs on the screen of the jump server user.
- Both - This would record both the STDIN and STDOUT of the ssh session.
The input mode records everything typed into the STDIN, including characters that are not shown on the screen, so it would record the passwords a user types when changing a password with the password command. This would be in violation of security compliance standards like PCI DSS, HIPAA, NIST etc. We recommend choosing output only, so that passwords are not recorded and security compliance is met.
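The difference between the two modes can be reproduced on any pseudo-terminal. The following is an added example, not Ezlogin code: it models a recorder sitting between the user and a program that turns terminal echo off for a password prompt. The function name `record_session`, the prompt text and the sample password are assumptions constructed for the demonstration.

```python
import os
import pty
import termios

SECRET = "Constructed-Passw0rd"  # constructed sample value, not from the page


def record_session(typed: str, prompt: bytes, echo: bool):
    """Run one prompt on a pty and return (input_log, output_log) as bytes."""
    pid, master = pty.fork()
    if pid == 0:  # child: stands in for the program running on the server
        try:
            if not echo:  # what a password prompt does before reading
                attrs = termios.tcgetattr(0)
                attrs[3] &= ~termios.ECHO
                termios.tcsetattr(0, termios.TCSAFLUSH, attrs)
            os.write(1, prompt)
            os.read(0, 1024)  # canonical mode: returns one typed line
            os.write(1, b"\ndone\n")
        finally:
            os._exit(0)
    input_log, output_log, sent = b"", b"", False
    while True:
        try:
            chunk = os.read(master, 1024)
        except OSError:  # Linux reports EIO once the child has closed the pty
            break
        if not chunk:
            break
        output_log += chunk  # the screen side: what "Output" mode stores
        if not sent and prompt in output_log:
            keys = (typed + "\n").encode()
            os.write(master, keys)
            input_log += keys  # the keyboard side: what "Input" mode stores
            sent = True
    os.waitpid(pid, 0)
    os.close(master)
    return input_log, output_log


if __name__ == "__main__":
    cases = (("command", "uname -a", True), ("password", SECRET, False))
    for label, text, echo in cases:
        i, o = record_session(text, b"prompt> ", echo)
        print(label, "| input log:", text.encode() in i,
              "| output log:", text.encode() in o)
```

An echoed command appears in both logs, while the password appears only in the input log, which is why output-only recording keeps typed passwords out of the stored sessions.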
How to view the ssh session recorded?
- Navigate to users->SSH log and select the jump server user and the server to view the recorded session for that server.
- Click on the 'Log type output' to view the entire ssh session recorded for the user john on the server tesla.eznoc.com. As you can see, the entire ssh session is available.
How to view the ssh session recorded in real time or view the currently ongoing ssh session of jump server users live?
Click on enable streaming and choose the interval of 1 second and you will be able to see what the jump server user is doing on a server in real time.
How to encrypt ssh session log recorded to meet security compliances?
You can enable 'Encrypt ssh session logs' under Settings->General->Security so that the logs are not human readable. Note that the logs are only readable from the GUI and that the ssh logs are stored in the /var/log/ezlogin directory.
How to search the ssh session log recorded for strings or keywords?
Enter the string to be searched in the field 'Log Content'. The results show the matching logs along with the user and the username with which the server was accessed; the login and logout times are recorded as well.