Recording SSH sessions
Is your feature request related to a problem? Please describe: For enterprises in healthcare and finance it's sometimes a requirement to have the SSH session recorded. Also, for ease of use, metadata is just not sufficient.
Describe the solution you'd like: Would Boundary support recording SSH sessions so that they can be shared?
Describe alternatives you've considered: The current alternative is Gravitational Teleport's recording.
Explain any additional use-cases: If there are any use-cases that would help us understand the use/need/value, please share them, as they can help us decide on acceptance and prioritization.
- Meeting compliance requirements
- Knowledge-sharing with the team
- Better visibility, as you don't have to sift through logs.
Additional context: Add any other context or screenshots about the feature request here.
@mickeypash, thanks for the suggestion! Session recording for ssh and other protocols is definitely in our vision for Boundary but we don't yet have a timeline for the delivery of this capability. For now, we have a few big-ticket items for post-launch outlined in our roadmap. That said, for the next set of investments we'll be listening to community feedback (like this post) to see what comes next.
I have added https://github.com/hashicorp/boundary/issues/707, which addresses using Apache Guacamole to help with this. SSH session recording is a functionality they offer. So I'm not sure if Boundary or Guacamole is the right place for adding this support.
Something like tlog would be interesting.
@mickeypash I face the same challenge with recording SSH sessions, and I see no point in doing this when you have solutions which you can easily integrate to give more observability and threat detection. In our scenario, the video recording was mostly to capture what the user was doing during the SSH session.
So the approach I worked on was simply to enable audit logs + sudo rules + sudo logs and integrate all of that with a SIEM solution of your choice. In our case we set up rules to trigger alerts, and it was even more productive and easier than going through 4 hours of video on a specific change, plus the extra storage we consume keeping those videos.
I would recommend, especially if you work for a financial institution which needs to be PCI-DSS compliant, looking for a more effective approach, IMHO.
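An added example of the approach this comment describes (sudo logs fed into rule-based alerting), written for this thread and not code from Boundary or the commenter; the log lines are constructed samples in the syslog layout sudo uses, and the three rule names are assumptions of mine:

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the layout sudo writes to syslog:
#   sudo:  user : [reason ;] TTY=... ; PWD=... ; USER=target ; COMMAND=...
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
SHELLS = {"bash", "sh", "dash", "zsh", "su"}  # a shell via sudo bypasses per-command rules
SENSITIVE = ("/etc/sudoers", "/etc/passwd", "/etc/shadow")  # privilege/identity config

@dataclass
class Alert:
    rule: str    # hypothetical rule names, not from any SIEM product
    user: str
    target: str
    cmd: str

def parse_sudo_line(line: str) -> Optional[dict]:
    """Return the sudo fields of one syslog line, or None for non-sudo lines."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None

def evaluate(lines: List[str]) -> List[Alert]:
    """Apply SIEM-style rules to sudo log lines and return the alerts raised."""
    alerts = []
    for line in lines:
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        rule = None
        if ev["reason"]:                      # e.g. "command not allowed"
            rule = "sudo_denied"
        elif os.path.basename((ev["cmd"].split() or [""])[0]) in SHELLS:
            rule = "shell_via_sudo"
        elif any(p in ev["cmd"] for p in SENSITIVE):
            rule = "privilege_config_change"
        if rule:
            alerts.append(Alert(rule, ev["user"], ev["target"], ev["cmd"]))
    return alerts

# Constructed sample log lines (not real data); the sshd line shows non-sudo entries are skipped.
SAMPLE_LOG = """\
Jun  1 10:00:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jun  1 10:02:13 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/visudo
Jun  1 10:05:40 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Jun  1 10:07:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers.d/ops
Jun  1 10:09:55 web01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51514 ssh2
"""

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG.splitlines()):
        print(f"{a.rule:24} user={a.user} as={a.target} cmd={a.cmd}")
```

The same three rules can be expressed natively in whichever SIEM the logs are shipped to; the point is that each alert carries the user, target account and exact command, which a video recording does not index.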
I looked at this option and it fits perfectly in my architecture. I can send the logs to ElasticSearch, exploit the search capabilities of Elastic, and whenever I need to, "watch" what the user did which is not included in the sudo logs.
Here is a good example of integration tlog + Elastic
https://www.youtube.com/watch?v=dNnBOUh0V70
Interested here too
+1
+1
+1
+1
+1
@macgahe: can you share how you would record GUI-based sessions (RDP/X/X11)?
@am1ru1 as per best security practices we have disabled the X/X11 forwarding features, forcing the users to execute their actions only through the terminal. Hence we do not have this requirement of recording GUI-based user activity (in Linux).
In regards to RDP I still do not have a video-to-text solution, as tlog offers for Linux servers. So the intention is to avoid recording user sessions in a video, but to find a way to easily integrate with a
- Searchable text-based solution such as Splunk, ElasticSearch, Datadog and more
- SIEM integration
We have found that with any video-based session recording it is difficult to trace the user's activity and to integrate with threat detection solutions...
+1
Is SSH session auditing/logging still on the Roadmap for Boundary?
+1
Hi folks, this is under consideration for future Boundary offerings. We will continue to keep this post open so users can share their interest with the Boundary team by upvoting. Thank you for your feedback!
+1
+1
+1
@brendanfalk please do not use our repos to spam.
Also, if folks could please use the "thumbs-up" react, a +1 comment doesn't tend to add anything and causes more churn for engineers looking for further discussion and/or details - thanks for understanding! :)
Spam? I offered for my company to help solve this issue for the 80+ people that have been waiting almost 2 years for a solution...
Sorry for the off-topic: As far as I understood, the product that @brendanfalk mentioned before actually has the ability to record shell sessions.
But unfortunately, as far as I understood, it's not at all what was discussed in this issue. Fig shell recording is client-side (each client should have this terminal emulator and enable recording) and is made for sharing purposes. But in this feature request, "server-side" shell recording was discussed. This recording couldn't be switched off by the user (it's applied to any user that SSHes via Boundary) and its purpose is the history of user actions for possible security investigations.
So I assume that the product mentioned above is not suitable as a workaround for this issue.
So to 100% clarify:
- We exclusively focus on server side session recording
- Nothing needs to be installed client side for our solution to work
- We can be easily set up so users cannot disable us
I don't want to spam this thread either so this will be my last comment. I fully understood the problem being discussed here and we have some really neat tech to solve it (we use pseudoterminals). If you'd like a demo, please let me know!
Today at Hashidays, our team released SSH Session Recording, available for both Enterprise & HCP Boundary. Administrators can now enable session recording on SSH targets in their Boundary environment, store signed recordings in their Amazon S3 storage bucket, and replay recordings back within the Boundary admin UI.
Session Recording has been our number one most requested feature, and we’re grateful for all the feedback folks provided on this issue. You can read more about it on our release blog here.
A number of other features were released as part of 0.13, notably the support for the LDAP as an auth method, support for LDAP managed groups, default client listening ports, and improvements to Dynamic Host Catalogs. As always, we’re excited to gather feedback from the community. Thanks for helping us build Boundary together.
@AdamBouhmad Sounds great!
One problem we have with several HashiCorp products, is that it's hard to pay you.
We don't want to run Boundary or Vault hosted on your servers (HCP), for obvious security reasons.
And for enterprise there is no public pricing (which is always a red flag to me, because we've had issues with "custom enterprise pricing" which is then arbitrarily jacked up 30-50% on annual renewal for no reason other than that we're locked-in).
Also, my guess is that if we'd ask we'd get something unreasonable like "Boundary Enterprise is starting at $10,000", which is more than the total annual software budget of our small firm.
You make great software! But I feel like you're missing an offering in the mid-range, where small firms can just sign up and start paying for access to some advanced features, but still self-host.
In Teleport this feature is free =)
@metanovii Their pricing page has "Call us" as the listed price for self-hosted (https://goteleport.com/pricing/).
I've tried calling them -- it's the same problem though, giving them money is hard.
Teleport might be a good alternative to Boundary in some cases. But in this regard, difficulty getting a reasonable and predictable price for self-hosted (that won't be arbitrarily changed year-to-year), I don't think they're any better.
For what?
https://goteleport.com/docs/faq/#how-is-open-source-different-from-enterprise