Deploy a Session Recording Solution Using Ansible and Audit Your Bastion Host
Learn how to record SSH sessions on a Red Hat Enterprise Linux VSI using in-built packages. The RHEL packages are installed using Ansible automation.
Learn how to record SSH sessions on a Red Hat Enterprise Linux VSI in a private VPC network using in-built packages. The private VPC network is provisioned through Terraform, and the RHEL packages are installed using Ansible automation.
What Is Session Recording and Why Is It Required?
As noted in "Securely record SSH sessions on RHEL in a private VPC network," a bastion host and a jump server are both controls used to mediate administrative access to systems in a private network. They serve similar purposes but differ in implementation and use cases. The bastion host sits in front of the private network: it accepts SSH connections from public traffic and forwards them to the downstream machines. Because they are the one component deliberately exposed to the public internet, bastion hosts and jump servers are prime targets for intrusion, which is exactly why the sessions passing through them need to be recorded.
Session recording lets the administrator of a system audit user SSH sessions and meet regulatory requirements. After a security breach, you as an administrator need to reconstruct what each user did in each session; for a security-sensitive system this capability is critical.
Before deploying the session recording solution, provision a private VPC network by following the instructions in the article "Architecting a Completely Private VPC Network and Automating the Deployment." Alternatively, if you plan to use your own VPC infrastructure, attach a floating IP to the virtual server instance and a public gateway to each of the subnets, and allow the required network traffic from the public internet.
Deploy Session Recording Using Ansible
To deploy the session recording solution, the following packages must be installed on the RHEL VSI:
- tlog
- SSSD
- cockpit-session-recording
Ansible installs the packages on all the VSIs, the bastion hosts as well as the RHEL server; the exact package list is taken from the packages variable in the inventory shown below.
If you haven't done so yet, clone the GitHub repository and move to the Ansible folder.
git clone https://github.com/VidyasagarMSC/private-vpc-network
cd private-vpc-network/ansible
Create hosts.ini from the template file.
cp hosts_template.ini hosts.ini
Update the hosts.ini entries to match your VPC IP addresses and the path to your SSH private key.
[bastions]
10.10.0.13
10.10.65.13
[servers]
10.10.128.13
[bastions:vars]
ansible_port=22
ansible_user=root
ansible_ssh_private_key_file=/Users/vmac/.ssh/ssh_vpc
packages="['tlog','cockpit-session-recording','systemd-journal-remote']"
[servers:vars]
ansible_port=22
ansible_user=root
ansible_ssh_private_key_file=/Users/vmac/.ssh/ssh_vpc
ansible_ssh_common_args='-J root@10.10.0.13'
packages="['tlog','cockpit-session-recording','systemd-journal-remote']"
Run the Ansible playbook to install the packages from an IBM Cloud private mirror/repository. The servers have no public route, so Ansible reaches them through the bastion as set by ansible_ssh_common_args in the inventory.
ansible-playbook main_playbook.yml -i hosts.ini --flush-cache
Running Ansible playbooks
As the screenshot shows, once you SSH into the RHEL machine after the playbook has run, the login banner states that the current session is being recorded.
Check the Session Recordings, Logs, and Reports
If you look closely at the messages printed after login, you will see a URL to the web console, which can be reached on port 9090 using the machine name or its private IP. To allow traffic on port 9090, change the value of the allow_port_9090 variable in the Terraform code to true and run terraform apply again. This apply adds the ACL and security group rules that allow traffic on port 9090.
Now open a browser and navigate to http://10.10.128.13:9090. Cockpit serves the console over TLS, so the plain HTTP request is redirected to https:// and, until you install your own certificate, the browser will warn about the self-signed one. Because 10.10.128.13 is a private address, the browser must be inside the VPC (for example, via a client VPN or an SSH port forward through the bastion). To access the console using the VSI name, you need to set up a private DNS (out of scope for this article). You need the root password to log in to the web console.
RHEL web console
Navigate to Session Recording to see the list of recordings. Alongside the recordings, the console also gives you the system logs, diagnostic reports, and so on.
Session recording on the Web console
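Once the packages are installed, the raw recordings are ordinary journal entries, so an auditor can work on them even when the web console is unavailable or untrusted. As an added example, not code from the article or from the private-vpc-network repository, the Python script below replays tlog messages per recording, recovers the command lines each user submitted and flags holes in the message sequence; a hole means lost or deleted data and deserves follow-up during an incident review. It assumes tlog's JSON message layout and timing grammar (fields rec, user, session, id, timing, in_txt/in_bin, out_txt/out_bin; entries +ms, =WxH, <n, >n, [c/b, ]c/b). The five records embedded in it are constructed for the example; a real run would feed it the MESSAGE field of tlog's entries from journalctl -o json.

```python
"""Replay tlog session-recording messages to reconstruct what each user typed.

Added example, not code from the article or its repository.  tlog writes one
JSON message per chunk of terminal I/O to the journal; its "timing" string
interleaves +delay_ms, =colsxrows, <n chars of "in_txt" (keystrokes), >n chars
of "out_txt" (screen) and [c/b or ]c/b binary runs from "in_bin"/"out_bin".
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: two recordings; message 3 of rec-a1 is deliberately missing.
SAMPLE_MESSAGES = [
    '{"ver":"2.3","host":"rhel-vsi","rec":"rec-a1","user":"alice","session":7,"id":1,"pos":0,'
    '"timing":"=80x24>2+500<3","in_txt":"ls\\r","in_bin":[],"out_txt":"$ ","out_bin":[]}',
    '{"ver":"2.3","host":"rhel-vsi","rec":"rec-a1","user":"alice","session":7,"id":2,"pos":1200,'
    '"timing":">14+300<8>2","in_txt":"sudo -i\\r","in_bin":[],"out_txt":"\\r\\nfile.txt\\r\\n$ \\r\\n","out_bin":[]}',
    '{"ver":"2.3","host":"rhel-vsi","rec":"rec-a1","user":"alice","session":7,"id":4,"pos":5000,'
    '"timing":"<5>8","in_txt":"exit\\r","in_bin":[],"out_txt":"logout\\r\\n","out_bin":[]}',
    # bob mistypes "whoami" and fixes it with Backspace (DEL); one output run is a UTF-8 byte pair
    '{"ver":"2.3","host":"rhel-vsi","rec":"rec-b2","user":"bob","session":9,"id":1,"pos":0,'
    '"timing":"=120x40>2<9","in_txt":"whoamj\\u007fi\\r","in_bin":[],"out_txt":"$ ","out_bin":[]}',
    '{"ver":"2.3","host":"rhel-vsi","rec":"rec-b2","user":"bob","session":9,"id":2,"pos":40,'
    '"timing":"+40>9]1/2","in_txt":"","in_bin":[],"out_txt":"\\r\\nbob\\r\\n$ ","out_bin":[195,169]}',
]
TIMING_RE = re.compile(r"([+=<>\[\]])(\d+(?:[x/]\d+)?)")


def parse_timing(msg: dict) -> List[Tuple[str, object]]:
    """Expand a message into (kind, value) events; raise if timing and body disagree."""
    timing, events, consumed = msg["timing"], [], 0
    used = {"in_txt": 0, "out_txt": 0, "in_bin": 0, "out_bin": 0}
    for m in TIMING_RE.finditer(timing):
        if m.start() != consumed:  # unparsable bytes between entries
            raise ValueError(f"malformed timing {timing!r} at offset {consumed}")
        consumed, (kind, arg) = m.end(), m.groups()
        if kind == "+":
            events.append(("delay", int(arg)))
        elif kind == "=":
            cols, rows = arg.split("x")
            events.append(("window", (int(cols), int(rows))))
        elif kind in "<>":
            key, n = ("in_txt" if kind == "<" else "out_txt"), int(arg)
            events.append(("in" if kind == "<" else "out", msg[key][used[key]:used[key] + n]))
            used[key] += n
        else:  # "[" input / "]" output binary run, written as <chars>/<bytes>
            key, n = ("in_bin" if kind == "[" else "out_bin"), int(arg.split("/")[1])
            raw = bytes(msg[key][used[key]:used[key] + n]).decode("utf-8", "replace")
            events.append(("in" if kind == "[" else "out", raw))
            used[key] += n
    if consumed != len(timing) or any(used[k] != len(msg[k]) for k in used):
        raise ValueError(f"timing {timing!r} does not account for the message body")
    return events


@dataclass
class Recording:
    rec: str
    user: str
    session: int
    typed: str = ""  # every keystroke, in order
    screen: str = ""  # everything the user saw
    window: Tuple[int, int] = (0, 0)
    ids: List[int] = field(default_factory=list)

    @property
    def missing_ids(self) -> List[int]:
        """tlog numbers messages 1, 2, 3, ...; a hole means lost or removed data."""
        return [i for i in range(1, max(self.ids, default=0) + 1) if i not in self.ids]


def replay(raw_messages) -> Dict[str, Recording]:
    """Group journal messages by recording id and stitch their I/O back together."""
    recs: Dict[str, Recording] = {}
    for m in sorted(map(json.loads, raw_messages), key=lambda m: (m["rec"], m["id"])):
        r = recs.setdefault(m["rec"], Recording(m["rec"], m["user"], m["session"]))
        r.ids.append(m["id"])
        for kind, value in parse_timing(m):  # delays are not needed for this report
            if kind == "in":
                r.typed += value
            elif kind == "out":
                r.screen += value
            elif kind == "window":
                r.window = value
    return recs


def commands(typed: str) -> List[str]:
    """Turn raw keystrokes into submitted command lines (Enter ends, Backspace/DEL erases)."""
    lines, buf = [], []
    for ch in typed:
        if ch in "\r\n":
            lines.append("".join(buf))
            buf = []
        elif ch in "\x7f\b":
            buf = buf[:-1]
        else:
            buf.append(ch)
    return lines + (["".join(buf)] if buf else [])
```

Calling replay(SAMPLE_MESSAGES) and then commands(r.typed) on each recording lists the commands alice and bob ran; the Backspace in bob's session shows why the raw in_txt stream is not enough on its own, and the missing message in alice's recording is the check an auditor should always run before trusting a replay.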
Opinions expressed by DZone contributors are their own.