Open patdowney opened 1 year ago
For ref - I think gravitational/teleport implements a similar capability - https://github.com/gravitational/teleport/issues/13785
@patdowney - Session Manager worker logs are intended for troubleshooting purpose, not for auditing purpose. Please see the documentation page.
You may use CloudTrail to identify which IAM identity started which session, and the session ids in CloudTrail events match the session worker ids when the sessions are still connected. The session worker threads are terminated when the session is terminated. However, please bear in mind that CloudTrail gives you the auditability of the caller of StartSession, instead of what OS operations are performed on the host.
Hope this clarifies!
Hi folks, I've got a query about trying to tie together the SSM session logs and linux auditd sessions/events.
I had hoped that, from taking a look at the process tree, if I am able to record invocations of
/usr/bin/ssm-session-worker
then I would be able to get a correlation between the SSM session identifier and an auditd session, and use that to be able to match auditd session to a particular ssm session, even if multiple AWS principals are logged in at the same time. Unfortunately it doesn't work that way, and to my knowledge I can't tell auditd to monitor a process and all it's children.It looks as though the session identifier that is logged against all these commands (both
ssm-session-worker
and all it's children) isses=4294967295
, which along withauid=4294967295
is not much good to me. From what I can see is4294967295
is effectively-1
orunset
, and matches many system processes. And because theauid
andses
are useless, tracking sessions acrosssudo
invocations is almost impossible. I've shown an example below:For the following I used these auditd rules:
This is the process tree showing two distinct ssm sessions
These are the sys calls logged
You'll note that in all of them, the non-
sudo
calls share the sameauid
andses
even though they're in different SSM sessions (the calls undersudo
get issues 'proper'auid
andses
values, but no way to map them to SSM). And because I'm not logging allexecve
sys calls, I can't even useppid
topid
mapping to associate the commands run undersudo
to their parent processes (which would also be a pain to analyse).What I'd love would be better integration between the SSM agent and the linux auditing subsystem. But I'd also love to understand if I'm doing it wrong (e.g. are there some PAM settings I should be using) and how other people are correlating sessions, or is everyone satisfied with the current SSM session manager logging even though it's nowhere near as rich?