Closed mickeypash closed 1 year ago
@mickeypash, thanks for the suggestion! Session recording for ssh and other protocols is definitely in our vision for Boundary but we don't yet have a timeline for the delivery of this capability. For now, we have a few big-ticket items for post-launch outlined in our roadmap. That said, for the next set of investments we'll be listening to community feedback (like this post) to see what comes next.
I have added https://github.com/hashicorp/boundary/issues/707 which addresses using Apache Guacamole to help with this. SSH session recording is a functionality they offer. So I'm not sure if Boundary or Guacamole should be the right place for adding in this support.
@mickeypash I face the same challenge with recording SSH sessions, which I see no point in doing when you have solutions you can easily integrate to give more observability and threat detection. In our scenario, the video recording was mostly to capture what the user was doing during the SSH session.
So the approach I worked on was simply to enable audit logs + sudo rules + sudo logs and integrate all of that with a SIEM solution of your choice. In our case we set up rules to trigger alerts, and it was even more productive and easy than going through 4 hours of video on a specific change, plus the extra storage we consume keeping those videos.
I would recommend, especially if you work for a financial institution which needs to be PCI-DSS compliant, to look for a more effective approach IMHO.
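As an added illustration of the audit-log + sudo-log + SIEM-rules approach described in the comment above (example code written for this thread, not from the thread or from Boundary), here is a small detector that parses constructed sudo syslog lines and a raw auditd EXECVE record and applies three alert rules; the log lines, hostnames and rule names are all made up for the example. The interactive-root-shell rule is the important one: it flags exactly the case sudo logging cannot see into, which is the gap that auditd execve rules or session recording have to cover.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not from the thread): three sudo syslog lines and one raw
# auditd EXECVE record. auditd hex-encodes argv entries containing spaces, so a2 is hex.
SAMPLE_LOGS = [
    "Jan 10 12:00:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Jan 10 12:00:05 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    'type=EXECVE msg=audit(1700000000.123:456): argc=3 a0="sh" a1="-c" a2=6375726C20687474703A2F2F3230332E302E3131332E352F78207C207368',
    "Jan 10 12:00:09 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
]
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=\S+ ; COMMAND=(?P<cmd>.*)$")
EXECVE_RE = re.compile(r"type=EXECVE msg=audit\([\d.]+:\d+\):")
ARG_RE = re.compile(r'a\d+=(?:"((?:[^"\\]|\\.)*)"|([0-9A-F]+))')  # quoted or hex-encoded argv entry

@dataclass
class Event:
    source: str   # "sudo" or "auditd"
    user: str     # invoking user; an EXECVE record alone carries no uid, so "?" there
    command: str  # decoded command line

def parse_line(line):
    """Turn one sudo syslog line or one raw auditd EXECVE record into an Event (else None)."""
    m = SUDO_RE.search(line)
    if m:
        return Event("sudo", m.group("user"), m.group("cmd").strip())
    if EXECVE_RE.search(line):
        args = [q if q else bytes.fromhex(h).decode("utf-8", "replace") for q, h in ARG_RE.findall(line)]
        return Event("auditd", "?", " ".join(args))
    return None

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}
SENSITIVE_FILES = ("/etc/shadow", "/etc/sudoers")

def rules_for(ev):
    """Return the names of every detection rule the event matches (hypothetical rule set)."""
    hits, args = [], ev.command.split()
    # A bare "sudo <shell>" or "sudo su" is the blind spot of sudo logging: nothing typed inside
    # that shell is logged, which is what auditd execve rules or session recording must cover.
    if ev.source == "sudo" and args and (args[0] == "/bin/su" or (args[0] in INTERACTIVE_SHELLS and len(args) == 1)):
        hits.append("interactive-root-shell")
    if any(f in ev.command for f in SENSITIVE_FILES):
        hits.append("sensitive-file-access")
    if re.search(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b", ev.command):
        hits.append("pipe-to-shell")
    return hits

def scan(lines):
    """Return (rule, user, command) triples for every line that trips a rule."""
    out = []
    for ev in filter(None, map(parse_line, lines)):
        out.extend((rule, ev.user, ev.command) for rule in rules_for(ev))
    return out
```

In a real deployment the same rules would live in the SIEM; the point of the block is to show what each log source does and does not give you before choosing between text-based auditing and full session recording.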
Is your feature request related to a problem? Please describe. For enterprises in healthcare and finance it's sometimes a requirement to have the SSH session recorded. Also for ease of use, metadata is just not sufficient.
Describe the solution you'd like Would Boundary support recording SSH sessions so that they can be shared.
Describe alternatives you've considered The current alternative is Gravitational Teleport's Recording
Explain any additional use-cases If there are any use-cases that would help us understand the use/need/value please share them as they can help us decide on acceptance and prioritization.
- Meeting compliance requirements
- Knowledge-sharing with the team
- Better visibility, as you don't have to sift through logs.
Additional context Add any other context or screenshots about the feature request here.
Something like tlog would be interesting.
I looked at this option and it fits perfectly in my architecture. I can send the logs to Elasticsearch, exploit the search capabilities of Elastic, and whenever I need to, "watch" what the user did, which is not included in the sudo logs.
Here is a good example of a tlog + Elastic integration
Interested here too
+1
+1
+1
+1
+1
@macgahe: can you share how you would record GUI-based sessions (RDP/X/X11)?
@am1ru1 As per best security practices, we have disabled the X/X11 forwarding features, forcing users to execute their actions only through the terminal. Hence we do not have this requirement of recording GUI-based user activity (in Linux).
In regards to RDP, I still do not have a video-to-text solution, as tlog offers for Linux servers. So the intention is to avoid recording user sessions as video, but to find a way to easily integrate with a searchable text-based solution such as
We have found that any video-based session recording makes it difficult to trace the user's activity and to integrate with threat detection solutions...
+1
Is SSH session auditing/logging still on the Roadmap for Boundary?
+1
Hi folks, this is under consideration for future Boundary offerings. We will continue to keep this post open so users can share their interest with the Boundary team by upvoting. Thank you for your feedback!
+1
+1
+1
@brendanfalk please do not use our repos to spam.
Also, if folks could please use the "thumbs-up" react, a +1 comment doesn't tend to add anything and causes more churn for engineers looking for further discussion and/or details - thanks for understanding! :)
> @brendanfalk please do not use our repos to spam.
Spam? I offered for my company to help solve this issue for the 80+ people that have been waiting almost 2 years for a solution...
Sorry for the off-topic: as far as I understood, the product that @brendanfalk mentioned before actually has the ability to record shell sessions.
But unfortunately, as far as I understood, it's not at all what was discussed in this issue. Fig shell recording is client-side (each client should have this terminal emulator and enable recording) and made for sharing purposes. But in this feature request, "server-side" shell recording was discussed. This recording couldn't be switched off by the user (it's applied to any user that SSHes via Boundary) and its purpose is the history of user actions for possible security investigations.
So I assume that the product mentioned above is not suitable as a workaround for this issue.
So to 100% clarify:
I don't want to spam this thread either so this will be my last comment. I fully understood the problem being discussed here and we have some really neat tech to solve it (we use pseudoterminals). If you'd like a demo, please let me know!
Today at Hashidays, our team released SSH Session Recording, available for both Enterprise & HCP Boundary. Administrators can now enable session recording on SSH targets in their Boundary environment, store signed recordings in their Amazon S3 storage bucket, and replay recordings back within the Boundary admin UI.
Session Recording has been our number one most requested feature, and we’re grateful for all the feedback folks provided on this issue. You can read more about it on our release blog here.
A number of other features were released as part of 0.13, notably the support for the LDAP as an auth method, support for LDAP managed groups, default client listening ports, and improvements to Dynamic Host Catalogs. As always, we’re excited to gather feedback from the community. Thanks for helping us build Boundary together.
@AdamBouhmad Sounds great!
One problem we have with several HashiCorp products is that it's hard to pay you.
We don't want to run Boundary or Vault hosted on your servers (HCP), for obvious security reasons.
And for enterprise there is no public pricing (which is always a red flag to me, because we've had issues with "custom enterprise pricing" which is then arbitrarily jacked up 30-50% on annual renewal for no reason other than that we're locked-in).
Also, my guess is that if we'd ask we'd get something unreasonable like "Boundary Enterprise is starting at $10,000", which is more than the total annual software budget of our small firm.
You make great software! But I feel like you're missing an offering in the mid-range, where small firms can just sign up and start paying for access to some advanced features, but still self-host.
In Teleport this feature is free =)
@metanovii Their pricing page has "Call us" as the listed price for self-hosted (https://goteleport.com/pricing/).
I've tried calling them -- it's the same problem though, giving them money is hard.
Teleport might be a good alternative to Boundary in some cases. But in this regard, difficulty getting a reasonable and predictable price for self-hosted (that won't be arbitrarily changed year-to-year), I don't think they're any better.
> @metanovii Their pricing page has "Call us" as the listed price for self-hosted (https://goteleport.com/pricing/).
> I've tried calling them -- it's the same problem though, giving them money is hard.
For what? https://goteleport.com/docs/faq/#how-is-open-source-different-from-enterprise
Hi all, thanks for the feedback.
Every open core vendor will have different perspectives on where to draw the line on open source versus enterprise features. Our general view for assigning value to features that are enterprise vs. open source is whether it meets stringent compliance or regulatory requirements, or solves Enterprise level scale or reliability challenges. Our rationale is that Session Recording solves an enterprise compliance problem. If you need it, you are likely operating at enterprise scale or have enterprise/regulated challenges. For this reason, we've decided to make Session Recording HCP & Enterprise only at this time.
We've tried to be extremely thoughtful around what practitioner-focused features to make open source to the community vs. what enterprise-focused features are reserved for our commercial-only offerings. While session recording is only available in our HCP and Enterprise offerings, we're very proud that all delegated authentication SSO via OIDC, LDAP, and any attribute-based authorization with managed groups are all fully open sourced in Boundary. After many discussions with users, we've come to the view that SSO and attribute-based authorization are table-stakes for adoption of a PAM product.
@AdamBouhmad Sounds like a reasonable approach!
My main complaint wasn't that some functionality is gated behind enterprise
It was that as a small company it's often hard to buy [for a reasonable price] the paid self-hosted version of the product [often called enterprise].
That said, I've actually talked with a sales rep at your firm, and been offered $0.90 per session for self-hosted boundary, which is great!
I'm not sure we'll bite, but it's the same price as you charge for cloud HCP, which is exactly what I wanted -- i.e. my complaint above, that small firms cannot buy the paid self-hosted version for a reasonable price, doesn't hold in this case, since the price is indeed the same.
@sandstrom Glad to hear it & completely reasonable. If you're willing, I'd love to learn more about what you're looking for from a PAM tool -- my email is adam.bouhmad@hashicorp.com, feel free to shoot me a message there if you want to chat more.
It's not quite clear from the documentation if the open source version supports SSH session recording. Can anyone shed some light on that?
Hey @leonk-sportsbet - currently session recording is available for Enterprise and HCP.
This is noted here, on the 0.13 release page. It's also mentioned in some other documents and blog posts as I recall, too.
really disappointing, after all the wait and that's the result, thanks for nothing :(
@mataneine They need to make money though; most open source projects require salaried people to work on them full time. They had "Corp" in the name from the get-go, after all 😉
My disappointment is that the monetization path doesn't seem well adapted to smaller companies. We don't want to use HCP cloud, and their on-premise pricing is "call us" which is opaque and unpredictable.
Basically, the downside with signing such agreements is that next year when we're renewing, HashiCorp may call us and say prices are 2x higher this year.
We avoid such providers.
I much prefer the setup of AWS, which has basically never increased any prices, and the pricing is public and predictable.
By the way, I want to point out that the documentation is extremely misleading in the Session Recording section, since there is no mention of it being an ENT/HCP-only feature, both under Configuration and under Operations.
Thank you @juliosueiras, @sandstrom & @leonk-sportsbet for the feedback. We now have a feature matrix published on our docs page, and have put together a PR to have an enterprise badge displayed on Enterprise & HCP-only features within the docs.
If there are additional issues, please raise them. Thank you!