Re: SSH session audit
On Mon, Feb 19, 2018 at 05:21:13PM +0100, me@risca.eu wrote:
> On 2018-02-19 16:52, john doe wrote:
> > Isn't pam enough?:
> > https://linux.die.net/man/8/pam
> >
> > No need to install anything and it's quite versatile.
>
> Yes, this is in line with the other suggested options such as snoopy or
> pam_tty_audit. It could work as audit system, but it seems to me as a
> solution for more structured and corporate environment.
OK.
> In the described case I would like a solution that store record the session
> in a safe way, immutable and trustable, therefore encrypting all (only the
> owners have to be able to read it) and hosted on a read only resource (the
> user who logins should not be able to delete it) and provable (signed).
> I think that with pam there is the risk that a user with full access right
> could easily delete all the logs. Or that the log could be altered after.
>
You say that the PAM solution sounds too structured and corporate then
go on to describe a highly structured system that would be very
appropriate for a corporate environment.
The truth is that if you try to roll your own solution then you are
likely to make some sort of mistake and introduce a vulnerability. Even
if you think PAM is "too structured" you are better off using that than
making a mistake in your custom implementation and leaving a whole.
Another aspect is that in your initial post you say that you trust your
partner, but everything you have described since is specifically aimed
creating a solution resistant to an *untrusted* party. You seem to be
contradicting yourself on this point.
You might want to consider a whitelist of commands accessible via sudo.
Each access of sudo is logged by the system and if you do not permit the
user modify system logs, then that may meet your requirements.
Regards,
-Roberto
--
Roberto C. Sánchez
Reply to: