Teleport 4.2 Released - Enhanced Session Recording, Workflows, and GCP

Teleport 4.2

Introducing Teleport 4.2

Teleport 4.2 delivers a strong foundation of new features. We have a full list of improvements and fixes attached to our Teleport 4.2.0 GitHub release. Below are a couple of the highlights:

Read on for more details on how these foundational changes enhance Teleport’s auditing capabilities and integrate with your existing workflows.

Enhanced Session Recording - Alpha Release

Teleport has offered session recording since its inception, and viewing detailed live recordings of sessions can still blow people away. Teleport 4.2 takes session recording to the next level: you can see not only the commands that are run but also detailed information about those commands, plus network connections and file activity. How detailed?

If you tried to audit…

echo Y3VybCBodHRwOi8vd3d3LmV4YW1wbGUuY29tCg== | base64 --decode | sh 

What do you think is happening?

Apart from looking like gobbledygook, the user has base64 encoded something to obfuscate their command.

With Enhanced Session Recording you’ll be able to see exactly what’s happening when someone tries to do this during a session.

It turns out the user is running three commands: sh, base64 to decode the message, and curl, which was hidden in the base64-encoded string.

The resulting output is returned in Teleport’s audit log.

{
  "event": "session.command",
  "path": "/bin/sh",
  "program": "sh",
  "argv": [],
  "login": "centos",
  "user": "jsmith"
}
{
  "event": "session.command",
  "path": "/bin/base64",
  "program": "base64",
  "argv": [
    "--decode"
  ],
  "login": "centos",
  "user": "jsmith"
}
{
  "event": "session.command",
  "path": "/bin/curl",
  "argv": [
    "http://www.example.com"
  ],
  "program": "curl",
  "return_code": 0,
  "login": "centos",
  "user": "jsmith"
}
{
  "event": "session.network",
  "program": "curl",
  "src_addr": "172.31.43.104",
  "dst_addr": "93.184.216.34",
  "dst_port": 80,
  "login": "centos",
  "user": "jsmith",
  "version": 4
}
(Extra log info has been removed for clarity.)

From this Audit Log, it’s now possible to know that the user ran curl http://www.example.com.

What else can this be used for?

Session recordings are usually unstructured, making them difficult to ingest, monitor and alert on. Enhanced Session Recording outputs structured logs, which makes it easy to send session data to a SIEM or a centralized logging solution for alerting and monitoring.
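One way to alert on the decode-into-shell pattern from these structured events, as an added example (not Teleport's own code). It assumes the audit log is a stream of JSON objects with the fields shown above and groups by user and login, because the sample events carry no session identifier; SAMPLE_LOG is constructed from those events plus one unrelated session.

```python
import json
from collections import defaultdict

# Constructed sample: the four events shown above plus one unrelated session.
SAMPLE_LOG = '''
{"event":"session.command","path":"/bin/sh","program":"sh","argv":[],"login":"centos","user":"jsmith"}
{"event":"session.command","path":"/bin/base64","program":"base64","argv":["--decode"],"login":"centos","user":"jsmith"}
{"event":"session.command","path":"/bin/ls","program":"ls","argv":["-l"],"login":"root","user":"alice"}
{"event":"session.command","path":"/bin/curl","program":"curl","argv":["http://www.example.com"],
 "return_code":0,"login":"centos","user":"jsmith"}
{"event":"session.network","program":"curl","src_addr":"172.31.43.104","dst_addr":"93.184.216.34",
 "dst_port":80,"login":"centos","user":"jsmith","version":4}
'''
SHELLS = {"sh", "bash", "dash", "zsh"}
DECODE_FLAGS = {"-d", "--decode"}

def iter_events(text):
    """Yield every JSON object in text, whether one per line or pretty-printed."""
    decoder, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos == len(text):
            return
        event, pos = decoder.raw_decode(text, pos)
        yield event

def decode_to_shell_alerts(events):
    """Per (user, login): after a bare shell and a base64 decode, collect later activity."""
    state = defaultdict(lambda: {"shell": False, "decode": False, "commands": [], "connections": []})
    for ev in events:
        s = state[(ev.get("user"), ev.get("login"))]
        armed = s["shell"] and s["decode"]  # both halves of the pipeline already seen
        if ev.get("event") == "session.command":
            prog, argv = ev.get("program", ""), ev.get("argv", [])
            if prog in SHELLS and not argv:  # shell reading its script from stdin
                s["shell"] = True
            elif prog == "base64" and DECODE_FLAGS & set(argv):
                s["decode"] = True
            elif armed:  # a command that the encoded string was hiding
                s["commands"].append(" ".join([prog, *argv]))
        elif ev.get("event") == "session.network" and armed:
            s["connections"].append((ev.get("program"), ev.get("dst_addr"), ev.get("dst_port")))
    return {k: {"commands": s["commands"], "connections": s["connections"]}
            for k, s in state.items() if s["shell"] and s["decode"]}

if __name__ == "__main__":
    print(decode_to_shell_alerts(iter_events(SAMPLE_LOG)))
```

The result is keyed by (user, login), so it can be forwarded to a SIEM as one alert per flagged session owner.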

What magic is this? 🔮

Teleport 4.2 has the ability to capture low-level Linux activity via the magic of Extended BPF. This method was recently popularized for observability by Brendan Gregg at Netflix, who called BPF a ‘New Type of Software’. Many of these new features are available in the 4.19 Linux kernel.

To obtain this new superpower, we require a few things.

  1. All Teleport components should be upgraded to 4.2. We recommend starting with the Auth Server.
  2. Teleport Nodes with the ssh_service enabled should be running the 4.19 Linux Kernel or higher. For a list of compatible distros, see our docs.
  3. BCC tools should be compiled and built on the node.
    Follow instructions per distro here. We plan to use the packaged tools in future releases.
  4. Enhanced Auditing should be turned on from within teleport.yaml.

    # snippet from teleport.yaml
    ssh_service:
      enabled: yes
      enhanced_recording:
        enabled: true

    🎉 Success: It should now be set up. Check /var/lib/teleport/log/. You can now easily alert on and monitor session activity.

👨‍🔬Coming Soon: We’ll have the ability to replay and view the logs in the Teleport UI. Contact [email protected] for early access.

Visit our Enhanced Session Recording documentation to learn more.

Warning: This feature uses cutting-edge software and kernels. Administrators should be comfortable with using new distros and patching kernels. In testing we’ve found that small VMs can’t build the supporting tools needed to compile BCC tools; it often requires 4G+ of RAM.

Role Escalation via a new Workflows API

Role Based Access Control is a cornerstone feature of Teleport Enterprise. It lets administrators define roles for users with a granular level of detail, allowing admins to apply the principle of least privilege. Sometimes the role you have isn’t enough.

Teleport 4.2 lets users request another role and provides a streamlined admin workflow to approve requests.

# User is requesting an escalated DBA Role. 
$ tsh login teleport-cluster --request-roles=dba
Seeking request approval... (id: bc8ca931-fec9-4b15)

# Admins can use tctl to view role escalation requests. 
$ tctl request ls
Token              Requestor Metadata       Created At (UTC)    Status  
------------------ --------- -------------- ------------------- ------- 
bc8ca931-fec9-4b15 alice     roles=dba      07 Nov 19 19:38 UTC PENDING

# An admin can now approve or deny the request.
$ tctl request approve bc8ca931-fec9-4b15

We are currently working on integrations with Jira and Slack to provide approval workflows. If you have a tool we should integrate with, please mail it to [email protected]

Visit our Approval Workflow documentation to learn more.

High Availability Teleport on Google Cloud Platform

Thanks to an external contributor, gh:joshdurbin, Teleport can now be set up in a high availability mode on GCP using Google Firestore and Google Storage. We’ve outlined all of the components needed to run Teleport in HA mode in our new GCP Infrastructure Guide.


Other Updates

There are many other improvements, upgrades, and bug fixes in Teleport 4.2. For full details, visit the Teleport Github Release page: https://github.com/gravitational/teleport/releases/tag/v4.2.0

Upgrading

Minor versions are compatible within major releases, but we do recommend rolling out the upgrade across the whole fleet and updating clients’ tsh libraries as you upgrade. We always recommend backing up your Auth Server and updating it first. Enterprise and Pro customers should be sure to reach out to our support team if they run into any issues.

Bonus.. Invite the whole team to the Gravitational Dashboard.

You can invite additional team members to the Gravitational Dashboard. This can be helpful if you have different people in the organization rolling out Teleport and who require access to the Teleport License or to invite Milton from Accounting.

Try it now.

Download the latest packages from the Gravitational Dashboard (https://dashboard.gravitational.com/web/) or if you are an OSS user, you can download from https://gravitational.com/teleport/download/.
