Recording SSH Sessions
There are times when it’s not enough to have metadata of what somebody did in an SSH session. Finding the root cause of an issue by sorting through audit logs takes time and doesn’t guarantee you’ll figure out exactly what went wrong. It’s like looking at footprints to figure out what someone did and where they went. This is where full recording of SSH sessions becomes indispensable.
Privileged session recording, or SSH session recording, means recording the user’s actual screen during their SSH session for real-time or later playback. If audit logging is akin to tracking footprints to learn what someone did, session recording is like having security surveillance that you can watch live or replay later.
Analysts and research companies advise security and infrastructure leaders to deploy SSH session recording solutions as soon as possible for the following reasons:
Secure low-level root infrastructure. Having video recording of raw shell sessions, in addition to logs and metadata, helps find the root cause of alerts and issues so they can be fixed faster. Live session viewing lets you watch SSH sessions and stop suspicious or wrongful activity in its tracks.
Meet security compliance requirements. Some organizations are beginning to require that all privileged (SSH) sessions not only be logged but also recorded, along with metadata that proves precisely which employee viewed what data. Capturing forensic-level detail of low-level access to infrastructure has even become a key ingredient to legally processing end-user data like cookies or web server logs.
Reduce operational overhead. When something goes wrong in the system, it’s not always because of a security issue. More often than not, it’s caused by a mistake by someone on the team. Finding out who caused it and what exactly went wrong is easy when you can just watch a video of the session in question. And recording SSH sessions, even sessions coming from SSH-integrated tools like database interfaces or integrated development environments, can be easily done.
Training and knowledge sharing. New engineers can watch replays of live SSH sessions to learn faster, make fewer mistakes and more quickly gain the confidence of their peers and senior leads.
Further visibility. If you’re responsible for the organization’s engineering infrastructure, you just want to see who’s running SSH sessions and what they’re doing, beyond what is in the logs and what people tell you.
Sharing Session Activity in Real Time
Beyond replaying SSH sessions, there are good reasons to be able to view and share SSH sessions in real time. From a security perspective, you can watch suspicious activity and stop it in its tracks, or shadow individuals as they perform sensitive work on secure servers — the “four eyes” principle. From a collaboration and training perspective, you can invite a team member to a live SSH session so you can troubleshoot a problem together or conduct training.
Recording SSH sessions is painless with Teleport
Complete session logging and recording, including metadata and user identities, across entire clusters. Keep the full recordings of all interactive SSH sessions within any region or datacenter topology, from spot instances on modern clouds to old servers buried in phone closets. Teleport automatically records and stores all SSH sessions on the nearest bastion or “admin box” without requiring complicated client configuration. Recorded sessions can be replayed via the command line interface or the web-based player.
Separation between the privileged session and its recording. The session recording is encrypted, compressed and stored in a separate server from where the privileged session occurred, so it can’t be tampered with.
Real-time session monitoring and sharing. Invite others to watch your SSH session by entering a URL in their browser or a session ID in their terminal. View documentation for sharing SSH sessions.