URL: https://dzone.com/articles/deploy-a-session-recording-solution-using-ansible

Deploy a Session Recording Solution Using Ansible and Audit Your Bastion Host

Learn how to record SSH sessions on a Red Hat Enterprise Linux virtual server instance (VSI) using packages that ship with RHEL. The packages are installed through Ansible automation.

Learn how to record SSH sessions on a RHEL VSI in a private VPC network using packages that ship with RHEL. The private VPC network is provisioned with Terraform, and the packages are installed with Ansible.

What Is Session Recording and Why Is It Required?

As noted in "Securely record SSH sessions on RHEL in a private VPC network," a bastion host and a jump server are both controls used to mediate administrative access to systems in a private network. They serve similar purposes but differ in implementation and use case. The bastion host sits in front of the private network, accepts SSH connections from the public internet, and forwards them to the downstream machines. Because bastion hosts and jump servers are the one part of the environment that is deliberately exposed to public traffic, they are the first thing an intruder will probe, and every interactive session that passes through them is worth recording.

Session recording lets the administrator of a system audit user SSH sessions and meet regulatory requirements. After a security breach, you as an administrator will want to replay and analyze exactly what each user did during their sessions. For a security-sensitive system this is critical.

Before deploying the session recording solution, provision a private VPC network by following the instructions in the article "Architecting a Completely Private VPC Network and Automating the Deployment." If you plan to use your own VPC infrastructure instead, attach a floating IP to the virtual server instance and a public gateway to each of the subnets, and allow inbound traffic from the public internet (at minimum SSH to the bastion).

Deploy Session Recording Using Ansible

To deploy the session recording solution, the following packages must be installed on the RHEL VSI:

  • tlog
  • SSSD
  • cockpit-session-recording

Ansible installs the packages on every VSI, both the bastion hosts and the private RHEL VSI; the exact list each group receives comes from the packages variable in the inventory shown below.

  1. If you haven't done so yet, clone the GitHub repository and move to its Ansible folder.

Shell
git clone https://github.com/VidyasagarMSC/private-vpc-network
cd private-vpc-network/ansible


  2. Create hosts.ini from the template file.

Shell
cp hosts_template.ini hosts.ini


Update the hosts.ini entries with the IP addresses of your VPC. In the servers group, replace <BASTION_IP> with the bastion address that your Ansible control machine can reach; it is a placeholder here because the value depends on your deployment.

Plain Text
[bastions]
10.10.0.13
10.10.65.13

[servers]
10.10.128.13


[bastions:vars]
ansible_port=22
ansible_user=root
ansible_ssh_private_key_file=/Users/vmac/.ssh/ssh_vpc
packages="['tlog','cockpit-session-recording','systemd-journal-remote']"

[servers:vars]
ansible_port=22
ansible_user=root
ansible_ssh_private_key_file=/Users/vmac/.ssh/ssh_vpc
; <BASTION_IP> is a placeholder: the bastion address reachable from your control machine
ansible_ssh_common_args='-J root@<BASTION_IP>'
packages="['tlog','cockpit-session-recording','systemd-journal-remote']"

Both groups log in as root with the same private key. That is acceptable for a lab but not for an internet-facing bastion: create a dedicated automation user with sudo, set PermitRootLogin no in sshd_config, and have people log in under their own accounts, otherwise every recording shows "root" and the audit trail cannot tell users apart.


  3. Run the Ansible playbook to install the packages from an IBM Cloud private mirror/repository.

Shell
ansible-playbook main_playbook.yml -i hosts.ini --flush-cache
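
The inventory above is easy to get subtly wrong: a [servers] entry without a ProxyJump makes Ansible dial a private address directly, a forgotten package name leaves a host unrecorded, and a left-over placeholder only fails once the play is already running. The following Python script is added here as an example and is not part of the article's repository. It parses a hosts.ini in the layout shown and reports those problems before you run the playbook. The sample inventory embedded in it is constructed for the demo, <BASTION_IP> is a placeholder rather than a real host, and the set of packages it insists on (tlog and cockpit-session-recording) is my reading of the package list above.

```python
"""Pre-flight checks for the Ansible inventory used in this procedure.

Added example, not part of the article's repository. It parses a hosts.ini in
the layout shown above and reports the mistakes that most often turn a session
recording rollout into a silent no-op or a weaker bastion. The sample inventory
at the bottom is constructed for the demo and <BASTION_IP> is a placeholder.
"""
import ast
import configparser
import re
from typing import List

# Packages the recording depends on: tlog does the recording and
# cockpit-session-recording exposes the recordings in the web console.
# (Assumption: the rest of the list in the inventory is optional here.)
REQUIRED_PACKAGES = {"tlog", "cockpit-session-recording"}

# "-J [user@]host" as accepted by ssh; the host may still be a placeholder.
PROXYJUMP_RE = re.compile(r"-J\s+(?:(?P<user>[^@\s]+)@)?(?P<host>[^\s,]+)")


def parse_inventory(text: str) -> configparser.ConfigParser:
    """Parse an INI-style inventory; host lines become keys with no value."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   delimiters=("=",))
    cp.optionxform = str          # keep the case of host and variable names
    cp.read_string(text)
    return cp


def unquote(raw: str) -> str:
    """Strip the surrounding quotes Ansible allows around inventory values."""
    return raw.strip().strip("\"'")


def package_list(raw: str) -> List[str]:
    """Turn packages="['tlog','x']" (a quoted Python list literal) into a list."""
    return list(ast.literal_eval(unquote(raw)))


def check_inventory(text: str) -> List[str]:
    """Return findings for the inventory; an empty list means it looks sane."""
    cp = parse_inventory(text)
    findings: List[str] = []
    for group in ("bastions", "servers"):
        if not cp.has_section(group) or not list(cp[group]):
            findings.append(f"no hosts in [{group}]")
        vars_section = f"{group}:vars"
        if not cp.has_section(vars_section):
            findings.append(f"missing [{vars_section}]")
            continue
        v = cp[vars_section]
        if v.get("ansible_user") == "root":
            findings.append(f"{group}: ansible_user=root; prefer an unprivileged user with sudo")
        missing = REQUIRED_PACKAGES - set(package_list(v.get("packages") or "[]"))
        if missing:
            findings.append(f"{group}: packages lacks {sorted(missing)}")
        if group == "servers":
            # Private hosts are only reachable through the bastion, so the
            # servers group must carry a ProxyJump.
            m = PROXYJUMP_RE.search(unquote(v.get("ansible_ssh_common_args") or ""))
            if m is None:
                findings.append("servers: no -J ProxyJump; Ansible would dial private addresses directly")
            elif m.group("host").startswith("<"):
                findings.append(f"servers: ProxyJump host is still a placeholder: {m.group('host')}")
    return findings


# Constructed sample in the layout of the article's hosts.ini.
SAMPLE_INVENTORY = """\
[bastions]
10.10.0.13
10.10.65.13

[servers]
10.10.128.13

[bastions:vars]
ansible_port=22
ansible_user=root
ansible_ssh_private_key_file=/Users/vmac/.ssh/ssh_vpc
packages="['tlog','cockpit-session-recording','systemd-journal-remote']"

[servers:vars]
ansible_port=22
ansible_user=root
ansible_ssh_private_key_file=/Users/vmac/.ssh/ssh_vpc
; <BASTION_IP> is a placeholder for the bastion address your control machine can reach
ansible_ssh_common_args='-J root@<BASTION_IP>'
packages="['tlog','cockpit-session-recording','systemd-journal-remote']"
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INVENTORY
    for finding in check_inventory(text) or ["inventory looks sane"]:
        print(finding)
```

Run it as python3 check_inventory.py hosts.ini before step 3; with no argument it checks the embedded sample, which reports the root logins and the unfilled placeholder. The script deliberately does not require the jump host to appear in [bastions], because the address you jump through is normally the bastion's floating IP rather than the private address listed there.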


Running Ansible playbooks

Once the playbook has finished, SSH into the RHEL machine: as the image shows, the login banner now states that the current session is being recorded.

Check the Session Recordings, Logs, and Reports

If you read the messages printed after the SSH login closely, you will see a URL for the web console, which is reachable over port 9090 using the machine name or its private IP. To allow traffic on port 9090, change the value of the allow_port_9090 variable in the Terraform code to true and run terraform apply; the apply adds the ACL and security group rules that permit traffic on port 9090. It is worth restricting the source of those rules to the addresses your administrators connect from, since the console gives full administrative control of the host.

  1. Open a browser and navigate to http://10.10.128.13:9090 . Cockpit serves the console over TLS on port 9090 and redirects the plain-HTTP request, so expect a browser warning about its self-signed certificate unless you have installed your own. To access the console by VSI name you need to set up a private DNS (out of scope for this article). Log in with the root password.

    RHEL web console

  2. Navigate to Session Recording to see the list of recorded sessions and play any of them back. Alongside the recordings, the console also gives you the system logs and diagnostic reports.

Session recording on the Web console
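
The web console is the convenient way to browse recordings, but after an incident you usually want to search every session at once rather than replay them one by one. tlog stores a recorded session as a stream of JSON objects, one per chunk of terminal I/O, written to journald on the hosts deployed above (or to a file if the file writer is configured), so the recordings can be audited offline. The following Python script is an added example, not code from the article or from tlog itself: it groups those objects per recording, rebuilds the command lines the user typed by applying backspaces and splitting on Enter, and reports lines that match a watch-list. The JSON records embedded in it are constructed for the demo and the watch-list is my assumption; the field names it relies on (host, rec, user, id, in_txt) are those of tlog's JSON message format.

```python
"""Offline audit of tlog session recordings (added example, not tlog code)."""
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Command lines an auditor would want to review on a bastion.
# Assumption: this watch-list is illustrative; tune it for your environment.
WATCH_PATTERNS = [
    re.compile(r"^\s*sudo\b"),
    re.compile(r"\bpasswd\b"),
    re.compile(r"\b(useradd|usermod|userdel)\b"),
    re.compile(r"\bchmod\s+(777|a\+rwx)\b"),
    re.compile(r"\|\s*(ba)?sh\b"),                    # "curl ... | sh" patterns
    re.compile(r"/etc/(sudoers|ssh/sshd_config)\b"),
]

BACKSPACE = {"\x7f", "\x08"}   # DEL and BS as sent by most terminals
ENTER = {"\r", "\n"}


def load_records(lines: Iterable[str]) -> Dict[str, List[dict]]:
    """Group tlog JSON objects by recording ("host/rec"), ordered by chunk id.

    Lines that are not tlog messages (for example other journald entries in a
    journalctl -o json export) are skipped; tlog messages always carry
    'rec' (recording id) and 'id' (chunk sequence number).
    """
    recordings: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if "rec" not in obj or "id" not in obj:
            continue
        recordings[f"{obj.get('host', '?')}/{obj['rec']}"].append(obj)
    for chunks in recordings.values():
        chunks.sort(key=lambda c: c["id"])   # chunks may arrive out of order
    return dict(recordings)


def typed_lines(chunks: List[dict]) -> List[str]:
    """Rebuild the command lines the user entered from the in_txt stream.

    tlog captures raw keystrokes, so backspaces are applied and the stream is
    split on Enter. Other control sequences (arrow keys, tab completion) are
    kept verbatim: this is a reviewable approximation, not a terminal emulator.
    """
    buf: List[str] = []
    lines: List[str] = []
    for chunk in chunks:
        for ch in chunk.get("in_txt", ""):
            if ch in BACKSPACE:
                if buf:
                    buf.pop()
            elif ch in ENTER:
                lines.append("".join(buf))
                buf = []
            else:
                buf.append(ch)
    if buf:                      # unfinished line when the session ended
        lines.append("".join(buf))
    return lines


def audit(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (recording, user, command) for every typed line on the watch-list."""
    hits: List[Tuple[str, str, str]] = []
    for rec_id, chunks in load_records(lines).items():
        user = chunks[0].get("user", "?")
        for cmd in typed_lines(chunks):
            if any(p.search(cmd) for p in WATCH_PATTERNS):
                hits.append((rec_id, user, cmd))
    return hits


def _msg(host, rec, user, chunk_id, pos, in_txt, out_txt=""):
    """Build one tlog-style JSON message (constructed sample data).

    'timing' is part of the real format but is not used by this audit.
    """
    return json.dumps({"ver": "2.3", "host": host, "rec": rec, "user": user,
                       "term": "xterm-256color", "session": 4, "id": chunk_id,
                       "pos": pos, "timing": "=80x24", "in_txt": in_txt,
                       "in_bin": [], "out_txt": out_txt, "out_bin": []})


# Constructed sample: two sessions on bastion-1, chunks deliberately out of
# order, plus one unrelated journald entry that must be ignored.
SAMPLE_JSONL = "\n".join([
    _msg("bastion-1", "a1b2", "alice", 2, 1500, "sudo -o\x7fi\r", "# "),
    _msg("bastion-1", "a1b2", "alice", 1, 0, "ls\r", "bin  etc  home\r\n$ "),
    json.dumps({"MESSAGE": "Accepted publickey for alice", "_COMM": "sshd"}),
    _msg("bastion-1", "c3d4", "bob", 1, 0, "pwd\r", "/home/bob\r\n$ "),
    _msg("bastion-1", "c3d4", "bob", 2, 900, "cat /etc/ssh/sshd_config\r"),
])

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_JSONL.splitlines()
    for rec_id, user, cmd in audit(source):
        print(f"{rec_id}\t{user}\t{cmd!r}")
```

With no argument the script audits the embedded sample and reports alice's sudo -i (typed with a corrected typo) and bob's read of sshd_config. To run it on real data, export the tlog entries from journald with journalctl -o json, filtered on the TLOG_REC or TLOG_USER fields tlog adds to its entries, extract the MESSAGE field of each line (it holds the JSON object), and pass the resulting file as the argument.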
