In this article, we will discuss how to securely record SSH sessions on a Red Hat Enterprise Linux (RHEL) Virtual Server Instance (VSI) in a private Virtual Private Cloud (VPC) network. We will also cover the installation of RHEL packages using Ansible automation and setting up a highly available bastion host.
What is session recording and why is it required?
Session recording is the process of capturing and storing SSH sessions for auditing and compliance purposes. It allows administrators to review user sessions in the event of a security breach or to ensure compliance with regulatory requirements.
What is a private VPC network?
A private VPC network is a virtual private cloud that operates without any public ingress or egress network traffic. It does not have any public gateways on the subnets or floating IPs on the Virtual Server Instances (VSIs).
How do I connect to the private VPC network?
You can connect to the private VPC network using the client-to-site VPN option available on IBM Cloud. This VPN option allows users to connect to IBM Cloud resources through secure, encrypted connections. The client-to-site VPN is highly available with two VPN servers created in different availability zones.
Prerequisites
Before setting up SSH session recording, you need to provision the private VPC network using Terraform and have the necessary access credentials and certificates.
Provisioning the private VPC network using Terraform
To provision the private VPC network, follow these steps:
- Set the Terraform variables for IBM Cloud API key and Secrets Manager certificate CRN.
- Clone the GitHub repository for the private VPC network.
- Run the Terraform commands to provision the VPC resources.
Connect to client-to-site VPN
After the VPC resources are provisioned, you need to download the VPN client profile and connect to the client-to-site VPN using the OpenVPN Client.
Verify the SSH connection
To verify the SSH connection, add the SSH private key to the SSH agent and use the SSH command to connect to the RHEL VSI through the bastion host.
Deploy session recording using Ansible
To deploy the session recording solution, you need to install the necessary packages (tlog, SSSD, cockpit-session-recording) on the RHEL VSI using Ansible automation. Run the Ansible playbook to install the packages.
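A sketch of what such a playbook can look like, as an added example rather than the article's own playbook. The inventory group `rhel_vsi` and the `scope = all` recording policy are assumptions, and the host is assumed to already have a working SSSD setup in its NSS/PAM stack.

```yaml
---
# Added example: not the playbook from the article's repository.
- name: Enable SSH session recording on the RHEL VSI
  hosts: rhel_vsi            # assumed inventory group name
  become: true

  tasks:
    - name: Install the session recording packages named in the article
      ansible.builtin.dnf:
        name:
          - tlog
          - sssd
          - cockpit-session-recording
        state: present

    # SSSD decides which sessions are handed to tlog.
    # Assumption: record every user; narrow this with scope = some
    # plus users=/groups= if only privileged accounts must be recorded.
    - name: Set the SSSD session recording scope
      ansible.builtin.copy:
        dest: /etc/sssd/conf.d/sssd-session-recording.conf
        owner: root
        group: root
        mode: "0600"         # SSSD ignores config snippets with looser permissions
        content: |
          [session_recording]
          scope = all
      notify: Restart sssd

    - name: Start SSSD and the web console socket now and at boot
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: true
        state: started
      loop:
        - sssd
        - cockpit.socket     # serves the web console on port 9090

  handlers:
    - name: Restart sssd
      ansible.builtin.service:
        name: sssd
        state: restarted
```

Installing the packages alone does not record anything; recording starts only once SSSD has a scope other than `none`, which is why the example sets it explicitly.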
Check the session recordings, logs and reports
To check the session recordings, logs, and reports, access the web console using the machine name or private IP over port 9090. Navigate to the Session Recording section to view the list of session recordings and other information.
Conclusion
SSH session recording is crucial for auditing and compliance on bastion hosts. In this article, we discussed how to securely record SSH sessions on RHEL in a private VPC network using built-in packages and Ansible automation. We also covered the provisioning of the private VPC network using Terraform and the setup of a highly available bastion host.
FAQs
What is a bastion host?
A bastion host is a security mechanism used in network and server environments to control and enhance security when connecting to remote systems. It acts as an intermediary between public traffic and the private network, passing SSH requests to downstream machines. However, bastion hosts are vulnerable to intrusion because they are exposed to public traffic.
Why is session recording important?
Session recording is important for auditing and compliance purposes. It allows administrators to audit user SSH sessions and ensure they comply with regulatory requirements. In the event of a security breach, session recording helps analyze user sessions for investigation and remediation.
How can I access the session recordings and other information?
To access the session recordings, logs, diagnostic reports, and other information, you can use the web console. The web console can be accessed using the machine name or private IP over port 9090. You will need the root password to log in.