
I was hoping to get some help with an approach that could be used...

I am building out a solution that will use SSH-CA (that is, SSH where authentication is done via certificates).

Flow is simple:

1) User generates key pair

2) Authenticates with HSM and gets public key signed

3) SSH server validates signature and cert and allows access

(there are extra bits, but this is basically it).

Here's my problem: I can monitor the cert requests and the SSH interactions, but how do I monitor the actions of a user?

As this is for DevOps staff, they need root, so mostly folks will all be logged in to the SSH session as root.

I still need to tie commands issued to actual staff names or IDs.

Any smart ideas?

I thought of using:

  • Exploiting LD_PRELOAD to provide a rudimentary bread-crumb trail.

  • Usage of multiple certificate authorities, one per user.

  • Usage of UNIX groups, employing groups of groups.

But they're all icky solutions.

Woodstock
  • Use `auditd` for this. See https://serverfault.com/questions/470755/log-all-commands-run-by-admins-on-production-servers/475134#475134 – fuero Apr 06 '20 at 11:57
  • Thanks @fuero, wouldn't this require an additional CA per user? Also one last item, would this cover a context switch, i.e. a user logs in as X but then does su? – Woodstock Apr 06 '20 at 13:07

1 Answer


I'll make this an answer :-)

For auditing commands issued by users (even after they switch to other uids with su or sudo) you need auditd.

You may find details on how to set it up, how to interpret the logs and caveats here.

fuero
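As an added example (not code from the question, the answer, or the linked post), the script below shows the property the answer relies on: every `SYSCALL`/`EXECVE` pair that auditd writes carries `auid`, the login uid set at authentication time, and that value survives `su` and `sudo`, so a command executed as `uid=0` is still attributed to the person who logged in. It parses a few constructed audit records (including one hex-encoded argument, which auditd emits for arguments containing spaces or quotes, and one daemon event with no login uid), joins the records by event serial, and groups the commands by login identity. It also parses a constructed sshd log line for a certificate-based login, because in the question's setup everyone authenticates directly as `root`: there `auid` is `0` for every session, and the certificate key ID that sshd logs on `Accepted publickey` is the only per-person handle, which has to be correlated with the audit session (`ses`) by pid or timestamp. The log lines, uid-to-name map and field formats are assumptions made for the example.

```python
import re
from collections import defaultdict

# auditd writes this value when no login uid was ever set (daemons, cron jobs).
AUID_UNSET = 4294967295

# Constructed sample records (not from the original page). Events 501 and 502
# belong to one SSH session (ses=7) of login uid 1001, who ran "sudo -i" and
# then copied a file as uid 0. Event 503 comes from a daemon with no login uid.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1586174400.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="sudo" exe="/usr/bin/sudo" key="cmds"
type=EXECVE msg=audit(1586174400.101:501): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1586174400.250:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2102 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="cp" exe="/usr/bin/cp" key="cmds"
type=EXECVE msg=audit(1586174400.250:502): argc=3 a0="cp" a1="/etc/shadow" a2=2F746D702F6D792066696C65
type=SYSCALL msg=audit(1586174401.000:503): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="cmds"
type=EXECVE msg=audit(1586174401.000:503): argc=1 a0="logrotate"
"""

# Constructed sshd line for a certificate login, modelled on OpenSSH's
# "Accepted publickey ... ID <key id> (serial <n>) CA ..." message.
SAMPLE_SSHD_LINE = ("Apr  6 11:57:01 bastion sshd[2099]: Accepted publickey for root "
                    "from 192.0.2.10 port 51234 ssh2: ED25519-CERT SHA256:c0ffee "
                    "ID alice@example.com (serial 42) CA ED25519 SHA256:deadbeef")

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): ?(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX_RE = re.compile(r'^[0-9A-Fa-f]+$')
ARG_KEY_RE = re.compile(r'^a\d+$')
SSHD_CERT_RE = re.compile(r'sshd\[(?P<pid>\d+)\]: Accepted publickey for (?P<user>\S+) from (?P<src>\S+) '
                          r'port \d+ ssh2: (?P<ktype>\S+-CERT) \S+ ID (?P<key_id>.+?) \(serial (?P<serial>\d+)\) CA ')


def _decode_hex_arg(value):
    """auditd hex-encodes an EXECVE argument (no quotes) when it contains
    spaces, quotes or control bytes; decode it back to text."""
    if HEX_RE.match(value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_audit_records(text):
    """Split raw audit.log text into records: type, timestamp, serial, fields."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record; ignore
        fields = {}
        for key, raw, quoted in FIELD_RE.findall(m.group("body")):
            if raw.startswith('"'):
                fields[key] = quoted
            elif m.group("type") == "EXECVE" and ARG_KEY_RE.match(key):
                fields[key] = _decode_hex_arg(raw)
            else:
                fields[key] = raw
        records.append({"type": m.group("type"), "ts": float(m.group("ts")),
                        "serial": int(m.group("serial")), "fields": fields})
    return records


def build_exec_events(records):
    """Join the SYSCALL and EXECVE records of each event (same serial) into
    one command execution with its login uid, effective uid and session."""
    by_serial = defaultdict(dict)
    for rec in records:
        by_serial[rec["serial"]][rec["type"]] = rec
    events = []
    for serial in sorted(by_serial):
        parts = by_serial[serial]
        if "SYSCALL" not in parts or "EXECVE" not in parts:
            continue  # not a complete execve event
        sc, ex = parts["SYSCALL"]["fields"], parts["EXECVE"]["fields"]
        argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0))) if f"a{i}" in ex]
        events.append({"serial": serial, "ts": parts["SYSCALL"]["ts"],
                       "auid": int(sc["auid"]), "uid": int(sc["uid"]),
                       "ses": sc.get("ses"), "pid": int(sc["pid"]), "argv": argv})
    return events


def attribute_commands(events, uid_to_name):
    """Group executed commands by the login identity (auid), which persists
    across su/sudo, so uid=0 commands still land under the real person."""
    trail = defaultdict(list)
    for ev in events:
        if ev["auid"] == AUID_UNSET:
            who = "<no login uid>"
        else:
            who = uid_to_name.get(ev["auid"], f"uid:{ev['auid']}")
        trail[who].append({"ts": ev["ts"], "as_uid": ev["uid"], "ses": ev["ses"],
                           "cmd": " ".join(ev["argv"])})
    return dict(trail)


def parse_sshd_cert_accept(line):
    """Extract the certificate key ID and serial from sshd's accept message;
    for direct root logins this is the only per-person identity available."""
    m = SSHD_CERT_RE.search(line)
    if not m:
        return None
    return {"sshd_pid": int(m["pid"]), "login_user": m["user"], "src": m["src"],
            "key_id": m["key_id"], "cert_serial": int(m["serial"])}


if __name__ == "__main__":
    login = parse_sshd_cert_accept(SAMPLE_SSHD_LINE)
    print(f"login as {login['login_user']} with cert ID {login['key_id']} (serial {login['cert_serial']})")
    trail = attribute_commands(build_exec_events(parse_audit_records(SAMPLE_AUDIT_LOG)), {1001: "alice"})
    for who, cmds in trail.items():
        for c in cmds:
            print(f"{who:16} ses={c['ses']:<10} uid={c['as_uid']:<5} {c['cmd']}")
```

The audit records above are only produced once a rule such as `-a always,exit -F arch=b64 -S execve -k cmds` is loaded, which is what the linked Server Fault post sets up; the `key="cmds"` field in the sample is that rule's key.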