1

I have a virtual machine running (currently using VirtualBox, but this is flexible), which users ssh into. I would like to log the actions the users take in the terminal, but do it from outside the VM. Is this feasible? Do I need to use a different hypervisor?

  • Have you thought about enabling auditing within the VM, but set it up to log to a 'remote' system which is another VM or something the users do not have access to? Sure they could disable auditing, but you might be able to watch for that. – Zoredache Nov 17 '14 at 23:37

1 Answer

2

I'm not aware of any hypervisor that has functionality like this, and even if they did, you're talking about trying to capture the interactions of a protocol that's designed with security in mind.

It sounds like you're using a *nix-based OS, which makes me think you'd get a lot of mileage out of OS-integrated monitoring and auditing tools (which have a long and rich heritage) as opposed to trying to roll something one-off yourself. What's your aversion to using monitoring tools within the VM?

If you can't do that, you should think about terminating the SSH connections on a dedicated monitoring VM, and using a less security-oriented protocol for the communication between that monitoring VM and the VM where you want logging to occur. (Obviously, you're creating a potential security concern by doing this, so you'd want to proceed with all due caution.)

Evan Anderson
  • My aversion is that this VM is designed for users to get root access on, so doing anything on the OS level is subject to users deleting or tampering with the logs. I do like the solution with forwarding though. Thanks! – Davis Yoshida Nov 17 '14 at 22:37
  • @DavisYoshida - Yeah-- in that case I think you're stuck. If the user has root then you're pretty much going to have to do something outside the VM. A jump box with some kind of monitoring solution is probably the answer. Limiting access to the monitored VM (including limiting access to side channels) may be very important, depending on exactly what you're protecting. – Evan Anderson Nov 17 '14 at 22:42
  • This is fairly low stakes. The worst case scenario is I have to spin up a new VPS. – Davis Yoshida Nov 18 '14 at 00:50
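
One way to build the jump box suggested in the answer and its comments, as an added example that is not part of the original thread: a `ForceCommand` wrapper that records each session on the jump box and then connects onward to the VM. The wrapper path, the `monitored` group, the host name and the log directory are hypothetical, and it assumes util-linux `script(1)` and a VM that accepts SSH only from the jump box.

```shell
#!/bin/sh
# Added example: ForceCommand wrapper for a jump box (hypothetical path
# /usr/local/bin/record-session). Assumed sshd_config on the jump box:
#   Match Group monitored
#       ForceCommand /usr/local/bin/record-session
#       AllowTcpForwarding no
# Assumes util-linux script(1); host name and log directory are placeholders.

TARGET_HOST="${TARGET_HOST:-target-vm.example.internal}"
LOG_DIR="${LOG_DIR:-/var/log/ssh-sessions}"

# Accept only conservative account names, because the name ends up inside
# a command string and a file path.
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_-]*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# One transcript per session: <dir>/<user>/<UTC timestamp>-<pid>.log
session_log_path() {
    printf '%s/%s/%s-%s.log\n' "$LOG_DIR" "$1" "$2" "$3"
}

# Command that script(1) runs inside the recorded pty. "-e none" disables
# the ssh escape character so "~" sequences cannot suspend the client.
target_command() {
    printf 'ssh -e none -t %s@%s\n' "$1" "$TARGET_HOST"
}

record_session() {
    user=$(id -un)
    valid_user "$user" || { echo "refused: bad user name" >&2; return 1; }
    # ForceCommand replaces whatever the client asked to run; refuse such
    # requests instead of splicing client-supplied text into a shell command.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "refused: interactive sessions only" >&2
        return 1
    fi
    log=$(session_log_path "$user" "$(date -u +%Y%m%dT%H%M%SZ)" "$$")
    mkdir -p "$(dirname "$log")" || return 1
    exec script -q -f -c "$(target_command "$user")" "$log"
}

# sshd sets SSH_CONNECTION for real logins; sourcing the file does nothing.
if [ -n "${SSH_CONNECTION:-}" ]; then
    record_session
fi
```

The transcript holds what the terminal displayed, so input that is never echoed (such as a password prompt) is not captured, and it stays on the jump box, outside the VM where users have root.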