Introduction
This article explains how to enable SSH session recording on an HCP Boundary cluster (Plus tier or Enterprise is required).
SSH session recording lets administrators record every SSH session brokered through Boundary and play it back to see exactly which commands and actions each user executed. Knowing that sessions are recorded deters questionable or malicious activity, and during a security incident the recordings support analysis of the origin, scope, and impact of the activity and speed up remediation.
More information about the feature is available here:
Session Recording and Audit Logs
Boundary 0.13 Introduces SSH Session Recording Boundary Enterprise and More
Prerequisites
HCP-managed workers do not support session recording. You must deploy a self-managed worker that has a recording_storage_path configured, as in the example below.
An example configuration file for a session recording worker:
disable_mlock = true
hcp_boundary_cluster_id = "<cluster_id>"
listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}
worker {
  public_addr = "<public_addr>"
  auth_storage_path = "<auth_storage_path>"
  tags {
    type = ["<tag>", "<tag1>"]
  }
  recording_storage_path = "<recording_storage_path>"
}
- <cluster_id> must be replaced with the HCP Boundary cluster ID, for example 1a2b3c4c5-1a2b3c-4a5b6c-7713-1a3bc5. It is the first label of the cluster URL (https://1a2b3c4c5-1a2b3c-4a5b6c-7713-1a3bc5.boundary.hashicorp.cloud).
- <public_addr> must be the public IP address or DNS name at which clients can reach the self-managed worker instance. The listener binds 0.0.0.0, but public_addr must be a routable address, not 0.0.0.0 or a loopback address.
- <auth_storage_path> is a local directory where the worker stores its PKI credentials. It must not be shared between workers, and it should be readable only by the account the worker runs as.
- <tag> and <tag1> are values of the type tag. Boundary worker tags are key-value pairs used in worker filters: targets use them to decide which workers route their connections, and the storage bucket created later uses them to select which workers may write recordings.
- <recording_storage_path> is a local directory for in-progress session recordings. When a session closes, the recording is moved to the remote storage bucket and deleted locally: https://developer.hashicorp.com/boundary/docs/configuration/worker/pki-worker#session-recording-hcp-ent
Here is the same configuration with example values filled in:
disable_mlock = true
hcp_boundary_cluster_id = "1a2b3c4c5-1a2b3c-4a5b6c-7713-1a3bc5"
listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}
worker {
  public_addr = "1.2.3.4"
  auth_storage_path = "/home/ubuntu/boundary/worker-hcp-boundary/worker1"
  tags {
    type = ["worker", "worker-session-recording"]
  }
  recording_storage_path = "/home/ubuntu/boundary/worker-hcp-boundary/recordings"
}
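The following preflight script is an added example and is not part of this article or of Boundary's own tooling. It checks a worker configuration file against the requirements listed above before you start the worker: no template placeholders left unreplaced, a cluster ID that matches the one in the cluster URL, a client-reachable public_addr, and distinct, owner-only storage directories for PKI credentials and in-progress recordings. The function names, the minimal HCL reader, and the sample configuration it writes to a temporary directory are all constructed for this example.

```shell
#!/bin/sh
# Preflight check for a self-managed Boundary session-recording worker config.
# Added example: not part of the original article and not Boundary's own
# tooling. It encodes only the requirements stated in the article: every
# <placeholder> replaced, the cluster ID taken from the cluster URL, a
# routable public_addr, and separate local paths for PKI credentials and
# in-progress recordings.

# Print the cluster ID embedded in an HCP Boundary cluster URL such as
# https://1a2b3c4c5-1a2b3c-4a5b6c-7713-1a3bc5.boundary.hashicorp.cloud
# Returns 1 if the URL does not look like an HCP Boundary cluster URL.
cluster_id_from_url() {
  id=$(printf '%s\n' "$1" |
    sed -nE 's#^https?://([^./]+)\.boundary\.hashicorp\.cloud(/.*)?$#\1#p')
  [ -n "$id" ] || return 1
  printf '%s\n' "$id"
}

# Read the string value of a `key = "value"` line from an HCL file (first
# match wins). Sufficient for the flat config above; not a full HCL parser.
hcl_string() {
  sed -nE "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"([^\"]*)\".*/\1/p" "$2" | head -n 1
}

# Warn when a storage directory is group- or world-accessible. Both paths hold
# secrets (worker PKI material, recordings not yet uploaded). Parses `ls -ld`
# because stat(1) flags differ between GNU and BSD.
warn_if_shared_perms() {
  [ -d "$1" ] || return 0
  mode=$(ls -ld "$1" | cut -c5-10)
  [ "$mode" = "------" ] || echo "WARN: $1 is accessible beyond its owner (group/other bits: $mode); chmod 700 recommended" >&2
}

# Validate a worker config file. Usage: check_worker_config FILE [CLUSTER_URL]
# Prints each problem to stderr; returns 1 if any was found, 0 otherwise.
check_worker_config() {
  cfg=$1; url=$2; rc=0
  [ -r "$cfg" ] || { echo "ERR: cannot read $cfg" >&2; return 1; }

  # 1. Template placeholders such as "<cluster_id>" must all be replaced.
  if grep -Eq '<[A-Za-z0-9_]+>' "$cfg"; then
    echo "ERR: unreplaced <placeholder> values remain in $cfg" >&2; rc=1
  fi

  # 2. Cluster ID must be present and, if a cluster URL is given, match it.
  cluster_id=$(hcl_string hcp_boundary_cluster_id "$cfg")
  [ -n "$cluster_id" ] || { echo "ERR: hcp_boundary_cluster_id is missing" >&2; rc=1; }
  if [ -n "$url" ]; then
    url_id=$(cluster_id_from_url "$url") || url_id=""
    [ "$url_id" = "$cluster_id" ] || { echo "ERR: hcp_boundary_cluster_id does not match $url" >&2; rc=1; }
  fi

  # 3. public_addr must be reachable by clients; the listener may bind 0.0.0.0
  #    but an unspecified or loopback public_addr is wrong.
  public_addr=$(hcl_string public_addr "$cfg")
  case "$public_addr" in
    ""|0.0.0.0*|127.*|localhost*) echo "ERR: public_addr '$public_addr' is not a client-reachable address" >&2; rc=1 ;;
  esac

  # 4. Storage paths: both set, distinct from each other, owner-only access.
  auth_path=$(hcl_string auth_storage_path "$cfg")
  rec_path=$(hcl_string recording_storage_path "$cfg")
  [ -n "$auth_path" ] || { echo "ERR: auth_storage_path is missing" >&2; rc=1; }
  [ -n "$rec_path" ] || { echo "ERR: recording_storage_path is missing (required for session recording)" >&2; rc=1; }
  if [ -n "$auth_path" ] && [ "$auth_path" = "$rec_path" ]; then
    echo "ERR: auth_storage_path and recording_storage_path must be different directories" >&2; rc=1
  fi
  for p in "$auth_path" "$rec_path"; do warn_if_shared_perms "$p"; done
  return $rc
}

# Demo on a constructed copy of the filled-in example above, written to a
# temporary directory so the script runs stand-alone.
demo() {
  d=$(mktemp -d) || return 1
  mkdir -m 0700 "$d/worker1" "$d/recordings"
  cat > "$d/worker.hcl" <<EOF
disable_mlock = true
hcp_boundary_cluster_id = "1a2b3c4c5-1a2b3c-4a5b6c-7713-1a3bc5"
listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}
worker {
  public_addr = "1.2.3.4"
  auth_storage_path = "$d/worker1"
  tags {
    type = ["worker", "worker-session-recording"]
  }
  recording_storage_path = "$d/recordings"
}
EOF
  check_worker_config "$d/worker.hcl" https://1a2b3c4c5-1a2b3c-4a5b6c-7713-1a3bc5.boundary.hashicorp.cloud \
    && echo "OK: $d/worker.hcl passes preflight"
  rm -rf "$d"
}

demo
```

Run it against your real file with `check_worker_config /path/to/worker.hcl https://<your-cluster-id>.boundary.hashicorp.cloud` before starting the worker with `boundary server -config /path/to/worker.hcl`. The permission check is a warning rather than a failure because Boundary does not enforce directory modes itself; it is a hardening step for the credentials and recordings the worker keeps on disk.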
Procedure
With the worker configured and the S3 bucket created, collect the following and then continue in the HCP Boundary UI:
- The Worker Auth Registration Request that the worker prints when it starts.
- The S3 bucket name and region, and the access key ID and secret access key of the IAM user Boundary will use for this bucket. Create a dedicated IAM user whose permissions are scoped to this one bucket rather than reusing broader credentials; these secrets are stored in Boundary's storage bucket resource.
Step 1. Register the worker in the HCP Boundary UI (skip Step 6):
Step 2. Add a new storage bucket in the HCP Boundary UI (skip ahead to "Complete the following steps to create a storage bucket in Boundary for session recording").
Note: the storage bucket's worker filter must match one of the tags set on the worker you created above, for example:
"worker-session-recording" in "/tags/type"
Step 3. Enable session recording on an SSH target and select the storage bucket created in Step 2.
Additional Information
For additional questions or support, please open a Support ticket.