How do we audit SSH usage?
The best way is with Teleport.
How do we audit SSH usage and track what is done on a host?
The best way is with Teleport by Gravitational. We’ve implemented this for many customers. The Helm Charts are open-sourced by us in our charts repository and we provide helmfiles for their installation.
We also have our own solution called sudosh, but that’s subpar by comparison. It’s an extremely simple wrapper for sudo that enables it to be used as a system login shell. We use sudo, which natively supports session logs and replay. The downside with this solution is the difficulty in securing and shipping the binary logs somewhere. On the other hand, Teleport handles this seamlessly in a tamper-resistant manner. In addition, the sudo logs are binary, so shipping them to a log store like Sumologic or Splunk is not recommended.
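The sudo session logging and replay mentioned above is enabled in sudoers. The fragment below is an added example, not taken from sudosh or our charts; the drop-in file name and the binary paths are assumptions, and the log directory shown is sudo's usual default.

```sudoers
# /etc/sudoers.d/session-logging   (hypothetical file name)
# Check syntax before installing: visudo -cf /etc/sudoers.d/session-logging

# Record the terminal output of every command run through sudo.
Defaults log_output

# Also record what the user types. This captures everything entered at the
# terminal, including any passwords typed into the session, so the log
# directory needs to be readable by root only.
Defaults log_input

# Directory the session recordings are written to (sudo's usual default).
Defaults iolog_dir=/var/log/sudo-io

# Do not record the replay tool itself, or commands that end the session
# abruptly (paths are assumptions; adjust to the host).
Defaults!/usr/bin/sudoreplay !log_output
Defaults!/sbin/reboot !log_output

# Reviewing recordings, as root:
#   sudoreplay -l          list recorded sessions with their IDs
#   sudoreplay <ID>        replay one session from the list
#   sudoreplay -d <dir> -l use a directory other than the default
```

The recordings stay on the host as files under the log directory, which is why securing them and getting them off the machine is the hard part described above.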