How does one combine something like teleport with policies and audit logging? I'm referring to the recent controversy around Uber employees playing with sensitive data.
Can you use Teleport (or anything else, really) to enforce access policies and, most importantly, audit logging? Especially when combined with hardware tokens like U2F keys, etc.
This will be out in 1.5 release. Using this RBAC you can deny access to machines based on user's role (e.g. prevent developers from accessing nodes labelled as DB) and limit their logins as unprivileged users.
But this works on a server level, not on DB/connection level. Teleport's audit logs will help to inspect the event after the fact, however to prevent data exfiltration one needs to deploy a solution that oversees SSH, TLS and all other possible connections to enforce policies on all possible data paths.
Is there any documentation about your audit logs? In general, most startups will be more inclined towards detailed audit logging than upfront security for their developers.
Would your logs also trap all commands that were executed after logging in? How do you tie an SSH session to the activity of that session?
We don't have detailed docs on our audit logs yet.
Here's a short description:
Teleport's SSH servers capture PTY output and send logs to the audit server along with session metadata.
Every SSH session has a unique identifier, the Teleport users who participated in this session, and the captured activity.
Sessions (structured events) and audit logs can be stored in various sources, for example recently we've implemented SumoLogic for audit events and S3 for session recordings for some of our customers to upload and store this information.
Obviously, you could do various things (especially if you are root) to tamper with this system. For these use cases I would use something like https://github.com/draios/falco to capture all application-level activity.
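As an added example (not Teleport's code, and using a simplified JSON-lines event layout assumed here rather than Teleport's real format), this joins recorded PTY output back to session metadata by session id, as the reply above describes, and lists sessions where a privileged login reached a DB-labelled node:

```python
import json
from collections import defaultdict

# Constructed sample input in a simplified JSON-lines layout assumed for this
# example; it is not Teleport's real audit or recording format.
SAMPLE_EVENTS = """\
{"event":"session.start","sid":"a1b2","user":"alice","login":"ubuntu","node":"web-1","labels":{"role":"web"}}
{"event":"session.join","sid":"a1b2","user":"bob"}
{"event":"session.start","sid":"c3d4","user":"carol","login":"root","node":"db-1","labels":{"role":"db"}}
{"event":"session.end","sid":"a1b2"}
{"event":"session.end","sid":"c3d4"}
"""
SAMPLE_CHUNKS = """\
{"sid":"a1b2","offset":0,"data":"$ ls /var/www\\nindex.html\\n"}
{"sid":"c3d4","offset":0,"data":"# mysql -e 'SELECT COUNT(*) FROM users'\\n42\\n"}
{"sid":"a1b2","offset":25,"data":"$ exit\\n"}
"""

def reconstruct_sessions(events_text, chunks_text):
    """Join session metadata with captured PTY output using the session id (sid)."""
    sessions = {}
    for line in events_text.splitlines():
        ev = json.loads(line)
        sid, kind = ev["sid"], ev["event"]
        if kind == "session.start":
            sessions[sid] = {"user": ev["user"], "login": ev["login"], "node": ev["node"],
                             "labels": ev.get("labels", {}), "participants": {ev["user"]},
                             "ended": False, "transcript": ""}
        elif kind == "session.join":
            sessions[sid]["participants"].add(ev["user"])
        elif kind == "session.end":
            sessions[sid]["ended"] = True
    chunks = defaultdict(list)
    for line in chunks_text.splitlines():
        ch = json.loads(line)
        chunks[ch["sid"]].append((ch["offset"], ch["data"]))
    for sid, parts in chunks.items():
        # A recording with no matching session.start is a gap worth alerting on.
        sessions.setdefault(sid, {"user": None, "login": None, "node": None, "labels": {},
                                  "participants": set(), "ended": False, "transcript": ""})
        sessions[sid]["transcript"] = "".join(data for _, data in sorted(parts))
    return sessions

def privileged_sessions_on(sessions, label_key, label_value, privileged_login="root"):
    """Session ids where a privileged login reached a node carrying the given label."""
    return sorted(sid for sid, s in sessions.items()
                  if s["labels"].get(label_key) == label_value and s["login"] == privileged_login)
```

Call `reconstruct_sessions(SAMPLE_EVENTS, SAMPLE_CHUNKS)` and then `privileged_sessions_on(..., "role", "db")` to get the session ids to review, each with its participants and full transcript.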
This is awesome! Would love to see a doc for detailed audit logging when you have one up.
This in itself is a killer app!
EDIT: one more request, please make your docs/Makefile a little more beginner friendly. For example, your get-started page (or your Makefile target) does not have systemd targets in place. I think you guys take care of the necessary SELinux permissions inside the code, but I'm not sure if it does so for /var/lib/teleport.
It might be useful to consider using Ansible (which will make this very practical for devops).