Identifying users in an `aptible ssh` context


#1

For compliance purposes, we’re trying to log the initiating user for every PHI-related read, write, update, and delete. So if Kevin deletes 3 db records, we want to log who did it (Kevin).

This is easy in a web request context: we just log the current logged-in user.

It’s a bit harder in an `aptible ssh` context. For example, if Kevin opens a rails console with `aptible ssh rails console`, I’d love some way to tell the rails logging mechanism that the user who initiated this command was Kevin.

I’m wondering if anyone has any suggestions? I was hoping that maybe the `aptible ssh` command forwarded along an env variable or something I could use to determine which aptible user executed it, but no such luck.

Right now my best alternatives seem to be:

  • Fork the aptible cli to provide the currently authed aptible user as an env variable through ssh and use that fork.
  • Convince everyone with an aptible account at my company to run `aptible ssh bash -c "USERNAME=$(whoami) rails console"` instead of `aptible ssh rails console`

Neither are super elegant solutions, so I thought I’d ask here: does anyone have a good way to identify the current user from the context of an `aptible ssh` session?


#2

Hi Kevin,

(Just responding from Aptible’s perspective - other Aptible customers may of course have a different one)

Unfortunately, exposing the user that ran aptible ssh in an environment variable would be trivially forgeable by whoever is running the aptible ssh session, which makes this kind of logging worth little from an audit perspective (precisely because anyone determined to fool your audit logging can easily do so).

Since we don’t want to encourage a false sense of security, we indeed don’t expose this information in your container’s environment. If there are other approaches we could facilitate, we’re of course interested in hearing about them!

Cheers,


#3

Yeah, that’s pretty understandable. For our purposes, self-reported identification is probably alright (since we also have aptible’s more reliable record of “Kevin SSHed on November 8, 2016 0:24AM UTC” for each app that we can corroborate with our own logs if necessary).

On a related note, any suggestion on how I might send logs to the log drain from within an `aptible ssh` session? It just occurred to me that stdout from there doesn’t get captured (which makes sense – stdout is going to the ssh session instead). But I’m trying to get logging from the rails console on aptible to our log drains and the best option I can think of is to write a custom rails logger that makes https requests instead of printing to stdout.
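
The custom logger described in this post, as an added example (not code from the thread or from Aptible): a Ruby `Logger` whose device POSTs each line over HTTPS and tags every event with the self-reported `USERNAME` from the command in post #1, marked as unverified because it is forgeable. The drain URL, the JSON field names, and the class and method names are assumptions.

```ruby
require "json"
require "logger"
require "net/http"
require "time"
require "uri"

# IO-like log device: Logger calls #write once per formatted line.
class HttpsDrainDevice
  # transport: any callable taking (uri, body); injectable so it can be tested offline.
  def initialize(url, transport: nil)
    @uri = URI(url)
    raise ArgumentError, "drain URL must be https" unless @uri.scheme == "https"
    @transport = transport || method(:post_json)
  end

  def write(line)
    @transport.call(@uri, line)
    line.bytesize
  rescue StandardError => e
    # A drain outage must not break the console session; keep the event on stderr.
    warn "log drain unreachable (#{e.class}): #{line}"
    0
  end

  def close; end

  private

  def post_json(uri, body)
    Net::HTTP.start(uri.host, uri.port, use_ssl: true, open_timeout: 2, read_timeout: 2) do |http|
      http.post(uri.request_uri, body, "Content-Type" => "application/json").value # raises on non-2xx
    end
  end
end

# Build a logger that tags each event with the self-reported operator name.
def build_console_logger(url, env: ENV, transport: nil)
  operator = env.fetch("USERNAME", "unknown") # set by the person running the session, so forgeable
  logger = Logger.new(HttpsDrainDevice.new(url, transport: transport))
  logger.formatter = proc do |severity, time, _prog, msg|
    event = { ts: time.utc.iso8601, severity: severity, source: "aptible-ssh",
              operator: operator, operator_verified: false, message: msg.to_s }
    JSON.generate(event) + "\n"
  end
  logger
end
```

In a console session the result would be assigned to `Rails.logger`; the `operator_verified: false` field lets whoever reads the drain treat the name as a claim to corroborate against the platform's own SSH record.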


#4

For the time being, this is probably the best approach. We have definitely considered capturing SSH sessions and sending their output to Log Drains though. It’s still pretty far off, but this could eventually become a built-in feature.

Cheers,


#5

Hi there,

Logging from SSH sessions is now available: https://www.aptible.com/changelog/capture-ssh-session-logs-with-log-drains/


#6

I saw the announcement. Very cool!