# Create a new folder for the log files
# Allow ec2-user only to access this folder and its content
chown ec2-user:ec2-user /var/log/bastion
chmod -R 770 /var/log/bastion
setfacl -Rdm other:0 /var/log/bastion
# Make OpenSSH execute a custom script on logins
echo -e “\nForceCommand /usr/bin/bastion/shell” >> /etc/ssh/sshd_config
# Block some SSH features that bastion host users could use to circumvent
# the solution
awk ‘!/AllowTcpForwarding/’ /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
awk ‘!/X11Forwarding/’ /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
echo “AllowTcpForwarding no” >> /etc/ssh/sshd_config
echo “X11Forwarding no” >> /etc/ssh/sshd_config
cat > /usr/bin/bastion/shell << ‘EOF’
# Check that the SSH client did not supply a command
if [[ -z $SSH_ORIGINAL_COMMAND ]]; then
# The format of log files is /var/log/bastion/YYYY-MM-DD_HH-MM-SS_user
LOG_FILE=”`date –date=”today” “+%Y-%m-%d_%H-%M-%S”`_`whoami`”
# Print a welcome message
echo “NOTE: This SSH session will be recorded”
echo “AUDIT KEY: $LOG_FILE”
# I suffix the log file name with a random string. I explain why
# later on.
SUFFIX=`mktemp -u _XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`
# Wrap an interactive shell into “script” to record the SSH session
script -qf -t $LOG_DIR$LOG_FILE$SUFFIX.time $LOG_DIR$LOG_FILE$SUFFIX.data -c /bin/bash
# The “script” program could be circumvented with some commands
# (e.g. bash, nc). Therefore, I intentionally prevent users
# from supplying commands.
echo “This bastion supports interactive sessions only. Do not supply a command”
# Make the custom script executable
chmod a+x /usr/bin/bastion/shell
# Bastion host users could overwrite and tamper with an existing log file
# using “script” if they knew the exact file name. I take several measures
# to obfuscate the file name:
# 1. Add a random suffix to the log file name.
# 2. Prevent bastion host users from listing the folder containing log
# This is done by changing the group owner of “script” and setting GID.
chown root:ec2-user /usr/bin/script
chmod g+s /usr/bin/script
# 3. Prevent bastion host users from viewing processes owned by other
# users, because the log file name is one of the “script”
# execution parameters.
mount -o remount,rw,hidepid=2 /proc
awk ‘!/proc/’ /etc/fstab > temp && mv temp /etc/fstab
echo “proc /proc proc defaults,hidepid=2 0 0” >> /etc/fstab
# Restart the SSH service to apply /etc/ssh/sshd_config modifications.
service sshd restart