We’d like to know centrally when any of our devices have been accessed via SSH, preferably knowing audit information such as who accessed the device, and at what time.
I was wondering if there was any means to audit SSH access to our fleet devices?
When we Balena SSH over the Balena VPN - is there a trace of this on the cloud side you record already? Something perhaps we can pull an audit trail from?
Or does this come down to a device trying to inspect some low level OS logging for SSH access and sending this back to the cloud?
If this is the case, is there any advice on best practice when trying to scrape these events from system logs?
Hello Louis,
BalenaCloud does not have the feature of generating audit trails/logs for devices’ SSH access. We do understand the need & utility of the feature and hence are already working on building it. We cannot yet provide a date for its availability though.
We do have server side log statements in our codebase that come in handy when debugging device specific incidents. Thus, I can’t deny the presence of traces (for SSH access) on the cloud side. These log statements however were not put in place to facilitate generating trails. Therefore, collating/correlating them across orgs/fleets/users/devices to produce meaningful & exhaustive audit trails is infeasible for us.
Every device does log SSH login/logout events and they can be viewed using journalctl -u sshd*. However, these logs will not contain information that you are looking for. Usernames & permissions are resolved on the cloud. All balena ssh requests reach the device’s SSH server only if the request is authenticated & authorised by the cloud. From the device’s PoV, all logins come from the same user (viz. root) from an IP belonging to one of balena’s backend servers. Thus, scraping system logs of devices will not generate meaningful data.
Hope that helps.
Please feel free to ask any more questions you may have.
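To illustrate the point made above about what device-side sshd logs do and do not carry, here is an added example (not part of this thread or of balena's own tooling). It parses journald lines of the kind `journalctl -u 'sshd*' -o short-iso` prints, extracts the timestamp, result, source address and local account of each event, and pairs logins with disconnects into sessions. The sample lines are constructed and assume an OpenSSH-style sshd message format; on a real fleet device the "user" column is expected to collapse to `root` and the source addresses to balena backend servers, so the output answers "when" but not "who":

```python
import re
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample in `journalctl -o short-iso` style; not real device output.
# Assumes OpenSSH-style sshd messages (login, disconnect, failed attempt).
SAMPLE_JOURNAL = """\
2024-05-01T10:15:32+0000 device sshd[1234]: Accepted publickey for root from 203.0.113.10 port 51234 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
2024-05-01T10:18:07+0000 device sshd[1234]: Disconnected from user root 203.0.113.10 port 51234
2024-05-01T11:02:45+0000 device sshd[1301]: Accepted publickey for root from 203.0.113.11 port 40211 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
2024-05-01T11:03:01+0000 device sshd[1301]: Disconnected from user root 203.0.113.11 port 40211
2024-05-01T12:30:00+0000 device sshd[1402]: Failed password for invalid user admin from 198.51.100.7 port 2222 ssh2
"""

# One regex with three alternatives: accepted login, disconnect, failed attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: "
    r"(?:(?P<accepted>Accepted (?P<method>\w+) for (?P<auser>\S+) from (?P<aip>\S+) port (?P<aport>\d+))"
    r"|(?P<disc>Disconnected from user (?P<duser>\S+) (?P<dip>\S+) port (?P<dport>\d+))"
    r"|(?P<failed>Failed \w+ for (?:invalid user )?(?P<fuser>\S+) from (?P<fip>\S+) port (?P<fport>\d+)))"
)


@dataclass
class SshEvent:
    when: datetime
    kind: str                  # "login", "logout" or "failed"
    user: str                  # local account as sshd saw it (expected: always root)
    ip: str                    # peer address (expected: a backend server, not the operator)
    port: int
    method: Optional[str] = None  # authentication method for logins


def parse_journal(text: str) -> List[SshEvent]:
    """Turn journald sshd lines into structured events; unrecognised lines are skipped."""
    events: List[SshEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S%z")
        if m.group("accepted"):
            events.append(SshEvent(when, "login", m["auser"], m["aip"], int(m["aport"]), m["method"]))
        elif m.group("disc"):
            events.append(SshEvent(when, "logout", m["duser"], m["dip"], int(m["dport"])))
        else:
            events.append(SshEvent(when, "failed", m["fuser"], m["fip"], int(m["fport"])))
    return events


def pair_sessions(events: List[SshEvent]) -> List[Dict]:
    """Match each login with the disconnect from the same peer (ip, port) to get a session."""
    open_by_peer: Dict[tuple, SshEvent] = {}
    sessions: List[Dict] = []
    for ev in sorted(events, key=lambda e: e.when):
        key = (ev.ip, ev.port)
        if ev.kind == "login":
            open_by_peer[key] = ev
        elif ev.kind == "logout" and key in open_by_peer:
            start = open_by_peer.pop(key)
            sessions.append({
                "user": start.user, "ip": start.ip, "start": start.when, "end": ev.when,
                "seconds": int((ev.when - start.when).total_seconds()),
            })
    return sessions


def summarize(text: str) -> Dict:
    """Aggregate what the device log can tell us: counts, sessions, and the (flat) user set."""
    events = parse_journal(text)
    return {
        "logins": sum(e.kind == "login" for e in events),
        "failed": sum(e.kind == "failed" for e in events),
        "distinct_users": sorted({e.user for e in events if e.kind == "login"}),
        "distinct_sources": sorted({e.ip for e in events if e.kind == "login"}),
        "sessions": pair_sessions(events),
    }


if __name__ == "__main__":
    # Usage on a device: journalctl -u 'sshd*' -o short-iso --no-pager | python3 ssh_audit.py
    journal = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    summary = summarize(journal)
    for s in summary["sessions"]:
        print(f"{s['start'].isoformat()} {s['user']}@{s['ip']} for {s['seconds']}s")
    print(f"logins={summary['logins']} failed={summary['failed']} users={summary['distinct_users']}")
```

The session pairing keys on the peer address and port, which is what sshd actually records; the `distinct_users` field is where the attribution gap shows up, since every successful login resolves to the same local account regardless of which cloud user initiated it.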
Thanks for the details @pranavpeshwe, it’s very helpful.
It’s great to hear you are developing this feature. I understand that you are not able to provide an exact date, but do you know if it would likely be available this year or next?
Would it be possible to subscribe to the development of this feature?
Thanks!
Hi Louis, I will keep you posted on the feature development of audit logs. I can’t promise it’ll be before the end of the year, but I can provide some updates at our next check-in!