osh-encrypt-rsync.conf

Note

The osh-encrypt-rsync script is called by cron and is responsible for encrypting and optionally pushing the recorded ttyrec files to a distant server, along with the user logs (/home/*/*.log) and user sqlite files (/home/*/*.sqlite). The global log and sqlite files are also handled (located in /home/logkeeper/). Note that logs sent through syslog are NOT managed by this script.

Warning

If left unconfigured, this script won't do anything, and the recorded ttyrec files, along with the log and sqlite files won't be encrypted or moved out from the server. This might not be a problem for low-traffic bastions or if you have plenty of storage available, though.

Option List

Logging options

These options configure the way the script logs its actions

Encryption and signing options

These options configure how the script uses GPG to encrypt and sign the ttyrec files

Push files to a remote destination options

These options configure the way the script uses rsync to optionally push the encrypted files out of the server

Option Reference

Logging

logfile

Type

string, path to a file

Default

""

File where the logs will be written to (don't forget to configure logrotate!). Note that using this configuration option, the script will directly write to the file, without using syslog. If empty, won't log directly to any file.

syslog_facility

Type

string

Default

"local6"

The syslog facility to use for logging the script output. If set to the empty string, we'll not log through syslog at all. If this configuration option is missing from your config file altogether, the default value will be used (local6), which means that we'll log to syslog.

verbose

Type

int >= 0

Default

0

The verbosity level of the logs produced by the script 0: normal (default) 1: log more information about what is happening 2: log debug-level information

Encryption and signing

signing_key

Type

string, GPG key ID in short or long format

Default

(none), setting a value is mandatory

ID of the GPG key used to sign the ttyrec files. The key must be in the local root keyring, check it with gpg --list-secret-keys

signing_key_passphrase

Type

string

Default

(none), setting a value is mandatory

This passphrase should be able to unlock the signing_key defined above. As a side note, please ensure this configuration file only readable by root (0640), to protect this passphrase. As a security measure, the script will refuse to read the configuration otherwise.

recipients

Type

array of array of strings, a string being a GPG key ID in short or long format

Default

(none), setting a value is mandatory

The ttyrecs will be encrypted with those GPG keys, possibly using multi-layer GPG encryption. Each sub-array is a layer, the first sub-array being the first encryption layer (which is also the last one for decryption) To completely decrypt a ttyrec, one would need at least one key of each layer. To encrypt only to a single layer and to only one key, simply use [ [ "KEYID" ] ]. To encrypt to a single layer but with 3 keys being able to decrypt the ttyrec, use [ [ "KEY1", "KEY2", "KEY3" ] ], etc. A common use of multi-layer encryption is to have the first layer composed of the auditors' GPG keys, and the second layer composed of the sysadmins' GPG keys. During an audit, the sysadmins would get the ttyrec encrypted file, decrypt the second encryption layer (the first for decryption), and handle the now only auditor-protected file to the auditors. All public keys must be in the local root keyring (gpg --list-keys). Don't forget to trust those keys "ultimately" in root's keyring, too (gpg --edit-key ID)

encrypt_and_move_to_directory

Type

string, a valid directory name

Default

"/home/.encrypt"

After encryption (and compression), move ttyrec, user sqlite and user log files to subdirs of this directory. It'll be created if it doesn't exist yet. You may want this directory to be the mount point of a remote filer, if you wish. If you change this, it's probably a good idea to ensure that the path is excluded from the master/slave synchronization, in /etc/bastion/osh-sync-watcher.rsyncfilter. This is already the case for the default value.

encrypt_and_move_ttyrec_delay_days

Type

int > 0, or -1

Default

14

Don't touch ttyrec files that have a modification time more recent than this amount of days. The files won't be encrypted nor moved yet, and will still be readable by the selfPlaySession command. You can set this to a (possibly) much higher value, the only limit is the amount of disk space you have. If set to -1, the ttyrec files will never get encrypted or moved by this script. The eligible files will be encrypted and moved to encrypt_and_move_to_directory. NOTE: The old name of this option is encrypt_and_move_delay_days. If it is found in your configuration file and encrypt_and_move_ttyrec_delay_days is not, then the value of encrypt_and_move_delay_days will be used instead of the default.

encrypt_and_move_user_logs_delay_days

Type

int >= 31, or -1

Default

31

Don't touch user log files (/home/*/*.log) that have been modified more recently than this amount of days. The bare minimum is 31 days, to ensure we're not moving a current-month file. You can set this to a (possibly) much higher value, the only limit is the amount of disk space you have. If set to -1, the user log files will never get encrypted or moved by this script. The eligible files will be encrypted and moved to encrypt_and_move_to_directory.

encrypt_and_move_user_sqlites_delay_days

Type

int >= 31, or -1

Default

31

Don't touch user sqlite files (/home/*/*.sqlite) that have been modified more recently than this amount of days. The files won't be encrypted nor moved yet, and will still be usable by the selfListSessions command. The bare minimum is 31 days, to ensure we're not moving a current-month file. You can set this to a (possibly) much higher value, the only limit is the amount of disk space you have. If set to -1, the user sqlite files will never get encrypted or moved by this script. The eligible files will be encrypted and moved to encrypt_and_move_to_directory.

Push files to a remote destination

rsync_destination

Type

string

Default

""

Example

"user@remotebackup.example.org:/remote/dir"

The value of this option will be passed to rsync as the destination. Note that the source of the rsync is already configured above, as the encrypt_and_move_to_directory. We only rsync the files that have already been encrypted and moved there. If this option is empty, this will disable rsync, meaning that the ttyrec files will be encrypted, but not moved out of the server. In other words, the files will pile up in encrypt_and_move_to_directory, which can be pretty okay in you have enough disk space.

rsync_rsh

Type

string

Default

""

Example

"ssh -p 222 -i /root/.ssh/id_ed25519_backup"

The value of this option will be passed to rsync's --rsh option. This is useful to specify an SSH key or an alternate SSH port for example. This option is ignored when rsync is disabled (i.e. when rsync_destination is empty).

rsync_delay_before_remove_days

Type

int >= 0, or -1

Default

0

After encryption/compression, and successful rsync of encrypt_and_move_to_directory to remote, wait for this amount of days before removing the encrypted/compressed files locally. Specify 0 to remove the files as soon as they're transferred. This option is ignored when rsync is disabled (i.e. when rsync_destination is empty). Note that if rsync is enabled (see rsync_destination above), we'll always sync the files present in encrypt_and_move_to_directory as soon as we can, to ensure limitation of logs data loss in case of catastrophic failure of the server. The rsync_delay_before_remove_days option configures the number of days after we remove the files locally, but note that these have already been transferred remotely as soon as they were present in encrypt_and_move_to_directory. To rsync the files remotely but never delete them locally, set this to -1.