Re: SSH access to CF app instances on Diego

Home Messages Hashtags Subgroups

Guillaume Berche #664 Following up on James's description of the "papertrail" ssh audit traces that the diego-ssh support is adding. This is very useful to have these traces. Can you confirm these traces are provided through loggregator (and don't appear in the cc events) ? I'm however wondering how reliable can the loggregator-based logs be (as loggregator is lossy and not designed to support reliable transport of logs). While I understand there have been recent efforts to reduce the lossy rate of loggregator, I'm wondering how easy it would be for a CF user to cover its tracks (i.e. its "diego ssh" log entries), e.g. simply flooding the loggregator with user traffic (having RTR and diego compete for throughput into loggregator for a given app). Thanks, Guillaume. toggle quoted messageShow quoted text On Thu, Jul 2, 2015 at 10:18 PM, James Myers <jmyers(a)pivotal.io> wrote: From a security stand point, if you can ssh into a container, it means you have write access to the application in CloudFoundry. Thus you can already push new bits/change the application in question. All of the "papertrail" functionality around pushing/changing applications exists for SSH as well (we record events, output log lines, make it visible to users that action was taken on the application), and thus concerned operators would be able to determine if someone modifying the application in question. attachment.html
More All Messages By This Member

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.