Re: SSH access to CF app instances on Diego

Guillaume Berche

Following up on James's description of the "papertrail" ssh audit traces
that the diego-ssh support is adding.

It is very useful to have these traces. Can you confirm these traces are
provided through loggregator (and don't appear in the cc events)? I'm
however wondering how reliable the loggregator-based logs can be (as
loggregator is lossy and not designed to support reliable transport of
logs). While I understand there have been recent efforts to reduce the
loss rate of loggregator, I'm wondering how easy it would be for a CF user
to cover their tracks (i.e. their "diego ssh" log entries), e.g. by simply
flooding the loggregator with user traffic (having RTR and diego compete
for throughput into loggregator for a given app).

Thanks,

Guillaume.

On Thu, Jul 2, 2015 at 10:18 PM, James Myers <jmyers(a)pivotal.io> wrote:
From a security standpoint, if you can ssh into a container, it means you
have write access to the application in CloudFoundry. Thus you can already
push new bits/change the application in question. All of the "papertrail"
functionality around pushing/changing applications exists for SSH as well
(we record events, output log lines, make it visible to users that action
was taken on the application), and thus concerned operators would be able
to determine if someone is modifying the application in question.
