Bastion Logging - Linux Bastion Hosts on the AWS Cloud

Bastion Logging

The bastion hosts deployed by this Quick Start provide a command logger in the /var/log/bastion/bastion.log file. This log file contains the following information: the date, the SSH client connection IP address, the user name, the working directory, and the commands issued.

For added security, the contents of the /var/log/bastion/bastion.log file are also stored in a CloudWatch Logs log group in the AWS Cloud, and they remain available even if the bastion hosts fail.

The log includes a history of all the commands that are executed when a user logs in. For example, Figure 5 shows a log that recorded that a user logged in through a specific IP address and attempted to remove the password file as a standard user, and then escalated to root access and tried to remove the bastion log.

Figure 5: Command logger for bastion hosts


If you’d like to notify your users that all their commands will be monitored and logged, we recommend that you enable the bastion host banner, as described in the previous section. The default banner text includes the alert shown in Figure 4, and you can customize the wording as necessary.

The bastion.log file has the immutable bit set, so it cannot be easily removed or tampered with. If a malicious user does find the bastion.log file, somehow gains root privileges, removes the protections, and deletes the log file, there is a shadow file that contains a copy of the log. The shadow file is located in /var/log/bastion/.bastion.log. The shadow file is just a copy—an attacker can find and delete it. For this reason, the Quick Start also stores the contents of the bastion.log file remotely using the CloudWatch Logs service. The log files can be found under CloudWatch Logs using the instance ID as the log stream name.
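The sequence in Figure 5 (a standard user trying to remove the password file, escalating to root, then trying to remove bastion.log) is exactly what a defender wants to alert on from the CloudWatch copy of the log. The following parser and detector is an added example, not code from the Quick Start; since this page does not show the exact bastion.log line layout, it assumes a constructed layout of date, client IP, user, working directory and command, and the sample log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed line layout (constructed for this example; the Quick Start's real
# bastion.log format may differ): [date] client-ip user working-dir command
LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\]\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<pwd>\S+)\s+(?P<cmd>.*)$"
)

# Paths whose modification or removal should raise an alert.
SENSITIVE = ["/etc/passwd", "/etc/shadow", "/var/log/bastion"]
ESCALATION = re.compile(r"^(sudo|su)\b")
TAMPER = re.compile(r"\b(rm|chattr|shred|truncate)\b")

@dataclass
class Event:
    date: str
    ip: str
    user: str
    pwd: str
    cmd: str

def parse_line(line: str) -> Optional[Event]:
    """Parse one bastion.log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return Event(**m.groupdict()) if m else None

def flag(ev: Event) -> List[str]:
    """Reasons this command is suspicious: privilege escalation or tampering."""
    reasons = []
    if ESCALATION.search(ev.cmd):
        reasons.append("escalation")
    if TAMPER.search(ev.cmd) and any(p in ev.cmd for p in SENSITIVE):
        reasons.append("tamper")
    return reasons

def scan(log_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (ip, user, cmd, reasons) for every flagged line in the log."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = flag(ev)
        if reasons:
            hits.append((ev.ip, ev.user, ev.cmd, reasons))
    return hits

# Constructed sample mirroring the Figure 5 sequence.
SAMPLE_LOG = """\
[2023-05-01 10:15:02] 203.0.113.7 ec2-user /home/ec2-user ls -la
[2023-05-01 10:15:10] 203.0.113.7 ec2-user /home/ec2-user rm /etc/passwd
[2023-05-01 10:15:20] 203.0.113.7 ec2-user /home/ec2-user sudo su -
[2023-05-01 10:15:31] 203.0.113.7 root /root chattr -i /var/log/bastion/bastion.log
[2023-05-01 10:15:35] 203.0.113.7 root /root rm -f /var/log/bastion/bastion.log
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

In practice the same logic would run as a CloudWatch Logs subscription consumer (for example a Lambda function), so that an alert fires even if the local bastion.log and its shadow copy have already been deleted.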