Compliance / Logging Mode

[staaldraad]

In certain conditions it would be useful to have enforced logging available. Especially in cases where logs are required for compliance, having upterm record the session and export logs would be extremely useful.

This would also position upterm to fulfil a role similar to what sudo_pair does. It lacks the "approve" feature, but engineers who are performing sensitive actions have both another engineer reviewing actions during the session, and exported logs for future audit requirements.

Expected behaviour

There are multiple options here, but the first requirement would be that the session is started in "compliance" mode. This would be through a flag --compliance. The user could also specify a log file location.

One option with the log file generation is to only generate the log file on the host side. Alternatively a client that connects to a host that has --compliance enabled would also start recording logs. The benefit here is that there are two records of the logs and you remove the single party responsibility.

Actual logging can be added to the stdin, stdout and stderr of the session. This would need to be added to the session.stdin etc, maybe an io.Pipe that does session.stdin --> logger-pipe --> ptx.stdin

[arogic]

Hi @staaldraad, I totally agree. This would be a very useful feature. Just wondering if you have a workaround, something like using asciinema or script to achieve this?

Thanks in advance.