Bastionhost cannot audit secure copy (SCP) commands. To audit SCP-based operations by using Bastionhost, you can configure ProxyJump on your computer before you run SCP commands to transfer files.
Background information
ProxyJump is supported by OpenSSH 7.3 and later. When you run SCP commands to upload or download files from an SSH client on a computer configured with ProxyJump, the SSH client establishes a secure connection to your bastion host first. Then, the SSH client communicates with the host on which you want to upload or download files by using the bastion host. This way, you can use your bastion host to audit SCP-based operations.
Prerequisites
The on-premises client is connected to your bastion host and you can log on to the bastion host from the client. For more information about how to troubleshoot related issues, see FAQ about connections between clients and bastion hosts.
The hosts and host accounts on which you want to perform O&M operations are managed by the bastion host. For more information, see Add hosts and Manage a host account.
The user to be used to access the bastion host is authorized to manage the host. For more information, see Authorize a user to manage hosts or Authorize a user to manage host groups.
The client must be OpenSSH 7.3 or later.
Configure ProxyJump
Log on to the on-premises Linux computer.
Run the following command to create the config file in the .ssh directory and configure the parameters:
    vim ~/.ssh/config
The following sample code provides an example on how to configure the parameters:
    #-------Configuration of the bastion host---------#
    # The alias of the bastion host.
    Host bastion
        # The O&M address of the bastion host.
        HostName ****-public.bastionhost.aliyuncs.com
        # The port number of the bastion host. The default port is 60022.
        Port 60022
        # The user of the bastion host.
        User bastion-user

    #-------Configuration of the host managed by the bastion host---------#
    # The alias of the host.
    Host target-host-A
        # The IP address of the host.
        HostName 192.168.XX.XX
        # The username of the host.
        User target-user
        # Configure ProxyJump. When you run SCP commands, the SSH client connects to the bastion host and then connects to the host target-host-A by using the bastion host.
        ProxyJump bastion

    #--------Support for multiple hosts--------#
    #Host target-host-B
    #    HostName 192.168.XX.XX
    #    User target-user
    #    ProxyJump bastion
Run SCP commands to upload files to the host or download files to your computer. Examples:
Upload a file to the host:
The following sample code provides an example on how to upload the file-name.txt file to the home directory on the host target-host-A.
    scp /file-name.txt target-host-A:/home/
Download a file to your computer:
The following sample code provides an example on how to download the file-name.txt file from the host target-host-A to the home directory on your computer.
    scp target-host-A:/file-name.txt /home/
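A pre-flight check for the procedure above, added here as an example and not part of the original Bastionhost documentation: it confirms that the local client supports ProxyJump and that a host alias resolves to the bastion as its first hop, so the SCP transfer is audited. The function names are hypothetical; the script relies on `ssh -V` for the version banner and `ssh -G` for the resolved client configuration, and assumes the aliases from the sample config.

```shell
#!/bin/sh
# Added example (not from the original page): verify that scp to an alias
# will be relayed through the bastion host before transferring files.

# Succeed if an `ssh -V` banner (passed as $1) reports OpenSSH 7.3 or later,
# the first release that supports ProxyJump.
supports_proxyjump() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver                      # $1 = major, $2 = minor
    [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 3 ]; }
}

# Read `ssh -G <alias>` output on stdin and succeed only if the first
# jump hop is the expected bastion alias ($1). A missing proxyjump line
# means the client would connect to the host directly.
routed_via() {
    hop=$(awk '$1 == "proxyjump" { split($2, h, ","); print h[1]; exit }')
    [ "$hop" = "$1" ]
}

# Check one alias with the local ssh client and ~/.ssh/config.
check_alias() {
    supports_proxyjump "$(ssh -V 2>&1)" || {
        echo "OpenSSH 7.3 or later is required for ProxyJump" >&2
        return 1
    }
    ssh -G "$1" | routed_via "$2" || {
        echo "$1 is not routed through $2: the transfer would not be audited" >&2
        return 1
    }
    echo "$1 is reached through $2"
}

# Usage: sh check-proxyjump.sh target-host-A bastion
if [ $# -eq 2 ]; then
    check_alias "$1" "$2"
fi
```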
View audit logs in the bastion host
Log on to the bastion host to view the audit logs of SCP-based operations. For more information, see Search for sessions and view session details.