Add Teleport Cloud instructions to two guides #11381
340e962 to 78990ea
These look good to me.
This wasn't part of the changes, but I wonder if this should be changed in any example teleport.yaml config files:
# Replace with IP of Teleport Auth server.
- 127.0.0.1:3025
Can't the `auth_servers` value also be a fully qualified domain name? So they wouldn't necessarily need to use the IP. Maybe say `Replace with IP or fully qualified domain name of the Teleport Auth server`.
78990ea to 8a7dc9b
@ulysseskan I've suggested using the more vague "address"
9543976 to a517feb
|
||
<Notice type="tip"> | ||
|
||
Our Standard Session Recording works with older Linux Kernels. View |
Kernel or kernel? We use both in this doc and should probably choose one and be consistent.
|
||
```yaml | ||
# Example config to be saved as etc/teleport.yaml | ||
teleport: | ||
nodename: graviton-node | ||
auth_token: exampletoken | ||
auth_servers: | ||
# Replace with IP of Teleport Auth server. | ||
# Replace with the address of the Teleport Auth Server. |
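Review bot: `auth_token: exampletoken` carries no comment telling the reader to substitute their own join token, while the `auth_servers` entry directly below it gets a "Replace with ..." comment; in a snippet a reader may paste as-is, add a matching comment above `auth_token` so the placeholder value is not left in a Node's config. The path in the first comment line, `etc/teleport.yaml`, also looks like it is missing its leading slash (`/etc/teleport.yaml`).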
Would it make sense to only show the config block related to enhanced recording?
For example, this field can be the auth server or the proxy server. We cover this in other documentation, and going into detail about that here would distract from enhanced recording.
I think the advantage of using this approach is that the user can paste everything in this snippet into the config file on the Node, make minor adjustments, and proceed to the next step, without having to navigate through the docs. The current Step 2 is incomplete, so I've fleshed it out.
|
||
The resulting enhanced session recording will be shown in [Teleport's Audit Log](../../architecture/authentication.mdx#audit-log). | ||
If you would like to examine your audit log on the Teleport Auth Service host, | ||
you can examine the contents of `/var/lib/teleport/log` as shown below: |
Note: This only applies if using a file-based event log. (Not when using S3 or other cloud storage for audit events)
Added a Details section about this
a517feb to 54c0057
f7d3c82 to fc88777
## Step 1/3. Install and configure Teleport node | ||
(!docs/pages/includes/tctl.mdx!) | ||
|
||
## Background |
It feels like this section is too far down on the page. Most readers aren't going to know by default what "Enhanced Session Recording" is or why they would want it.
Should we move some or all of this to the intro before the pre-requisites so we don't lose readers?
I've restored the original introductory section with some light copy-edits.
The disadvantage is that session recordings can be bypassed using several | ||
techniques: |
Maybe reword this? The sessions are still recorded, so I'm not sure I would describe it as session recording being bypassed.
The disadvantage is really that the user's true actions can be hidden or obfuscated in such a way that it's hard to determine what actually happened by watching the recording (even though the recording does accurately reflect the session).
advanced security, greater logging capabilities, and better correlates a user | ||
with their activities. | ||
|
||
## Step 1/2. Configure a Teleport Node |
This whole section is mostly prerequisites and not related to enhanced recording. Is the intent that every guide involving SSH nodes should include steps for installing teleport, creating a join token, and joining the cluster? Or can we just document that process in one place and have guides assume you have a node running?
I wanted to make this more like our Database Access guides (e.g., https://goteleport.com/docs/database-access/guides/mongodb-atlas/) where we include as much information as possible in a single guide so users don't need to break focus to follow the guide (https://goteleport.com/docs/contributing/documentation/style-guide/#how-to-guides).
See #10634
Restricted Sessions for SSH
While this already includes a compatibility note, I wanted to ensure that users would only see information relevant to the scope they had selected. Changes made:
- Added a tabbed Prerequisites section
- Removed instructions to install the Auth/Proxy that implicitly applied to all scopes
- Misc style/grammar/clarity edits
BPF Session Recording
- Add scoped tabs
- Merge steps 2 and 3, which both involved examining the audit log to verify that Enhanced Session Recording is enabled
- Misc style/grammar/clarity tweaks
- Fix style
- Flesh out the Node setup section
- Add Details about file-based event logs
Restore the introductory section with minor copy-edits.
fc88777 to 0358013
Backports #11381
* Add Teleport Cloud instructions to two guides
  See #10634
  Restricted Sessions for SSH
  While this already includes a compatibility note, I wanted to ensure that users would only see information relevant to the scope they had selected. Changes made:
  - Added a tabbed Prerequisites section
  - Removed instructions to install the Auth/Proxy that implicitly applied to all scopes
  - Misc style/grammar/clarity edits
  BPF Session Recording
  - Add scoped tabs
  - Merge steps 2 and 3, which both involved examining the audit log to verify that Enhanced Session Recording is enabled
  - Misc style/grammar/clarity tweaks
* Respond to PR feedback
  - Fix style
  - Flesh out the Node setup section
  - Add Details about file-based event logs
* Respond to PR feedback
  Restore the introductory section with minor copy-edits.