website/content/docs/concepts/auditing.mdx
77 additions & 82 deletions
@@ -101,19 +101,40 @@ Any session recording metadata that is attached to the storage bucket is deleted
101
101
The BSR (Boundary Session Recording) defines a hierarchical directory structure of files and a binary file format.
102
102
It contains all the data transmitted between a user and a target during a single session.
103
103
104
-
Boundary creates the top-level directory of the BSR as `<sessionID>.bsr`. This top level directory contains session summary information and subdirectories for connections.
104
+
Boundary creates the top-level directory of the BSR as `<sessionRecordingID>.bsr`. This top level directory contains session summary
105
+
information and subdirectories for connections.
105
106
106
107
A BSR connections directory contains a summary of connections, as well as inbound and outbound requests.
107
108
If you use a multiplexed protocol, there are subdirectories for the channels.
108
109
110
+
Every directory contains a SHA256SUMS and SHA256SUMS.sig file, to be used for cryptographically verifying the contents of
111
+
that directory. The SHA256SUMS file contains rows of file names paired with a checksum for file contents. The
112
+
SHA256SUMS.sign is a copy of the SHA256SUMS file, signed with the BSR’s private key. For more information on verifying a
113
+
session recording, refer to [Validating the integrity of session recordings](/boundary/docs/operations/session-recordings/validate-session-recordings).
114
+
115
+
The example BSR below is for a multiplexed session recording with the ID `sr_iNCdGSREeX`. The session recording contains one connection,
116
+
`cr_3bB78W53Y9`. Connection `cr_3bB78W53Y9` contains two channels, `chr_VUnVuVnITu` and `chr_nITuVUnVuV`.
117
+
The files in each directory are explained in the following sections.
118
+
109
119
```
110
120
└── sr_iNCdGSREeX.bsr
111
121
├── SHA256SUM
112
122
├── SHA256SUM.sig
113
123
├── bsrKey.pub
124
+
├── pubKeyBsrSignature.sign
125
+
├── pubKeySelfSignature.sign
126
+
├── session-meta.json
127
+
├── session-recording-summary.json
128
+
├── session-recording.meta
129
+
├── wrappedBsrKey
130
+
├── wrappedPrivKey
114
131
├── cr_3bB78W53Y9.connection
115
132
│ ├── SHA256SUM
116
133
│ ├── SHA256SUM.sig
134
+
│ ├── connection-recording-summary.json
135
+
│ ├── connection-recording.meta
136
+
│ ├── requests-inbound.data
137
+
│ ├── requests-outbound.data
117
138
│ ├── chr_VUnVuVnITu.channel
118
139
│ │ ├── SHA256SUM
119
140
│ │ ├── SHA256SUM.sig
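Review bot: The added paragraph names the checksum files `SHA256SUMS`, `SHA256SUMS.sig` and `SHA256SUMS.sign`, while the example tree right below it lists `SHA256SUM` and `SHA256SUM.sig`. Use the names the recorder actually writes in both places, since anyone scripting integrity verification from this page needs the exact file names. The same paragraph calls the signature file "a copy of the SHA256SUMS file, signed with the BSR's private key", whereas the session folder list describes it as a signature of the plaintext file "created with the private key" and treats the BSR key and the ed25519 private key as separate items; say which key signs and whether the file is a detached signature or a signed copy.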
@@ -132,50 +153,29 @@ If you use a multiplexed protocol, there are subdirectories for the channels.
132
153
│ │ ├── messages-outbound.data
133
154
│ │ ├── requests-inbound.data
134
155
│ │ └── requests-outbound.data
135
-
│ ├── connection-recording-summary.json
136
-
│ ├── connection-recording.meta
137
-
│ ├── requests-inbound.data
138
-
│ └── requests-outbound.data
139
-
├── cr_W53Y93bB78.connection
140
-
│ ├── SHA256SUM
141
-
│ ├── SHA256SUM.sig
142
-
│ ├── chr_uVVuUITnVn.channel
143
-
│ │ ├── SHA256SUM
144
-
│ │ ├── SHA256SUM.sig
145
-
│ │ ├── channel-recording-summary.json
146
-
│ │ ├── channel-recording.meta
147
-
│ │ ├── messages-inbound.data
148
-
│ │ ├── messages-outbound.data
149
-
│ │ ├── requests-inbound.data
150
-
│ │ └── requests-outbound.data
151
-
│ ├── connection-recording-summary.json
152
-
│ ├── connection-recording.meta
153
-
│ ├── requests-inbound.data
154
-
│ └── requests-outbound.data
155
-
├── pubKeyBsrSignature.sign
156
-
├── pubKeySelfSignature.sign
157
-
├── session-meta.json
158
-
├── session-recording-summary.json
159
-
├── session-recording.meta
160
-
├── wrappedBsrKey
161
-
└── wrappedPrivKey
156
+
│ └──
157
+
└──
158
+
159
+
162
160
```
163
161
164
162
### BSR Session folder
165
-
```
166
-
└── sr_iNCdGSREeX.bsr
167
-
├── SHA256SUM
168
-
├── SHA256SUM.sig
169
-
├── bsrKey.pub
170
-
├── cr_3bB78W53Y9.connection
171
-
├── pubKeyBsrSignature.sign
172
-
├── pubKeySelfSignature.sign
173
-
├── session-meta.json
174
-
├── session-recording-summary.json
175
-
├── session-recording.meta
176
-
├── wrappedBsrKey
177
-
└── wrappedPrivKey
178
-
```
163
+
A BSR session folder contains the following files:
164
+
-`SHA256SUM.sig` is a plaintext file that contains rows of file names paired with a checksum for file contents.
165
+
-`SHA256SUM.sig` is a signature of the plaintext `SHA256SUM` file created with the private key.
166
+
-`bsrKey.pub` is the public ed25519 key.
167
+
-`pubKeySelfSignature.sign` is a self-signature of the plaintext public ed25519 key created with its private key.
168
+
-`pubKeyBsrSignature.sign` is a signature of the plaintext public ed25519 key created with the BSR key.
169
+
-`wrappedBsrKey` is the BSR key wrapped by the external KMS AES-GCM key that you configure.
170
+
-`wrappedPrivKey` is the private ed25519 key wrapped by the external KMS AES-GCM key that you configure.
171
+
-`session-meta.json` is a JSON file that contains metadata about the session, including the session id, endpoint,
172
+
user, target, host, worker, and credentials used to access the target. The intention of this file is to provide all information
173
+
relevant to the recorded session so that the BSR provides a complete snapshot of a session even in the absence of the Boundary
174
+
control plane.
175
+
-`session-recording.meta` is a plaintext file that contains metadata about the session, including the session id, protocol,
176
+
and a connection ids. For each connection id listed, there should be a corresponding connection directory in the session directory.
177
+
-`session-recording-summary.json` is a JSON file that contains a summary of the session recording, including the session id, connection count,
178
+
start time, end time, and any errors encountered during recording of the session.
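Review bot: In the new "A BSR session folder contains the following files" list, the first bullet describes `SHA256SUM.sig` as the plaintext checksum file and the second bullet describes `SHA256SUM.sig` again as the signature; the first should be `SHA256SUM`. The rewritten tree also now ends in two unnamed branches (`│ └──` and `└──`); if they stand for omitted entries, mark them with an ellipsis, otherwise drop them. In the `session-recording.meta` bullet, "and a connection ids" should lose the article.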
`SHA256SUM` and `SHA256SUM.sig` files are used for cryptographically verifying the contents of this directory.
270
-
For more information on `*.sign`, `bsrKey.pub`, `wrappedBsrKey`, and `wrappedPrivKey` files, refer to [Validating the integrity of session recordings](/boundary/docs/operations/session-recordings/validate-session-recordings).
271
-
272
274
### BSR Connection folder
273
-
274
-
```
275
-
└── cr_W53Y93bB78.connection
276
-
├── SHA256SUM
277
-
├── SHA256SUM.sig
278
-
├── chr_uVVuUITnVn.channel
279
-
├── connection-recording-summary.json
280
-
├── connection-recording.meta
281
-
├── requests-inbound.data
282
-
└── requests-outbound.data
283
-
```
275
+
A BSR connection folder contains the following files:
276
+
-`SHA256SUM.sig` is a plaintext file that contains rows of file names paired with a checksum for file contents.
277
+
-`SHA256SUM.sig` is a signature of the plaintext `SHA256SUM` file created with the private key.
278
+
-`connection-recording.meta` is a plaintext file that contains metadata about the connection, including the connection id,
279
+
requests seen, channel ids, and any errors seen. For each channel id listed, there should be a corresponding channel directory in the connection directory.
280
+
-`connection-recording-summary.json` is a JSON file that contains a summary of the connection, including the connection id,
281
+
start time, end time, bytes up, bytes down, and any errors encountered during recording the connection.
282
+
-`requests-inbound.data` is a binary file containing all inbound SSH request messages transmitted for the connection.
283
+
-`requests-outbound.data` is a binary file containing all outbound SSH request messages transmitted for the connection.
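Review bot: The connection folder list repeats the naming slip from the session folder list: its first bullet calls the plaintext checksum file `SHA256SUM.sig`, the same name the next bullet gives the signature, so it should read `SHA256SUM`. With the per-folder tree removed, this section no longer shows that a connection directory can hold `*.channel` subdirectories; a bullet for them would keep that visible next to the `connection-recording.meta` entry, which says each listed channel id should have a corresponding channel directory.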