
Record Every SSH Session — Compliance-Ready Audit Trails for Linux Servers

Record every SSH session with identity-verified metadata. Replay sessions keystroke-by-keystroke for compliance, forensics, and incident response. Meet SOC 2, HIPAA, PCI DSS, and ISO 27001 requirements for privileged access auditing on Linux servers.

Why SSH Session Recording Is Essential

Compliance frameworks (SOC 2, HIPAA, PCI DSS, ISO 27001, NIST 800-53) require organizations to log, monitor, and audit privileged access to production systems. SSH sessions are privileged access by definition — yet most organizations have no visibility into what happens inside SSH sessions. Standard SSH logging records connection metadata (who connected, when) but not session content (what commands were executed, what files were accessed).

OnePAM provides comprehensive SSH session recording that captures every keystroke, command output, and terminal interaction. Each recording is tied to a verified corporate identity via SAML/OIDC authentication — not just an SSH key fingerprint. Recordings are stored with tamper-proof integrity verification and can be replayed for compliance audits, forensic investigations, and incident response.

OnePAM supports both agent-mode recording (captured on the server itself) and gateway-mode recording (captured at the proxy), ensuring coverage for any deployment architecture.

Local Agent Recording

The agent records sessions directly on the server. Captures terminal input/output with microsecond timestamps. Recordings are uploaded to OnePAM for centralized storage and search.

Gateway Recording

The gateway captures sessions at the proxy layer. No server-side recording agent needed. Ideal for servers you cannot install software on. All sessions passing through the gateway are recorded.

Risks of Unrecorded SSH Sessions

Without identity-based SSH access, these risks threaten your servers every day.

Without session recording, insider threats and compromised accounts operate with zero visibility into their SSH activity
SOC 2 Type II auditors increasingly require session-level evidence of privileged access, not just connection logs
HIPAA breach investigations require forensic evidence of what was accessed on servers containing ePHI
PCI DSS Requirement 10 requires logging of all actions by individuals with root or administrative privileges
Incident response teams cannot determine the blast radius of a security incident without SSH session content

SSH Security Challenges

These are the risks organizations face with traditional SSH authentication.

No Session Content Visibility

Standard SSH logging (auth.log, syslog) records connections but not commands. You know who connected but not what they did.

Compliance Evidence Gaps

SOC 2, HIPAA, and PCI DSS auditors ask for evidence of privileged access monitoring. Connection logs alone are insufficient. Session content is needed.

Key-Based Access Anonymity

SSH key fingerprints in logs don't identify the person behind the key. If keys are shared or stolen, attribution is impossible.

Incident Response Blind Spots

When a breach occurs, incident response teams need to know exactly what an attacker did during their SSH sessions. Without recording, this is guesswork.

Third-Party Access Auditing

Contractors, MSPs, and vendors with SSH access operate without oversight. Their sessions need to be recorded and reviewable.

Fragmented Logging

SSH logs are scattered across individual servers. Correlating sessions across a fleet requires log aggregation infrastructure that most organizations lack.

How OnePAM Records SSH Sessions

Step-by-step guide to deploying identity-based SSH access.

1. Enable Session Recording

Turn on session recording in OnePAM. Choose agent-mode recording, gateway-mode recording, or both.

Agent mode: Records terminal I/O on the server with microsecond timestamps. Gateway mode: Captures the SSH data stream at the proxy. Both modes produce identical playback-ready recordings.

2. Authenticate via Corporate IdP

Users authenticate via SAML/OIDC before SSH sessions begin. Every recording is tied to a verified corporate identity.

Recordings include: authenticated user identity, IdP name, MFA method used, source IP, device fingerprint, and session metadata. No anonymous recordings.

3. Sessions Are Recorded Automatically

Once enabled, all SSH sessions matching your recording policy are captured automatically. No user action required.

Recording policies can be global (all sessions), role-based (only admin sessions), server-based (only production), or time-based (only outside business hours). Users are notified that sessions are being recorded.

4. Tamper-Proof Storage

Recordings are stored with cryptographic integrity verification. Tampering is detectable.

Each recording includes a hash chain that verifies integrity. Recordings can be stored in OnePAM's built-in storage, exported to S3, or sent to your compliance archive.

5. Search, Replay, Export

Search recordings by user, server, time, or command. Replay sessions in real-time or accelerated. Export for compliance audits.

OnePAM's recording player shows terminal output exactly as the user saw it. Search across all recordings for specific commands (e.g., 'rm -rf', 'passwd', 'docker exec'). Generate compliance reports automatically.
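
The hash chain named in step 4, as an added illustration (not OnePAM's implementation or recording format): each terminal event is hashed together with the previous record's hash, so an edit or a removed record breaks the chain at that point. The event fields, genesis value and function names are assumptions; the last two cases show that a truncated tail is only caught when the head hash is anchored separately, for example in WORM storage.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed seed for the first link
FIELDS = ("seq", "t_us", "stream", "data")  # assumed event layout

def _link(prev_hash, event):
    # Canonical JSON so an event always serialises to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def seal(events):
    """Bind each (t_us, stream, data) event to the hash of its predecessor."""
    records, prev = [], GENESIS
    for seq, (t_us, stream, data) in enumerate(events):
        event = dict(zip(FIELDS, (seq, t_us, stream, data)))
        prev = _link(prev, event)
        records.append({**event, "hash": prev})
    return records

def verify(records, anchored_head=None):
    """Return None if intact, else the index where the chain first fails."""
    prev = GENESIS
    for i, rec in enumerate(records):
        event = {k: rec[k] for k in FIELDS}
        if rec["seq"] != i or not hmac.compare_digest(_link(prev, event), rec["hash"]):
            return i
        prev = rec["hash"]
    # A shortened chain is self-consistent; only a separately stored head shows it.
    if anchored_head is not None and not hmac.compare_digest(prev, anchored_head):
        return len(records)
    return None

# Constructed sample events: (microsecond offset, "i"nput or "o"utput, data).
SAMPLE = [(0, "o", "deploy@db01:~$ "),
          (1840112, "i", "sudo systemctl restart postgresql\r"),
          (9120450, "o", "\r\ndeploy@db01:~$ ")]

def demo():
    chain = seal(SAMPLE)
    head = chain[-1]["hash"]  # in practice stored apart from the recording
    edited = [dict(r) for r in chain]
    edited[1]["data"] = "sudo systemctl status postgresql\r"
    return {"intact": verify(chain, head),
            "edited": verify(edited, head),
            "dropped": verify(chain[:1] + chain[2:], head),
            "truncated_unanchored": verify(chain[:-1]),
            "truncated_anchored": verify(chain[:-1], head)}
```

Anyone who can rewrite the stored recording can also recompute every link, so the head hash has to live somewhere the recording's writer cannot modify.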

Benefits of SSH Session Recording

What changes when you deploy identity-based SSH access.

Complete Session Visibility

See exactly what happened in every SSH session. Every command, every output, every file interaction — captured and searchable.

100% session content captured

Identity-Verified Recordings

Every recording is tied to a SAML/OIDC-verified corporate identity — not an SSH key fingerprint. Know exactly who did what.

Full identity attribution

SOC 2 / HIPAA / PCI Ready

Session recordings provide the privileged access evidence that auditors require. Export reports for SOC 2 Type II, HIPAA, and PCI DSS audits.

Audit-ready evidence

Incident Response Forensics

Replay attacker sessions to determine exactly what was accessed, modified, or exfiltrated during a security incident.

Forensic-grade evidence

Contractor Oversight

Record every SSH session from contractors, vendors, and third parties. Review their activity without watching over their shoulder.

Full third-party visibility

Tamper-Proof Integrity

Recordings are cryptographically verified. Demonstrate to auditors and legal teams that recordings have not been altered.

Cryptographic integrity verification

SSH SSO Capabilities

Every feature needed for enterprise-grade SSH authentication.

Keystroke-by-keystroke session recording
Terminal output capture with timing data
Real-time and accelerated session replay
Search across all recordings by command or content
Policy-based recording (by role, server, or time)
User notification of active recording
Recording pause for sensitive credential entry
Export to S3, GCS, or compliance archives
Automatic retention policy enforcement
API access for compliance automation

Zero-Day Protection Features

Enterprise-grade security controls for SSH access.

Cryptographic hash chain for tamper detection
WORM-compatible storage integration
Access controls for recording playback
Encryption at rest and in transit
Recording metadata searchable without playback
Real-time alerting on suspicious commands
Integration with DLP for sensitive data detection
Retention policies with legal hold support

SSH Session Recording Use Cases

Common scenarios where organizations deploy OnePAM SSH SSO.

1. SOC 2 Type II auditors requiring session-level evidence of privileged SSH access with identity verification
2. HIPAA-regulated healthcare company recording SSH sessions to servers containing ePHI for breach investigation readiness
3. PCI DSS cardholder data environment requiring recording of all administrative SSH sessions per Requirement 10
4. Incident response team replaying SSH sessions from a compromised service account to determine data exfiltration scope
5. MSP recording contractor SSH sessions to client servers for accountability and dispute resolution
6. Financial institution recording SSH sessions to trading platform servers for regulatory compliance and internal audit

SSH Session Recording & Compliance FAQ

Common questions about SSH SSO and zero-day protection.

Does session recording affect SSH performance?

Recording adds negligible overhead (typically <1% CPU). Terminal responsiveness is indistinguishable from unrecorded sessions. Recordings are compressed and uploaded asynchronously to avoid impacting session performance.

Can users disable recording for specific sessions?

Recording policies are enforced server-side and cannot be bypassed by users. However, administrators can configure recording pause for sensitive credential entry (e.g., entering database passwords) to avoid capturing secrets.

How long are recordings retained?

Retention periods are configurable per policy — from 30 days to indefinite. Legal hold can preserve recordings beyond normal retention periods. Automatic cleanup removes expired recordings per policy.

Can I search for specific commands across all recordings?

Yes. OnePAM indexes all recordings for full-text search. Search for specific commands (e.g., 'rm', 'passwd', 'docker'), file paths, or any terminal content across all recordings. Results include the recording, timestamp, and surrounding context.

Are recordings admissible as legal evidence?

OnePAM recordings include cryptographic integrity verification (hash chains) that demonstrate recordings have not been tampered with. This level of integrity verification supports their use as evidence in legal and regulatory proceedings.

Does recording work with SCP and SFTP?

OnePAM records interactive SSH sessions (terminal sessions). SCP and SFTP file transfers are logged with metadata (source, destination, file size, user identity) but the file content is not captured to avoid excessive storage.

Record Every SSH Session with Identity Verification

Compliance-ready SSH session recording for SOC 2, HIPAA, PCI DSS.