Contributors: huuancao, markstos, nimdanitro
log-user-session's Issues

Terminal gets garbled

Steps to reproduce:

  1. Start log-user-session
  2. In it, start tmux
  3. Create a horizontal split (^B % by default)
  4. Run htop (in the right pane)
  5. Observe the left pane getting ruined

Other apps may break too.

Console logging?

Hello,

First, I'd like to say that I've been using log-user-session on hundreds of machines for 5+ years and it's been great. For the majority of this time, the hosts were either physical or VMs and as part of security compliance, local console login was disabled and rarely if ever needed.

Now, many machines have been migrated to AWS EC2's and for some reason or another, the need to use the local EC2 serial console to troubleshoot has come up more often than I care to admit. Is there any way that log-user-session can be used to log sessions other than just ssh? Ideally, any shell that gets opened would get logged (local console, serial console) so that we can be honest when telling auditors that all commands and output is logged.

Thanks for any help and guidance that may be provided; log-user-session is great and I'm hoping there's some way to configure or enhance it to handle this additional scenario.

command 'stty -echo' allows escaping session logging easily!

As I found, script, asciinema and log-user-session are not enough for security audit purposes, since user-typed input is not recorded until it is echoed by the shell.
Thus if one issues the command 'stty -echo', all executed commands become hidden, so the user escapes security logging!

Do we need total recording of entire input/output by sshd?
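The gap this issue describes can be measured directly. The following is an added example, not part of the issue or of log-user-session: it drives sh through a pseudo-terminal and keeps two separate logs, the bytes the "user" typed and the bytes the terminal displayed. After stty -echo, the typed command (a constructed no-op marker, AUDIT_MARKER_hidden_command) is still present in the input log but absent from the output log, which is exactly what an output-only recorder would miss. The shell name, the marker and the SY''NC synchronisation trick are assumptions of this example.

```python
import os
import pty
import select
import time

# Constructed marker: ':' is the shell no-op, so this command produces no output at all.
HIDDEN_COMMAND = ": AUDIT_MARKER_hidden_command"


def _read(fd, stop_at=None, timeout=5.0):
    """Read from the pty master until stop_at appears (or EOF / timeout); return the bytes read."""
    buf = b""
    deadline = time.monotonic() + timeout
    while stop_at is None or stop_at not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        ready, _, _ = select.select([fd], [], [], remaining)
        if not ready:
            continue
        try:
            chunk = os.read(fd, 4096)
        except OSError:        # EIO on Linux once the slave side is closed
            break
        if not chunk:          # EOF on other platforms
            break
        buf += chunk
    return buf


def record_session():
    """Drive a shell through a pty, keeping two logs: the bytes the 'user' typed
    (input log) and the bytes the terminal showed (output log)."""
    pid, master = pty.fork()
    if pid == 0:                       # child: become the shell
        try:
            os.execvp("sh", ["sh"])
        finally:
            os._exit(127)
    input_log, output_log = bytearray(), bytearray()

    def send(line):
        data = line.encode() + b"\n"
        input_log.extend(data)         # recorded before the line discipline decides about echo
        os.write(master, data)

    # Turn echo off, then print a marker so we know the shell has processed it.
    # The typed text reads SY''NC (split by empty quotes), so only echo's output contains "SYNC".
    send("stty -echo; echo SY''NC")
    output_log.extend(_read(master, stop_at=b"SYNC"))
    # From here on the terminal no longer echoes keystrokes.
    send(HIDDEN_COMMAND)
    send("exit")
    output_log.extend(_read(master))   # drain until the shell exits
    os.close(master)
    os.waitpid(pid, 0)
    return bytes(input_log), bytes(output_log)


def audit_gap(input_log, output_log, needle=b"AUDIT_MARKER_hidden_command"):
    """True when the command is present in the input log but absent from the output log."""
    return needle in input_log and needle not in output_log


if __name__ == "__main__":
    inp, out = record_session()
    print("output-only recorder would have missed the command:", audit_gap(inp, out))
```

A recorder that sits on the pty master, as this example does, sees the input stream regardless of the terminal's echo flag, so logging both directions closes the stty -echo gap. The input log then also contains passwords typed at prompts that deliberately run with echo off, so it needs at least the same access controls and tamper protection as the output log.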

grep'ing the log files can cause recursive logging loop

I wanted to check the logs for something so I became root and then ran a basic 'grep' on the log files. It matched the log file that was currently created, adding a new line to file which contained the grep command, including the word being grep'ed for. This happened fast enough to be displayed as an additional match for grep, which caused another line to be written and another match to be found and another line to be written and...

The log grew 100x in size in just a few seconds before I manually cancelled the grep.

If this is not fixable, the possibility should be noted in the documentation.

Building packages for Debian/Red Hat based systems

Hi,

Kudos for the nice tool. I have packaged it for Ubuntu and Red Hat and added it to my base install since I was looking for a way to track activity on a shared account based on IP/SSH fingerprint.

For Red Hat, SetUID was not OK and I added the config file. Ubuntu worked as expected but without a config file (which you don't need per se).

Red Hat how to:

log-user-session.spec

Name:           log-user-session
Version:        0.7
Release:        1%{?dist}
Summary:        Store the content of a shell session (e.g. via ssh) for auditing purposes

License:        MIT
URL:            https://github.com/open-ch/log-user-session
Source0:        log-user-session-%{version}.tar.gz

BuildRequires:  autoconf gcc make automake

%description
log-user-session is a program to store the content of a shell session (e.g. via ssh),
e.g. for auditing purposes. The tool is intended to be started by the ssh server
daemon. The log is tamper-proof for non-root users.

%prep
%setup -q

%build
./autogen.sh
%configure
make %{?_smp_mflags}

%install
rm -rf $RPM_BUILD_ROOT
%make_install
# the binary has to run setuid root; the mode is declared again in %files below
chmod u+s %{buildroot}/usr/bin/log-user-session
# the config file is copied from the build host (written by the echo in "To build" below)
mkdir -p %{buildroot}/etc/
cp /etc/log-user-session.conf %{buildroot}/etc/log-user-session.conf
chmod 600 %{buildroot}/etc/log-user-session.conf

%files
%attr(4755,root,root) /usr/bin/log-user-session
/usr/share/man/man8/log-user-session.8.gz
%config(noreplace) %attr(0600,root,root) /etc/log-user-session.conf

%changelog

To build

# run from the rpmbuild tree, e.g. ~/rpmbuild
cd SOURCES/
wget https://github.com/open-ch/log-user-session/archive/develop.zip
unzip develop.zip
# the GitHub archive unpacks to log-user-session-develop/; rename it to match Version in the spec
mv log-user-session-develop/ log-user-session-0.7
tar -czf log-user-session-0.7.tar.gz log-user-session-0.7
# the spec copies this file from the build host into the package
echo "LogFile = /var/log/user-session/%h-%u-%y%m%d-%H%M%S-%c-%p.log
LogRemoteCommandData = 1
LogNonInteractiveData = 1" > /etc/log-user-session.conf
rpmbuild -bb ../SPECS/log-user-session.spec

Debian how to:

wget https://github.com/open-ch/log-user-session/archive/develop.zip
unzip develop.zip
# the GitHub archive unpacks to log-user-session-develop/
mv log-user-session-develop/ log-user-session-0.7
cd log-user-session-0.7/
./autogen.sh
./configure
make
# checkinstall wraps "make install" into a .deb that dpkg can track and remove
checkinstall

setuid necessary?

Is it necessary for this to run setuid? Could it run as a less privileged user and log to the systemd journal instead?

I've started the process of packaging this app as a "snap" for easier installation on a number of distros, but the use of setuid trips up one of the security features of the format.

Remarks on security

Our security engineer had a look at the solution and these are his remarks.

  • Logging can be bypassed if the user uses ‘screen’ or ‘tmux’
    Activity is not recorded
  • ANSI codes in the user output make the logs inoperable
    E.g.: use of VIM with colour syntax highlighting activated makes the output unreadable. Can be tested, for example, by setting an alias with VIM (e.g. ‘rm -rf /’): not possible to track.
  • ANSI recording generates enormous log files.
    Colour info is not mandatory in the logs

Anything you can agree on and want to remediate?
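For the second and third remarks, a post-processing step can make the logs readable and much smaller without changing what the recorder captures. The following is an added example, not code from the project: it strips CSI, OSC, charset and single-character escape sequences and then replays carriage returns and backspaces on a per-line buffer, so the result is what was finally on the screen rather than every intermediate redraw. The sample bytes are constructed to mimic a vim session that sets an alias.

```python
import re

ANSI_RE = re.compile(
    rb"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: colours, cursor movement, erase, private modes such as ?1049h
    rb"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: window title, hyperlinks; ends with BEL or ESC \
    rb"|\x1b[()*+][0-~]"                    # charset designation, e.g. ESC ( B
    rb"|\x1b[=>78DEHMNOZc]"                 # single-character escapes: keypad mode, save/restore cursor, reset
)

# Constructed sample: what a recorder might capture when a user opens vim, adds an alias,
# then runs something that redraws its line with carriage returns and backspaces.
SAMPLE = (
    b"\x1b[?1049h\x1b[H\x1b[2J"                 # vim: switch to the alternate screen and clear it
    b"\x1b[32malias\x1b[0m ll='ls -l'\r\n"      # syntax-coloured text
    b"\x1b]0;vim .bashrc\x07"                   # window title set by vim
    b"progress 10%\rprogress 100%\r\n"          # line rewritten in place
    b"typo\x08\x08\x08\x08tidy\r\n"             # four backspaces, then retyped
    b"\x1b[?1049l"                              # vim: leave the alternate screen
)


def strip_ansi(data: bytes) -> bytes:
    """Remove escape sequences; this alone already shrinks colour-heavy logs considerably."""
    return ANSI_RE.sub(b"", data)


def render_screen_text(data: bytes) -> str:
    """Approximate what the user finally saw: strip escapes, then replay \\r and \\b
    on a per-line buffer so overwritten text is replaced rather than duplicated."""
    text = strip_ansi(data).decode("utf-8", errors="replace")
    lines, line, cursor = [], [], 0
    for ch in text:
        if ch == "\n":
            lines.append("".join(line))
            line, cursor = [], 0
        elif ch == "\r":                 # carriage return: back to column 0, overwrite follows
            cursor = 0
        elif ch == "\b":                 # backspace: move left one column
            cursor = max(0, cursor - 1)
        elif ch in ("\x07", "\x00"):     # bell, NUL: nothing visible
            continue
        else:
            if cursor < len(line):
                line[cursor] = ch
            else:
                line.append(ch)
            cursor += 1
    if line:
        lines.append("".join(line))
    return "".join(l + "\n" for l in lines)


if __name__ == "__main__":
    print(render_screen_text(SAMPLE), end="")
    print(f"{len(SAMPLE)} bytes raw, {len(strip_ansi(SAMPLE))} bytes without escapes")
```

Keep the raw capture as the evidence of record and run this only on a copy for review: the rendering is an approximation (it knows nothing about cursor-positioning sequences, which it drops), and a reviewer who finds something odd in the rendered text should go back to the raw bytes.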

log-user-session not logging full TAR commands

When a command like tar -xf - is issued over SSH, the lone hyphen appearing at the end of this command indicates that tar is expecting its input from stdin.

How to log the input to this unusual command with log-user-session so I can capture this stdin input and convert it to a .tar file for future analysis?

Also, I am having problems monitoring the I/O of the command scp -pf.
BTW: the "undocumented" -f switch is described in section 3.8.1 here.

do not print error if configuration file is missing

After a clean install and login, the user logging in is greeted with this:

using default configuration
/etc/log-user-session.conf: No such file or directory

I thought this might just happen on the first login, but it happens on every login.

I tried just "touch"'ing the named file, but that just caused a different error. Apparently an empty file is not valid:

error while parsing configuration file /etc/log-user-session.conf:

Finally, I copied the defaults from the documentation and put them in the file. Since the defaults were used, the configuration was the same, but now there's no extra output when logging in.

It would be nice if the configuration file was created during installation to avoid these warnings.

Thanks!
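As an added illustration, not the project's parser (whose behaviour this only models): a reader for the Key = value format shown in the packaging issue above that treats a missing or empty file as "use the defaults" and reports only genuinely malformed lines. The option names and default values are taken from that packaging issue; that they are the program's real defaults is an assumption.

```python
# Option names and defaults as shown in the packaging issue above; that these are the
# program's own defaults is an assumption of this example.
DEFAULTS = {
    "LogFile": "/var/log/user-session/%h-%u-%y%m%d-%H%M%S-%c-%p.log",
    "LogRemoteCommandData": "1",
    "LogNonInteractiveData": "1",
}
FLAGS = ("LogRemoteCommandData", "LogNonInteractiveData")


class ConfigError(ValueError):
    """Raised only for a genuinely malformed file, never for a missing or empty one."""


def parse_config_text(text: str) -> dict:
    """Parse 'Key = value' lines. Blank lines and '#' comments are ignored, so an
    empty file simply yields the defaults."""
    settings = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ConfigError(f"line {lineno}: expected 'Key = value', got {raw!r}")
        if key not in DEFAULTS:
            raise ConfigError(f"line {lineno}: unknown option {key!r}")
        if key in FLAGS and value not in ("0", "1"):
            raise ConfigError(f"line {lineno}: {key} must be 0 or 1, got {value!r}")
        if key == "LogFile" and not value:
            raise ConfigError(f"line {lineno}: LogFile needs a path")
        settings[key] = value
    return settings


def load_config(path: str):
    """Return (settings, note). A missing file means 'use the defaults' and is not
    an error; the note is what a program could print at debug level instead of
    greeting every login with 'No such file or directory'."""
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except FileNotFoundError:
        return dict(DEFAULTS), f"{path} not present, using default configuration"
    settings = parse_config_text(text)
    if not text.strip():
        return settings, "empty configuration file, using defaults"
    return settings, f"configuration read from {path}"


if __name__ == "__main__":
    cfg, note = load_config("/etc/log-user-session.conf")
    print(note)
    for key, value in cfg.items():
        print(f"{key} = {value}")
```

The distinction worth keeping is between "nothing to read" (missing or empty file, silently use defaults) and "something I could not understand" (fail loudly, because a typo in LogFile that silently falls back to a default would be a gap in the audit trail).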

using exec on .bashrc

I'm calling a menu from .bashrc using exec command. Seems like log-user-session does not start at all, no file is generated in this case.

log-user-sessio segfault

Hi,

There are a few segmentation faults in the /var/log/messages log. How can I debug this problem?

Apr  4 05:00:12 test-f kernel: log-user-sessio[66297]: segfault at 0 ip 0000000000402669 sp 00007ffe203fb570 error 4 in log-user-session[400000+5000]
Apr  4 05:02:03 test-f kernel: log-user-sessio[66448]: segfault at 0 ip 0000000000402669 sp 00007ffe28fff010 error 4 in log-user-session[400000+5000]
Apr  4 05:07:23 test-f kernel: log-user-sessio[66951]: segfault at 0 ip 0000000000402669 sp 00007fff400137d0 error 4 in log-user-session[400000+5000]

log file locking issues?

With the default LogFile name, it seems that two sessions would rarely (or never) try to write to the same log at the same time.

However, the log file might be changed to /var/log/user-session.log to simplify file location. In that case, every session would try to write the same file. Will this case cause a problem, either because only one session can write to the file at a time, or with data loss from two sessions trying to write to the same log at the same time?
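The following is an added experiment, not a description of how log-user-session writes: several forked writers append two-part records to one shared log using O_APPEND plus an exclusive flock, and a checker then confirms that every record arrived whole and exactly once. The record format and the payload are constructed for the experiment.

```python
import fcntl
import os
import re
import tempfile

# Constructed record format: "[session<N>:<seq>] " followed by a 64-byte payload.
RECORD_RE = re.compile(rb"^\[session(\d+):(\d+)\] x{64}$")


def append_record(path, session, seq, payload):
    """Append one record under an exclusive advisory lock.
    O_APPEND makes each write() land at the current end of file; the flock keeps the
    two writes that make up a record together while other sessions are writing."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)
        os.write(fd, b"[session%d:%d] " % (session, seq))
        os.write(fd, payload + b"\n")
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)


def run_sessions(path, sessions, records):
    """Fork one writer per simulated session; each appends `records` records."""
    pids = []
    for s in range(sessions):
        pid = os.fork()
        if pid == 0:
            try:
                for i in range(records):
                    append_record(path, s, i, b"x" * 64)   # constructed payload
            finally:
                os._exit(0)
        pids.append(pid)
    for pid in pids:
        os.waitpid(pid, 0)


def verify_log(path, sessions, records):
    """Return (ok, corrupted_lines): every line must be a complete record and every
    (session, seq) pair must be present exactly once."""
    seen, corrupted = {}, 0
    with open(path, "rb") as fh:
        for line in fh.read().split(b"\n"):
            if not line:
                continue
            m = RECORD_RE.match(line)
            if m is None:
                corrupted += 1
                continue
            key = (int(m.group(1)), int(m.group(2)))
            seen[key] = seen.get(key, 0) + 1
    complete = len(seen) == sessions * records and all(n == 1 for n in seen.values())
    return complete and corrupted == 0, corrupted


def demo(sessions=4, records=200):
    """Shared-log experiment; True when no record was lost or interleaved."""
    fd, path = tempfile.mkstemp(prefix="user-session-", suffix=".log")
    os.close(fd)
    try:
        run_sessions(path, sessions, records)
        ok, _ = verify_log(path, sessions, records)
        return ok
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("all records intact:", demo())
```

O_APPEND guarantees that each write() is positioned at the current end of file, so records written in a single call do not overwrite each other; the advisory lock is what keeps multi-write records from interleaving, and it only works among writers that take it. Per-session files, as the default LogFile pattern produces, avoid the question entirely, at the cost of the scattered file names this issue mentions.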

segfault when using Ansible to connect to log-user-session on Ubuntu 22.04

I have log-user-session running on an Ubuntu 22.04 server. (OpenSSH 8.9p1) I can SSH to it fine and see from the logging that log-user-session is working. But if I try to use ansible to connect via ssh with the same user to the same host, log-user-session reliably crashes. This can be reproduced with the simple Ansible ping command:

ansible -m ping -vvv bastion-new

By turning on debug logging, you can see exactly how the SSH connection is different. It uses these args:

ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o 'ControlPath="/home/mark/.ansible/cp/c366ed7860"' bastion-new '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''

On the server side, this logging is produced:

Feb 21 18:40:52 bastion.example.com kernel: log-user-sessio[130612]: segfault at 0 ip 00005555ba61faeb sp 00007ffde2562d48 error 4 in log-user-session[5555ba61e000+4000]

I'm wondering if there's an easy fix or another alternative to this project I should be considering to secure my bastion hosts a bit more.

wish: support for logging proxy commands

I'd like to use this on a bastion host, where the common use case is that users transparently ssh /through/ the machine. A client configuration might look like this:

Host target-host
     ProxyCommand ssh -W %h:%p bastion

This currently generates no logging on the bastion host where log-user-session is installed when I expected it would. I tried installing it both in the main sshd_config file as well as the authorized_keys file for a user, with the same result.

SSH Browser (SFTP) doesn't work after adding "ForceCommand log-user-session" to sshd_config

Compiled the project with default settings. Then updated sshd_config by adding "ForceCommand log-user-session" to the tail; and also created /etc/log-user-session.conf with one single line:
LogFile = /var/log/user-session/%h-%u-%y%m%d-%H%M%S-%c-%p.log

Everything looks fine, except SFTP. I'm using mobaxterm. It doesn't show files/folders on the remote machine.

SFTP works well again after "ForceCommand log-user-session" was disabled.

Hope someone can tell how to fix it. Thanks.
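One way to keep SFTP working while every shell or command request still goes through the logger is a small dispatcher used as the ForceCommand. The following is an added example, not part of the project: sshd puts the client's original request in SSH_ORIGINAL_COMMAND (for a subsystem request, that is the subsystem command configured in sshd_config), so the dispatcher execs the real sftp-server on an exact match with the configured sftp command and hands everything else to log-user-session. The paths in SFTP_SERVERS, SFTP_BINARY and SESSION_LOGGER are assumptions to adjust to the local installation.

```python
import os

# Assumed local values for this example; adjust to the paths in your sshd_config.
SFTP_SERVERS = frozenset({
    "internal-sftp",
    "/usr/lib/openssh/sftp-server",
    "/usr/libexec/openssh/sftp-server",
})
SFTP_BINARY = "/usr/lib/openssh/sftp-server"   # a wrapper cannot exec "internal-sftp", so it needs the real binary
SESSION_LOGGER = "/usr/bin/log-user-session"   # install path used by the packaging issue above


def choose_handler(environ):
    """Return the argv the forced command should exec, based on the client's request.

    sshd stores the original request in SSH_ORIGINAL_COMMAND; for a subsystem
    request it is the subsystem command line from sshd_config, so an SFTP client
    shows up as exactly that string and nothing else."""
    original = environ.get("SSH_ORIGINAL_COMMAND", "").strip()
    if original in SFTP_SERVERS:
        # Exact match only: '.../sftp-server; id' or a look-alike path is a command, not SFTP.
        return [SFTP_BINARY, "-l", "INFO"]        # -l: sftp-server's own syslog level
    # Interactive shells (no original command) and remote commands such as the
    # ansible 'echo ~ && sleep 0' from the issue above are left to the logger,
    # which reads SSH_ORIGINAL_COMMAND itself from the inherited environment.
    return [SESSION_LOGGER]


if __name__ == "__main__":
    argv = choose_handler(os.environ)
    os.execv(argv[0], argv)   # replace this process; the environment is passed on unchanged
```

The match is deliberately exact: a request such as "/usr/lib/openssh/sftp-server; id" must not be treated as SFTP, otherwise the dispatcher would become a way around the logger. SFTP transfers routed this way are not in the session log at all; sftp-server -l INFO makes the SFTP server record file operations through syslog instead, so the audit trail is split across two places and both need to be collected.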
