agent's People

Contributors

matthill


agent's Issues

After sudo su, user executing the command must be root

Issue here is that if you sudo su, and run some commands after that, they are logged as the initial user before the sudo su command.

for example:

user1 executing sudo su
user1 executing: ls /root

I think it must be

user1 executing sudo su
root executing: ls /root
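One way a log consumer could re-attribute commands once a root shell has been opened in a session, as an added example that is not sshlog's own code; the event dicts and their field names (session_id, username, command) are assumptions for illustration:

```python
"""Attribute commands to the effective user after 'sudo su'.

Added example, not sshlog's code. The event dicts below are constructed
and their field names (session_id, username, command) are assumptions.
"""
import shlex

# Commands that replace the session's shell with a root shell.
ROOT_SHELL_COMMANDS = {
    ("sudo", "su"),
    ("sudo", "su", "-"),
    ("sudo", "-i"),
    ("sudo", "-s"),
    ("su",),
    ("su", "-"),
}

# Constructed sample: the scenario from the issue plus a second session.
SAMPLE_EVENTS = [
    {"session_id": "s1", "username": "user1", "command": "sudo su"},
    {"session_id": "s1", "username": "user1", "command": "ls /root"},
    {"session_id": "s1", "username": "user1", "command": "exit"},
    {"session_id": "s1", "username": "user1", "command": "whoami"},
    {"session_id": "s2", "username": "bob", "command": "ls"},
]


def _switches_to_root(command: str) -> bool:
    """True if the command line opens a root shell."""
    try:
        argv = tuple(shlex.split(command))
    except ValueError:  # unbalanced quotes: not one of the known forms
        return False
    return argv in ROOT_SHELL_COMMANDS


def attribute_effective_user(events):
    """Return a copy of each event with an added 'effective_user' field.

    Keeps a per-session stack of users: the 'sudo su' line itself is still
    attributed to the login user, everything typed afterwards to root, and an
    'exit' from the root shell falls back to the previous user.
    """
    stack = {}  # session_id -> list of effective users, last is current
    out = []
    for ev in events:
        sid = ev["session_id"]
        users = stack.setdefault(sid, [ev["username"]])
        out.append(dict(ev, effective_user=users[-1]))
        cmd = ev.get("command", "")
        if _switches_to_root(cmd):
            users.append("root")
        elif cmd.strip() == "exit" and len(users) > 1:
            users.pop()
    return out


if __name__ == "__main__":
    for ev in attribute_effective_user(SAMPLE_EVENTS):
        print(f"{ev['effective_user']} executing: {ev['command']}")
```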

Lots of disconnect events

I am running Ubuntu on an EC2 instance with only SSH allowed inbound, and when I run sshlog watch I am not seeing any connection attempts, but many connection_close events from IP addresses and high port numbers, like 30000-60000. What might be the reason for this?

Logging if someone jumps through the host

Hi,
I was looking for a tool that would help me log an event when someone uses the server as a proxy to connect to other hosts. It is commonly known that this is a typical vector of hacker activity, so the ability to log such events would be helpful in increasing server security. Unfortunately, apart from examples, I did not find any other triggers that could be used, and I checked that “connection_established” does not log sessions in which someone uses the server as a proxy (jumphost). Any hints?

Adjust README for AUR Package

Hello everyone,

I've developed an AUR package for sshlog tailored for ArchLinux.
You can easily install it using an AUR helper such as yay -S sshlog-bin. The package currently utilizes the Debian build package for arm and amd64, available here: sshlog-bin on AUR.

For manual installation on Arch Linux, follow these steps:

git clone https://aur.archlinux.org/sshlog-bin.git && cd sshlog-bin
makepkg -si

Additionally, I can create a git version that compiles the package if there is a need.

An issue I've encountered is that although joining the sshlog group, my user isn't able to use the daemon without sudo. I'm uncertain whether this is a packaging or software-related problem, so I haven't made any adjustments yet.

It's possible to make a simple adjustment to the package to automatically create the sshlog group if needed.

Best regards.

No root / sudo logs

Hello,

please update the description.

Record all SSH session activity (commands and output) to log files for any connecting user

This application does not log past sudo calls, neither direct root logins.

ebpf security impact

Hi,
I wanted to raise a concern regarding the security implications of using eBPF with tracepoints in our C application. While this combination provides powerful capabilities for monitoring kernel behavior, there are some risks you need to consider, particularly in terms of security.

One significant issue is that under heavy kernel load, not all tracepoint functions may be executed. This could lead to missed tracepoints or unpredictable behavior in your application, especially if you rely on tracepoints for security-related purposes. Additionally, there's a risk associated with depending on kernel functions that may change or be removed in subsequent OS releases, potentially leading to inconsistencies or errors in our application.

As a result, I suggest we refrain from positioning your product as a security tool per se. While it can be valuable for monitoring and analysis purposes, it should not be considered the sole means of securing a system against threats.

I also recommend considering adding a warning in the README to alert users to these potential security issues.

Ref1: https://www.brendangregg.com/blog/2023-04-28/ebpf-security-issues.html
Ref2: https://blog.trailofbits.com/2023/09/25/pitfalls-of-relying-on-ebpf-for-security-monitoring-and-some-solutions/

GPG Error - "gpg: no valid OpenPGP data found" during Debian/Ubuntu Install

Description:
I encountered an issue while attempting to install the software on a Debian/Ubuntu system. During the installation process, I received the error message "gpg: no valid OpenPGP data found." This error seems to indicate that there is an issue with the OpenPGP data used in the installation process.

Steps to Reproduce:

Attempted installation on a Debian/Ubuntu system using the provided instructions.
Observed the error message "gpg: no valid OpenPGP data found."
Expected Behavior:
The installation should proceed without any errors, and the software should be successfully installed on the system.

Additional Information:

Operating System: Ubuntu 22.04.2 LTS
Kernel : 5.15.0-1042-azure
Architecture: x86-64
Installation method used: apt-get install

Doesn't work at all

I have installed the package from apt and from the deb file you provided in the Releases menu of github repo.
The installation is smooth and successful. After that, when I use sshlog sessions, I can only see two sessions which are not correct, and both sessions' last activity shows the time when the sshlog service was actually started. If I open another ssh session in another terminal or close it, it doesn't increase or decrease the number of sessions in sshlog sessions.

Apart from that, when I use sshlog watch, it gives me an empty output even though I run several commands in another terminal while this command is running. The log files in /var/log/sshlog are empty and never generate any output even though I have run several commands. I have kept the configuration files as default and following are my machine's specs

OS : Ubuntu 20.04.6 LTS
OpenSSH Version : 1:8.2p1-4ubuntu0.11
Gnupg version : 2.2.19-3ubuntu2.2
Curl version : 7.68.0-1ubuntu2.21
sshlog version : 1.0.0
Kernel version : 5.4.0-1101-aws

Configure problem

When I run cmake on the project, it outputs some errors and I don't know how to deal with them.

sshlog process using 80% to 90% CPU

Hi there! I encountered an issue, as soon as I install sshlog the CPU usage spikes to between 80% and 90%.
I copied and pasted the instructions for "Debian/Ubuntu Install (arm64 and x86_64)". Here are the details of the OS:

Operating System: Ubuntu 20.04.3 LTS
Kernel: Linux 5.4.0-135-generic
Architecture: x86-64

The instance is a 2 GB Memory / 1 Intel vCPU DigitalOcean droplet, tried it with 2 different servers but got the same results and had to uninstall it immediately.

Lovely program by the way, always wanted something like this.

Error loading Python lib

Hi matthill

I am getting below error. Could you please help to resolve this:

Error loading Python lib '/tmp/_MEIONNbeW/libpython3.8.so.1.0': dlopen: /lib64/libm.so.6: version `GLIBC_2.29' not found (required by /tmp/_MEIONNbeW/libpython3.8.so.1.0).

Error running in LXC container: **libbpf: Failed to bump RLIMIT_MEMLOCK (err = -1), you might need to do it explicitly!**

Hi, congratulations for sshlog 💯
I'm running sshlog in different environments properly, but I have a problem with sshlog when running inside an LXC container with Proxmox (privileged or unprivileged, nesting or without nesting, with the same error result).
I attach the logs below; it's a Debian 12. Thanks in advance, and apologies because it isn't a sshlog-specific issue.

# sshlogd
Detected Plugin command_exit_code_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin command_name_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin command_name_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin command_output_contains_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin command_output_contains_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin ignore_existing_logins_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin require_tty_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin username_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin username_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin upload_file_path_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin upload_file_path_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
Detected Plugin webhook_action with fields [{'name': 'webhook_url', 'required': True}, {'name': 'do_get_request', 'required': False}]
Detected Plugin syslog_action with fields [{'name': 'server_address', 'required': True}, {'name': 'port', 'required': False}, {'name': 'program_name', 'required': False}, {'name': 'udp', 'required': False}, {'name': 'output_json', 'required': False}, {'name': 'facility', 'required': False}, {'name': 'severity', 'required': False}]
Detected Plugin email_action with fields [{'name': 'sender', 'required': True}, {'name': 'recipient', 'required': True}, {'name': 'subject', 'required': True}, {'name': 'body', 'required': True}, {'name': 'smtp_server', 'required': True}, {'name': 'smtp_port', 'required': True}, {'name': 'username', 'required': False}, {'name': 'password', 'required': False}]
Detected Plugin run_command_action with fields [{'name': 'command', 'required': True}, {'name': 'args', 'required': False}, {'name': 'timeout', 'required': False}]
Detected Plugin eventlogfile_action with fields [{'name': 'log_file_path', 'required': True}, {'name': 'output_json', 'required': False}, {'name': 'max_size_mb', 'required': False}, {'name': 'number_of_log_files', 'required': False}]
Detected Plugin slack_action with fields [{'name': 'slack_webhook_url', 'required': True}]
Detected Plugin statsd_action with fields [{'name': 'server_address', 'required': True}, {'name': 'port', 'required': False}, {'name': 'statsd_prefix', 'required': False}]
Detected Plugin sessionlog_action with fields [{'name': 'log_directory', 'required': True}, {'name': 'timestamp_frequency_seconds', 'required': False}]
Reading config file /etc/sshlog/sshlog.yaml
Configuration file /etc/sshlog/sshlog.yaml does not exist.  Skipping
Reading config file /etc/sshlog/conf.d/log_all_sessions.yaml
Reading config file /etc/sshlog/conf.d/log_events.yaml
Initializing event plugin stream_terminal
Initializing filter plugin ignore_existing_logins
Initializing action plugin log_all_sessions
Initialized action log_all_sessions with log directory /var/log/sshlog/sessions/
Initializing event plugin log_general_activity
Initializing filter plugin ignore_existing_logins
Initializing action plugin log_events
Initialized action log_events with log file path /var/log/sshlog/event.log
**libbpf: Failed to bump RLIMIT_MEMLOCK (err = -1), you might need to do it explicitly!**
libbpf: Error in bpf_object__probe_loading():Operation not permitted(1). Couldn't load trivial BPF program. Make sure your kernel supports BPF (CONFIG_BPF_SYSCALL=y) and/or that RLIMIT_MEMLOCK is set to big enough value.
libbpf: failed to load object 'sshtrace_bpf'
libbpf: failed to load BPF skeleton 'sshtrace_bpf': -1
Segmentation fault
~# uname -a
Linux vigor 5.15.74-1-pve #1 SMP PVE 5.15.74-1  x86_64 GNU/Linux

~# systemctl status sshlog
x sshlog.service - SSHLog Agent Service
     Loaded: loaded (/lib/systemd/system/sshlog.service; enabled; preset: enabled)
     Active: failed (Result: signal) since Fri 2023-11-10 15:01:12 UTC; 6min ago
   Duration: 402ms
    Process: 333 ExecStart=/usr/bin/sshlogd --logfile /var/log/sshlog/sshlogd.log (code=killed, signal=SEGV)
   Main PID: 333 (code=killed, signal=SEGV)
        CPU: 387ms

Nov 10 15:01:07 vigor systemd[1]: sshlog.service: Main process exited, code=killed, status=11/SEGV
Nov 10 15:01:07 vigor systemd[1]: sshlog.service: **Failed with result 'signal'.**

Segmentation fault ARM64 Raspberry PI running Kali Linux

Installed sshlog according to instructions.
Try to start the daemon and it fails with SEGV (segmentation fault)

systemctl start sshlog
# systemctl status sshlog
× sshlog.service - SSHLog Agent Service
     Loaded: loaded (/lib/systemd/system/sshlog.service; disabled; preset: disabled)
     Active: failed (Result: signal) since Mon 2023-08-21 11:49:46 UTC; 2s ago
   Duration: 1.494s
    Process: 350961 ExecStart=/usr/bin/sshlogd --logfile /var/log/sshlog/sshlogd.log (code=killed, signal=SEGV)
   Main PID: 350961 (code=killed, signal=SEGV)
        CPU: 1.487s

Aug 21 11:49:46 cerberus systemd[1]: sshlog.service: Scheduled restart job, restart counter is at 5.
Aug 21 11:49:46 cerberus systemd[1]: Stopped sshlog.service - SSHLog Agent Service.
Aug 21 11:49:46 cerberus systemd[1]: sshlog.service: Consumed 1.487s CPU time.
Aug 21 11:49:46 cerberus systemd[1]: sshlog.service: Start request repeated too quickly.
Aug 21 11:49:46 cerberus systemd[1]: sshlog.service: Failed with result 'signal'.
Aug 21 11:49:46 cerberus systemd[1]: Failed to start sshlog.service - SSHLog Agent Service.

Checked the /var/log/sshlog/sshlogd.log but no failures there.

2023-08-21 11:49:14,129 - plugin_manager.py:26 - INFO - Detected Plugin upload_file_path_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,130 - plugin_manager.py:26 - INFO - Detected Plugin upload_file_path_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,130 - plugin_manager.py:26 - INFO - Detected Plugin ignore_existing_logins_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,130 - plugin_manager.py:26 - INFO - Detected Plugin require_tty_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,130 - plugin_manager.py:26 - INFO - Detected Plugin username_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,130 - plugin_manager.py:26 - INFO - Detected Plugin username_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,130 - plugin_manager.py:26 - INFO - Detected Plugin command_exit_code_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,131 - plugin_manager.py:26 - INFO - Detected Plugin command_name_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,131 - plugin_manager.py:26 - INFO - Detected Plugin command_name_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,131 - plugin_manager.py:26 - INFO - Detected Plugin command_output_contains_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,131 - plugin_manager.py:26 - INFO - Detected Plugin command_output_contains_regex_filter with fields [{'name': 'filter_arg', 'required': True}]
2023-08-21 11:49:14,131 - plugin_manager.py:26 - INFO - Detected Plugin slack_action with fields [{'name': 'slack_webhook_url', 'required': True}]
2023-08-21 11:49:14,131 - plugin_manager.py:26 - INFO - Detected Plugin webhook_action with fields [{'name': 'webhook_url', 'required': True}, {'name': 'do_get_request', 'required': False}]
2023-08-21 11:49:14,132 - plugin_manager.py:26 - INFO - Detected Plugin email_action with fields [{'name': 'sender', 'required': True}, {'name': 'recipient', 'required': True}, {'name': 'subject', 'required': True}, {'name': 'body', 'required': True}, {'name': 'smtp_server', 'required': True}, {'name': 'smtp_port', 'required': True}, {'name': 'username', 'required': False}, {'name': 'password', 'required': False}]
2023-08-21 11:49:14,132 - plugin_manager.py:26 - INFO - Detected Plugin run_command_action with fields [{'name': 'command', 'required': True}, {'name': 'args', 'required': False}, {'name': 'timeout', 'required': False}]
2023-08-21 11:49:14,132 - plugin_manager.py:26 - INFO - Detected Plugin statsd_action with fields [{'name': 'server_address', 'required': True}, {'name': 'port', 'required': False}, {'name': 'statsd_prefix', 'required': False}]
2023-08-21 11:49:14,132 - plugin_manager.py:26 - INFO - Detected Plugin eventlogfile_action with fields [{'name': 'log_file_path', 'required': True}, {'name': 'output_json', 'required': False}, {'name': 'max_size_mb', 'required': False}, {'name': 'number_of_log_files', 'required': False}]
2023-08-21 11:49:14,132 - plugin_manager.py:26 - INFO - Detected Plugin sessionlog_action with fields [{'name': 'log_directory', 'required': True}, {'name': 'timestamp_frequency_seconds', 'required': False}]
2023-08-21 11:49:14,133 - plugin_manager.py:26 - INFO - Detected Plugin syslog_action with fields [{'name': 'server_address', 'required': True}, {'name': 'port', 'required': False}, {'name': 'program_name', 'required': False}, {'name': 'udp', 'required': False}, {'name': 'output_json', 'required': False}, {'name': 'facility', 'required': False}, {'name': 'severity', 'required': False}]
2023-08-21 11:49:14,133 - plugin_manager.py:37 - INFO - Reading config file /etc/sshlog/sshlog.yaml
2023-08-21 11:49:14,133 - plugin_manager.py:39 - WARNING - Configuration file /etc/sshlog/sshlog.yaml does not exist.  Skipping
2023-08-21 11:49:14,133 - plugin_manager.py:37 - INFO - Reading config file /etc/sshlog/conf.d/log_events.yaml
2023-08-21 11:49:14,143 - plugin_manager.py:37 - INFO - Reading config file /etc/sshlog/conf.d/log_all_sessions.yaml
2023-08-21 11:49:14,151 - plugin_manager.py:162 - INFO - Initializing event plugin log_general_activity
2023-08-21 11:49:14,151 - plugin_manager.py:167 - INFO - Initializing filter plugin ignore_existing_logins
2023-08-21 11:49:14,151 - plugin_manager.py:175 - INFO - Initializing action plugin log_events
2023-08-21 11:49:14,151 - eventlogfile_action.py:19 - INFO - Initialized action log_events with log file path /var/log/sshlog/event.log
2023-08-21 11:49:14,153 - plugin_manager.py:162 - INFO - Initializing event plugin stream_terminal
2023-08-21 11:49:14,153 - plugin_manager.py:167 - INFO - Initializing filter plugin ignore_existing_logins
2023-08-21 11:49:14,153 - plugin_manager.py:175 - INFO - Initializing action plugin log_all_sessions
2023-08-21 11:49:14,153 - sessionlog_action.py:53 - INFO - Initialized action log_all_sessions with log directory /var/log/sshlog/sessions/

My configuration:

# uname -a
Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03) aarch64 GNU/Linux
# ssh -V
OpenSSH_9.3p2 Debian-1, OpenSSL 3.0.9 30 May 2023

Remove dash-space prefix from JSON log messages

Hi

Is there a specific reason for the dash-space prefix in sshlog's log messages? It's an issue when JSON logs are fed into log collection/processing systems because they recognize the messages as invalid JSON because of that prefix. Could you remove it from the JSON log messages?

thx & best regards
ron

Suggestion to add IP along with username in logs

Hi

It might be helpful to have an option to log the IP next to the username that ran the command; otherwise you have to do a manual search by the session id to find the IP of the user.

Thanks
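An added example (not sshlog's code) that serves both of the last two requests from a log consumer's side: it strips the dash-space prefix before parsing each JSON line, and joins the client IP from a session's connection event to the later command events with the same session id. The event field names and the sample log lines are constructed assumptions, not sshlog's real schema.

```python
"""Normalize prefixed JSON event lines and attach the client IP to commands.

Added example, not part of sshlog. Field names (event_type, session_id,
username, source_ip, command) and the sample lines are constructed
assumptions; 203.0.113.0/24 is a documentation address range.
"""
import json

# Constructed sample: three valid events with the "- " prefix, one junk line,
# and one command whose session never had a connection event.
SAMPLE_LINES = """\
- {"event_type": "connection_established", "session_id": "s1", "username": "alice", "source_ip": "203.0.113.7"}
- {"event_type": "command_start", "session_id": "s1", "username": "alice", "command": "cat /etc/passwd"}
- not json at all
- {"event_type": "command_start", "session_id": "s9", "username": "bob", "command": "id"}
""".splitlines()

DASH_PREFIX = "- "


def parse_event_line(line):
    """Return the event dict for one log line, or None if it is not a JSON object."""
    body = line[len(DASH_PREFIX):] if line.startswith(DASH_PREFIX) else line
    try:
        ev = json.loads(body)
    except json.JSONDecodeError:
        return None
    return ev if isinstance(ev, dict) else None


def enrich_with_ip(lines):
    """Parse lines and add 'source_ip' to every command event.

    The IP is remembered per session from the connection_established event;
    commands in a session with no such event get "unknown" rather than being
    dropped, so the gap itself stays visible. Returns (events, skipped_lines).
    """
    ip_by_session = {}
    events = []
    skipped = 0
    for line in lines:
        ev = parse_event_line(line)
        if ev is None:
            skipped += 1
            continue
        sid = ev.get("session_id")
        if ev.get("event_type") == "connection_established" and "source_ip" in ev:
            ip_by_session[sid] = ev["source_ip"]
        if "command" in ev:
            ev = dict(ev, source_ip=ip_by_session.get(sid, "unknown"))
        events.append(ev)
    return events, skipped


if __name__ == "__main__":
    parsed, bad = enrich_with_ip(SAMPLE_LINES)
    for ev in parsed:
        print(json.dumps(ev))
    print(f"skipped {bad} non-JSON line(s)")
```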
