syslog-ng-config: add sshlog

Add a facility to log <cmd> as requested by "ssh <host> <cmd>".
Commands are logged by setting the 'ForceCommand "/usr/sbin/sshlog"'
option.in sshd_config.

Interactive sessions, <cmd> is null, are not logged.

Story: 2009109
Task: 42970 Task: 42971
Change-Id: I6de4205b954e4762aa2c6807af297818cd6a9bc1
Signed-off-by: Joe Slater <joe.slater@windriver.com>

syslog-ng-config/centos/syslog-ng-config.spec

@@ -35,8 +35,11 @@ install -d %{buildroot}%{_datadir}/starlingx
 install -D -m644 syslog-ng.conf %{buildroot}%{_datadir}/starlingx/syslog-ng.conf
 install -D -m644 syslog-ng.logrotate %{buildroot}%{_datadir}/starlingx/syslog-ng.logrotate
 install -D -m644 remotelogging.conf %{buildroot}%{_sysconfdir}/syslog-ng/remotelogging.conf
+
 install -d %{buildroot}%{_sbindir}
 install -D -m700 fm_event_syslogger %{buildroot}%{_sbindir}/fm_event_syslogger
+install -D -m755 sshlog %{buildroot}%{_sbindir}/sshlog
+
 install -D -m644 syslog-ng.service %{buildroot}%{_datadir}/starlingx/syslog-ng.service
 
 %post
@@ -67,3 +70,4 @@ ldconfig
 %{_datadir}/starlingx/syslog-ng.logrotate
 %{_datadir}/starlingx/syslog-ng.service
 %{_sbindir}/fm_event_syslogger
+%{_sbindir}/sshlog

syslog-ng-config/files/sshlog

@@ -0,0 +1,49 @@
+#!/usr/bin/python3
+#
+# Copyrights (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# We assume that we are being called because of a command option in
+# ssh authorized_keys for whoever we are.  Where the log goes depends
+# on the configuration of syslog.
+
+# replace bash
+#
+# logger --id=$$ -p user.info SSHLOG: $SHELL \"${SSH_ORIGINAL_COMMAND}\"
+#
+# exec $SHELL -c "${SSH_ORIGINAL_COMMAND}"
+
+import os
+
+try:
+  shell = os.environ['SHELL']
+except:
+  shell = "/bin/sh"
+
+# Do not log interactive session
+#
+try:
+  cmd = os.environ['SSH_ORIGINAL_COMMAND']
+except:
+  os.execl(shell, shell)
+
+import syslog, pwd
+
+try:
+  user = pwd.getpwuid(os.getuid())[0]
+except:
+  user = "unknown"
+
+try:
+  msg = "user=%s cmd='%s'" % (user,cmd)
+  syslog.syslog(syslog.LOG_USER | syslog.LOG_DEBUG, msg)
+except:
+  pass
+
+# execute cmd
+#
+os.execl(shell, shell, "-c", cmd)
+
+

syslog-ng-config/files/syslog-ng.conf

@@ -227,8 +227,8 @@ filter f_newsnotice { facility(news) and filter(f_notice); };
 #filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
 filter f_syslog   { facility(syslog); };
 filter f_user     { facility(user) and not filter(f_vim) and not filter(f_vim_api)
-                    and not filter(f_vim_webserver) and not match("fmClientCli");
-                    and not program("^(-)?(ba)?(su|sh)$"); };
+                    and not filter(f_sshlog) and not filter(f_bash)
+                    and not filter(f_vim_webserver) and not match("fmClientCli"); };
 filter f_uucp     { facility(uucp); };
 
 #filter f_cnews    { level(notice, err, crit) and facility(news); };
@@ -362,5 +362,16 @@ log { source(s_src); filter(f_crit);    destination(d_console); };
 # Bash log Path
 log { source(s_src); filter(f_bash); destination(d_bash); };
 
+# sshlog definitions
+#
+template t_sshlog {
+  template("${YEAR}-${MONTH}-${DAY}T${HOUR}:${MIN}:${SEC} ${HOST} ${MSGHDR}${MSG}\n");
+  template-escape(no);
+};
+destination d_sshlog { file("/var/log/sshlog.log" template(t_sshlog)); };
+filter f_sshlog { program(".*sshlog$"); };
+log { source(s_src); filter(f_sshlog); destination(d_sshlog); };
+
+
 # Include conf.d files
 @include "/etc/syslog-ng/conf.d/"

syslog-ng-config/files/syslog-ng.logrotate

@@ -87,6 +87,7 @@
 }
 
 /var/log/bash.log
+/var/log/sshlog.log
 {
         nodateext
         size 100M