diff --git a/syslog-ng-config/centos/syslog-ng-config.spec b/syslog-ng-config/centos/syslog-ng-config.spec
index c2d0d8b..930ac3c 100644
--- a/syslog-ng-config/centos/syslog-ng-config.spec
+++ b/syslog-ng-config/centos/syslog-ng-config.spec
@@ -35,8 +35,11 @@ install -d %{buildroot}%{_datadir}/starlingx
 install -D -m644 syslog-ng.conf %{buildroot}%{_datadir}/starlingx/syslog-ng.conf
 install -D -m644 syslog-ng.logrotate %{buildroot}%{_datadir}/starlingx/syslog-ng.logrotate
 install -D -m644 remotelogging.conf %{buildroot}%{_sysconfdir}/syslog-ng/remotelogging.conf
+
 install -d %{buildroot}%{_sbindir}
 install -D -m700 fm_event_syslogger %{buildroot}%{_sbindir}/fm_event_syslogger
+install -D -m755 sshlog %{buildroot}%{_sbindir}/sshlog
+
 install -D -m644 syslog-ng.service %{buildroot}%{_datadir}/starlingx/syslog-ng.service
 
 %post
@@ -67,3 +70,4 @@ ldconfig
 %{_datadir}/starlingx/syslog-ng.logrotate
 %{_datadir}/starlingx/syslog-ng.service
 %{_sbindir}/fm_event_syslogger
+%{_sbindir}/sshlog
diff --git a/syslog-ng-config/files/sshlog b/syslog-ng-config/files/sshlog
new file mode 100755
index 0000000..5e25df3
--- /dev/null
+++ b/syslog-ng-config/files/sshlog
@@ -0,0 +1,49 @@
+#!/usr/bin/python3
+#
+# Copyrights (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# We assume that we are being called because of a command option in
+# ssh authorized_keys for whoever we are. Where the log goes depends
+# on the configuration of syslog.
+
+# replace bash
+#
+# logger --id=$$ -p user.info SSHLOG: $SHELL \"${SSH_ORIGINAL_COMMAND}\"
+#
+# exec $SHELL -c "${SSH_ORIGINAL_COMMAND}"
+
+import os
+
+try:
+    shell = os.environ['SHELL']
+except:
+    shell = "/bin/sh"
+
+# Do not log interactive session
+#
+try:
+    cmd = os.environ['SSH_ORIGINAL_COMMAND']
+except:
+    os.execl(shell, shell)
+
+import syslog, pwd
+
+try:
+    user = pwd.getpwuid(os.getuid())[0]
+except:
+    user = "unknown"
+
+try:
+    msg = "user=%s cmd='%s'" % (user,cmd)
+    syslog.syslog(syslog.LOG_USER | syslog.LOG_DEBUG, msg)
+except:
+    pass
+
+# execute cmd
+#
+os.execl(shell, shell, "-c", cmd)
+
+
diff --git a/syslog-ng-config/files/syslog-ng.conf b/syslog-ng-config/files/syslog-ng.conf
index f7bbd87..e40e6fd 100644
--- a/syslog-ng-config/files/syslog-ng.conf
+++ b/syslog-ng-config/files/syslog-ng.conf
@@ -227,8 +227,8 @@ filter f_newsnotice { facility(news) and filter(f_notice); };
 #filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
 filter f_syslog { facility(syslog); };
 filter f_user { facility(user) and not filter(f_vim) and not filter(f_vim_api)
-        and not filter(f_vim_webserver) and not match("fmClientCli");
-        and not program("^(-)?(ba)?(su|sh)$"); };
+        and not filter(f_sshlog) and not filter(f_bash)
+        and not filter(f_vim_webserver) and not match("fmClientCli"); };
 filter f_uucp { facility(uucp); };
 #filter f_cnews { level(notice, err, crit) and facility(news); };
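Review bot: The command text passed to `syslog.syslog(...)` is taken verbatim from SSH_ORIGINAL_COMMAND, which the remote key holder controls, so a command containing newline or other control characters reaches the log unescaped (the matching file destination in syslog-ng.conf sets `template-escape(no)`) and could forge extra log lines unless syslog-ng strips them on the way through; formatting with `%r` keeps each record single-line and also unambiguous when the command itself contains quotes: `msg = "user=%s cmd=%r" % (user, cmd)`. Separately, the bare `except:` around the SSH_ORIGINAL_COMMAND lookup is meant for KeyError only: if `os.execl(shell, shell)` raises (for example SHELL naming a missing binary), control falls through to the logging code with `cmd` unbound and the script dies with a NameError rather than a clear exec error, so `except KeyError:` is the right catch there. The other bare `except:` clauses also swallow SystemExit and KeyboardInterrupt; `except (KeyError, OSError):` for the pwd lookup and `except OSError:` for the syslog call would keep the best-effort behaviour without hiding unrelated failures.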
@@ -362,5 +362,16 @@ log { source(s_src); filter(f_crit); destination(d_console); };
 # Bash log Path
 log { source(s_src); filter(f_bash); destination(d_bash); };
 
+# sshlog definitions
+#
+template t_sshlog {
+    template("${YEAR}-${MONTH}-${DAY}T${HOUR}:${MIN}:${SEC} ${HOST} ${MSGHDR}${MSG}\n");
+    template-escape(no);
+};
+destination d_sshlog { file("/var/log/sshlog.log" template(t_sshlog)); };
+filter f_sshlog { program(".*sshlog$"); };
+log { source(s_src); filter(f_sshlog); destination(d_sshlog); };
+
+
 # Include conf.d files
 @include "/etc/syslog-ng/conf.d/"
diff --git a/syslog-ng-config/files/syslog-ng.logrotate b/syslog-ng-config/files/syslog-ng.logrotate
index 2bb71fe..919184b 100644
--- a/syslog-ng-config/files/syslog-ng.logrotate
+++ b/syslog-ng-config/files/syslog-ng.logrotate
@@ -87,6 +87,7 @@
 }
 /var/log/bash.log
+/var/log/sshlog.log
 {
     nodateext
     size 100M
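Review bot: `filter f_sshlog { program(".*sshlog$"); };` is anchored only at the end, so any program whose syslog ident happens to end in `sshlog` is routed into /var/log/sshlog.log and, via the earlier f_user hunk, removed from the user log; since the script is installed and invoked as `sshlog`, `program("^sshlog$")` is the tighter match. The earlier hunk also makes f_user reference f_sshlog well before this definition; as far as I know syslog-ng resolves filter names at configuration initialisation rather than in file order, but a one-line comment at the f_user filter saying where f_sshlog is defined would help the next reader. The new destination inherits whatever the global file permissions are (not visible in this diff); because this file records command lines sent by remote key holders, it is worth confirming the resulting /var/log/sshlog.log is not world-readable, for example by adding `perm(0600)` inside the `file()` driver if the global default is looser.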