Description of problem:
Large enterprise OpenShift customer requires an audit trail to track the real individual associated with SSH logins into gears. Currently OpenShift relies on default SSH logging, which logs the gear UUID for SSH sessions. When using OpenShift for team development, this does not uniquely identify the specific individual initiating the SSH session.

Version-Release number of selected component (if applicable):
OSE 2.1.4

How reproducible:
Very

Steps to Reproduce:
1. ssh 53f536676858f1ca79000027.example.com
2. Look in /var/log/secure and /var/log/messages

Actual results:
Logs show that user 53f536676858f1ca79000027 accessed gear

Expected results:
Show that jsmith accessed gear

Additional info:
Will be checking an implementation of this RFE into Github shortly. Impacts broker, node and oo-trap-user
Generated PR #5797
https://github.com/openshift/origin-server/pull/5797
Comments made against the pull request.
PR is ready for testing.
Scott and I will follow up.
Some notes about the current implementation:

The login doesn't get logged to /var/log/secure, where entries still look like:

Oct 20 17:12:03 ip-10-230-128-154 sshd[27573]: pam_unix(sshd:session): session opened for user 54457a170b1f9cb49200000a by (uid=0)

It would probably require a pam module to change this.

Login messages from oo-trap-user are logged to /var/log/messages where it is trivial for a logged-in user to spoof these messages as if someone else had logged in after them. For auditing purposes, this isn't quite adequate to catch *all* logins.

For a scaled app, the head gear has a key to ssh to all the other gears, which could also be used by a real user to evade auditing. When a non-user key is used, the user name logged is "None":

Oct 20 15:26:44 ip-10-230-128-154 oo-trap-user: oo_login: None from: 10.230.128.154 gearUuid=5445601226384b8156000045 cmd=rhcsh

...so a user that managed to obtain the name "None" would evade auditing too.

Existing ssh keys in gears created prior to this code change won't have a login attached, so they won't log the user of the ssh key. Only ssh keys that are newly added to a gear after the code change will be auditable this way. I don't know of an existing tool to re-create all ssh keys on the gears from MongoDB.

I rebased the original PR and added shell escaping to the login so that you can have usernames like this:

Oct 20 17:07:14 ip-10-230-128-154 oo-trap-user: oo_login: John Doe from: 10.230.128.154 gearUuid=544579610b1f9cf43a000001 cmd=rhcsh
Oct 20 17:12:03 ip-10-230-128-154 oo-trap-user: oo_login: My Name Ain't Ringo from: 10.230.128.154 gearUuid=54457a170b1f9cb49200000a cmd=rhcsh

If all the above is acceptable to the use case, we can go ahead with:
https://github.com/openshift/origin-server/pull/5890
Commits pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/bff15c5dd0576ab804978e36688135538185237d
oo-trap-user: Add support for OPENSHIFT_LOGIN environment variable
This variable, if set, is logged at the time of a gear ssh login to enable auditing according to the actual owner of the ssh key.
Bug 1134139 - [RFE] Track real person for gear SSH logins
https://bugzilla.redhat.com/show_bug.cgi?id=1134139

https://github.com/openshift/origin-server/commit/1885f07c350c74a1185e7042e8a9aa96d322c159
app container proxy: Add user login to ssh authorized_keys file
The OpenShift user login is provided with the ssh key to enable auditing of gear logins according to the actual owner of the ssh key.
Bug 1134139 - [RFE] Track real person for gear SSH logins
https://bugzilla.redhat.com/show_bug.cgi?id=1134139

https://github.com/openshift/origin-server/commit/fc708a3626a47eab1a23bd69d95d5461e5e36a14
mco agent: Fix single ssh key addition
The OpenShift user login is provided with the ssh key to enable auditing of gear logins according to the actual owner of the ssh key.
Bug 1134139 - [RFE] Track real person for gear SSH logins
https://bugzilla.redhat.com/show_bug.cgi?id=1134139

https://github.com/openshift/origin-server/commit/b353303128faab51b49033527b2278db6938b425
ssh_authorized_keys: shell-escape the login
When the login is put into the env var for the command run as the shell, it needs to be escaped so it doesn't become a command itself.
Bug 1134139 - [RFE] Track real person for gear SSH logins
https://bugzilla.redhat.com/show_bug.cgi?id=1134139

https://github.com/openshift/origin-server/commit/fce17c901fa0dfae2be4d610c53dbf1ca2a2dfb6
ssh keys: remove special logins
Users with single-char logins should still be logged, and there doesn't seem to be a good purpose for the special 'S' and 'A' logins. So, they are now removed.
Bug 1134139 - [RFE] Track real person for gear SSH logins
https://bugzilla.redhat.com/show_bug.cgi?id=1134139

https://github.com/openshift/origin-server/commit/02d72dbb9e5e7a74b374adde36c75945f4593bb6
oo-trap-user: make gear login syslog optional
Introduce node.conf setting SYSLOG_GEAR_LOGIN=true so that by default, logging gear logins to syslogs occurs on a new install, but existing nodes and node.conf files don't have this start happening without intervention.
Bug 1134139 - [RFE] Track real person for gear SSH logins
https://bugzilla.redhat.com/show_bug.cgi?id=1134139
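An added example in Ruby (origin-server's own language), not code from the PRs or commits above: it shows the shell escaping of the login that the "shell-escape the login" commit describes, and a defender-side check that joins sshd's /var/log/secure lines with the oo_login lines by gear UUID so that "None" or missing logins are surfaced as unattributed. The authorized_keys option layout, the function names and the sample log lines are assumptions constructed for this example.

```ruby
require 'shellwords'

# Builds an authorized_keys entry that hands the key owner's login to
# oo-trap-user through OPENSHIFT_LOGIN (option layout assumed, not the
# exact line origin-server writes).
def authorized_keys_line(login, key_type, key_blob, comment)
  # A newline would start a second authorized_keys entry and a double quote
  # would end sshd's command="..." option, so refuse both outright.
  raise ArgumentError, 'unsafe character in login' if login =~ /["\n]/
  # Shellwords.escape makes spaces, quotes and metacharacters inert, so the
  # login stays the value of the assignment instead of becoming a command.
  env = "OPENSHIFT_LOGIN=#{Shellwords.escape(login)}"
  %(command="#{env} /usr/bin/oo-trap-user",no-port-forwarding,no-X11-forwarding #{key_type} #{key_blob} #{comment})
end

OO_LOGIN_RE = /oo-trap-user: oo_login: (?<login>.+) from: (?<from>\S+) gearUuid=(?<uuid>\h+) cmd=(?<cmd>\S+)/
SSHD_ACCEPT_RE = /sshd\[\d+\]: Accepted publickey for (?<uuid>\h+) from (?<from>\S+)/

# Joins sshd "Accepted publickey" lines (/var/log/secure) with oo_login lines
# (/var/log/messages) by gear UUID and source address. A session whose only
# oo_login is "None", or that has none at all, is reported as unattributed.
def audit_gear_logins(secure_lines, messages_lines)
  oo = messages_lines.filter_map { |l| OO_LOGIN_RE.match(l) }
  secure_lines.filter_map do |l|
    m = SSHD_ACCEPT_RE.match(l) or next
    hit = oo.find { |o| o[:uuid] == m[:uuid] && o[:from] == m[:from] }
    login = hit && hit[:login] != 'None' ? hit[:login] : nil
    { uuid: m[:uuid], from: m[:from], login: login, attributed: !login.nil? }
  end
end

# Constructed sample lines modelled on the ones quoted in this bug.
SECURE = [
  'Oct 23 01:25:34 node1 sshd[18181]: Accepted publickey for 5448bb3ce5fed5378b0000ea from 10.3.11.89 port 60974 ssh2',
  'Oct 23 01:36:35 node1 sshd[18200]: Accepted publickey for 5448bd52e5fed51f10000002 from 10.3.9.157 port 41000 ssh2',
]
MESSAGES = [
  'Oct 23 01:25:34 node1 oo-trap-user: oo_login: anli from: 10.3.11.89 gearUuid=5448bb3ce5fed5378b0000ea cmd=rhcsh',
  'Oct 23 01:36:35 node1 oo-trap-user: oo_login: None from: 10.3.9.157 gearUuid=5448bd52e5fed51f10000002 cmd=rhcsh',
]

if __FILE__ == $0
  puts authorized_keys_line("My Name Ain't Ringo", 'ssh-rsa', 'AAAAB3...constructed', 'OPENSHIFT-key')
  audit_gear_logins(SECURE, MESSAGES).each { |r| puts r.inspect }
end
```

Because the oo_login line is written from inside the gear, the sshd line is the trustworthy side of the join; a session that sshd accepted but that carries no usable oo_login is exactly the case the comments above say the current implementation cannot attribute.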
Waiting for new puddle to verify this bug.
Verified and pass on puddle-2-2-2014-10-22

1) For "rhc ssh app" or "ssh uuid@app", the login name was logged in /var/log/messages

tailf /var/log/messages
Oct 23 01:25:34 node1 oo-trap-user: oo_login: anli from: 10.3.11.89 gearUuid=5448bb3ce5fed5378b0000ea cmd=rhcsh
Oct 23 01:26:04 node1 root[18853]: user-cron-jobs :START: minutely run of all scheduled jobs
Oct 23 01:26:04 node1 root[18861]: user-cron-jobs :END: minutely run of all scheduled jobs

tailf /var/log/secure
Oct 23 01:25:34 node1 sshd[18181]: Accepted publickey for 5448bb3ce5fed5378b0000ea from 10.3.11.89 port 60974 ssh2
Oct 23 01:25:34 node1 sshd[18181]: pam_openshift(sshd:session): pam: default-context=unconfined_u:system_r:openshift_t:s0:c5,c592 selected-context=unconfined_u:system_r:openshift_t:s0:c5,c592 success 1
Oct 23 01:25:34 node1 sshd[18181]: pam_unix(sshd:session): session opened for user 5448bb3ce5fed5378b0000ea by (uid=0)

exit "rhc ssh app"

tailf /var/log/secure
Oct 23 01:27:46 node1 sshd[18194]: Received disconnect from 10.3.11.89: 11: disconnected by user
Oct 23 01:27:46 node1 sshd[18181]: pam_unix(sshd:session): session closed for user 5448bb3ce5fed5378b0000ea

2) For a scaled app, ssh to gears on a different node, None was logged

tailf /var/log/message
Oct 23 01:36:03 node1 root[25294]: user-cron-jobs :START: minutely run of all scheduled jobs
Oct 23 01:36:03 node1 root[25302]: user-cron-jobs :END: minutely run of all scheduled jobs
Oct 23 01:36:15 node1 dhclient[1038]: DHCPREQUEST on eth0 to 172.16.100.34 port 67 (xid=0x5b5024ce)
Oct 23 01:36:15 node1 dhclient[1038]: DHCPACK from 172.16.100.34 (xid=0x5b5024ce)
Oct 23 01:36:17 node1 dhclient[1038]: bound to 172.16.100.85 -- renewal in 73 seconds.
Oct 23 01:36:35 node1 oo-trap-user: oo_login: None from: 10.3.9.157 gearUuid=5448bd52e5fed51f10000002 cmd=rhcsh
No reason to keep this RFE private
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1796.html