feat: add ttyrecStealthStdoutPattern config
Commands that generate a lot of stdout output and are machine-to-machine (M2M) workflows, such as rsync, can now have their stdout excluded from ttyrec recording to avoid filling up drives
parent
fd6850c7ef
commit
f022bd9ac8
|
@ -470,6 +470,10 @@ if ($generateMfaToken && $mfaToken) {
|
|||
"Can't specify both --generate-mfa-token and --mfa-token";
|
||||
}
|
||||
|
||||
if ($tty && $notty) {
|
||||
main_exit OVH::Bastion::EXIT_CONFLICTING_OPTIONS, "tty_notty", "Options -t and -T are mutually exclusive";
|
||||
}
|
||||
|
||||
# if proactive MFA has been requested, do it here, before the code diverts to either
|
||||
# handling interactive session, plugins/osh commands, or a connection request
|
||||
if ($proactiveMfa) {
|
||||
|
@ -1338,11 +1342,18 @@ else {
|
|||
osh_debug("idle_timeout: finally using " . $idleTimeout{$timeout} . " for $timeout");
|
||||
}
|
||||
|
||||
# if $command matches this option, set stealth_stdout for ttyrec
|
||||
my $stealth_stdout = 0;
|
||||
if (my $ttyrecStealthStdoutPattern = OVH::Bastion::config("ttyrecStealthStdoutPattern")->value) {
|
||||
$stealth_stdout = $command =~ $ttyrecStealthStdoutPattern;
|
||||
}
|
||||
|
||||
# adjust the ttyrec cmdline with these parameters
|
||||
$ttyrec_fnret = OVH::Bastion::build_ttyrec_cmdline_part2of2(
|
||||
input => $ttyrec_fnret->value,
|
||||
idleLockTimeout => $idleTimeout{'lock'},
|
||||
idleKillTimeout => $idleTimeout{'kill'}
|
||||
idleKillTimeout => $idleTimeout{'kill'},
|
||||
stealth_stdout => $stealth_stdout,
|
||||
);
|
||||
main_exit(OVH::Bastion::EXIT_TTYREC_CMDLINE_FAILED, "ttyrec_failed", $ttyrec_fnret->msg) if !$ttyrec_fnret;
|
||||
@ttyrec = @{$ttyrec_fnret->value->{'cmd'}};
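Review bot: The match `$stealth_stdout = $command =~ $ttyrecStealthStdoutPattern;` lets a string supplied by the connecting user decide whether stdout is recorded, so the configured pattern acts as an allowlist for skipping part of the audit trail and should be documented as one. The documented example `^rsync --server .+` is anchored only at the start, so any command that merely begins with that prefix disables stdout recording for the whole session; the option's description should tell administrators to anchor both ends (`\A...\z`) and restrict the characters allowed after the prefix. The decision should also leave a trace, for example `osh_debug("ttyrec: stdout recording disabled by ttyrecStealthStdoutPattern") if $stealth_stdout;`, and ideally an entry in the access log so reviewers know why a recording has no output. The enclosing `else` block starts and ends outside the hunk, so it is not visible whether `$command` can be undefined here; if it can, add `defined $command &&` before the match.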
|
||||
|
|
|
@ -65,6 +65,7 @@ Options to customize how logs should be produced.
|
|||
- `enableAccountSqlLog`_
|
||||
- `ttyrecFilenameFormat`_
|
||||
- `ttyrecAdditionalParameters`_
|
||||
- `ttyrecStealthStdoutPattern`_
|
||||
|
||||
Other ingress policies options
|
||||
------------------------------
|
||||
|
@ -515,6 +516,19 @@ ttyrecAdditionalParameters
|
|||
|
||||
Additional parameters you want to pass to ``ttyrec`` invocation. Useful, for example, to enable on-the-fly compression, disable cheatcodes, or set/unset any other ``ttyrec`` option. This is an ARRAY, not a string.
|
||||
|
||||
.. _ttyrecStealthStdoutPattern:
|
||||
|
||||
ttyrecStealthStdoutPattern
|
||||
**************************
|
||||
|
||||
:Type: ``regex``
|
||||
|
||||
:Default: ``""``
|
||||
|
||||
:Example: ``"^rsync --server .+"``
|
||||
|
||||
When this is set to a non-falsy value, this is expected to be a string that will be converted to a regex which will be matched against a potential remote command specified when connecting through SSH to a remote server. If the regex matches, then we'll instruct ttyrec to NOT record stdout for this session.
|
||||
|
||||
Other ingress policies
|
||||
----------------------
|
||||
|
||||
|
|
|
@ -216,6 +216,13 @@
|
|||
# DEFAULT: []
|
||||
"ttyrecAdditionalParameters": [],
|
||||
#
|
||||
# ttyrecStealthStdoutPattern (regex)
|
||||
#
|
||||
# DESC: When this is set to a non-falsy value, this is expected to be a string that will be converted to a regex which will be matched against a potential remote command specified when connecting through SSH to a remote server. If the regex matches, then we'll instruct ttyrec to NOT record stdout for this session.
|
||||
# EXAMPLE: "^rsync --server .+"
|
||||
# DEFAULT: ""
|
||||
"ttyrecStealthStdoutPattern": "",
|
||||
#
|
||||
##########################
|
||||
# > Other ingress policies
|
||||
# >> Policies applying to the ingress connections
|
||||
|
|
|
@ -1141,8 +1141,6 @@ sub build_ttyrec_cmdline_part1of2 {
|
|||
push @ttyrec, '-v' if $params{'debug'};
|
||||
push @ttyrec, '-T', 'always' if $params{'tty'};
|
||||
push @ttyrec, '-T', 'never' if $params{'notty'};
|
||||
push @ttyrec, '--stealth-stdout' if $params{'stealth_stdout'};
|
||||
push @ttyrec, '--stealth-stderr' if $params{'stealth_stderr'};
|
||||
|
||||
my $fnret = OVH::Bastion::account_config(
|
||||
account => $params{'account'},
|
||||
|
@ -1194,6 +1192,9 @@ sub build_ttyrec_cmdline_part2of2 {
|
|||
}
|
||||
}
|
||||
|
||||
push @cmd, '--stealth-stdout' if $params{'stealth_stdout'};
|
||||
push @cmd, '--stealth-stderr' if $params{'stealth_stderr'};
|
||||
|
||||
my $ttyrecAdditionalParameters = OVH::Bastion::config('ttyrecAdditionalParameters')->value;
|
||||
push @cmd, @$ttyrecAdditionalParameters if @$ttyrecAdditionalParameters;
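Review bot: The `--stealth-stdout` and `--stealth-stderr` pushes appear to move from build_ttyrec_cmdline_part1of2 to build_ttyrec_cmdline_part2of2, so any caller that still passes `stealth_stdout` or `stealth_stderr` to part1of2 would now be silently ignored. The callers are not visible on this page, so each one should be checked, since a missed one changes what gets recorded without any error. Both flags are also pushed before `ttyrecAdditionalParameters`, so it is worth confirming how ttyrec treats a repeated or conflicting option from that array. A short comment above the two pushes would help, e.g. `# stealth_* flags: the caller decides per session; when true, ttyrec does not record that stream`. Both functions start and end outside these hunks.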
|
||||
|
||||
|
|
|
@ -162,6 +162,7 @@ sub load_configuration {
|
|||
{name => 'accountExpiredMessage', default => '', validre => qr/^(.*)$/, emptyok => 1},
|
||||
{name => 'fanciness', default => 'full', validre => qr/^((none|boomer)|(basic|millenial)|(full|genz))$/},
|
||||
{name => 'accountExternalValidationProgram', default => '', validre => qr'^([a-zA-Z0-9/$_.-]*)$', emptyok => 1},
|
||||
{name => 'ttyrecStealthStdoutPattern', default => '', validre => qr'^(.{0,4096})$', emptyok => 1},
|
||||
)
|
||||
{
|
||||
if (!$C->{$o->{'name'}} && !$o->{'emptyok'}) {
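Review bot: The `validre` for `ttyrecStealthStdoutPattern`, `qr'^(.{0,4096})$'`, only bounds the length, so a value that is not a valid regex passes configuration loading and first fails when it is used in the match against the user's command. That would presumably surface as a runtime error on every connection that carries a remote command. Compile it once at load time instead, e.g. `my $ok = eval { qr/$C->{'ttyrecStealthStdoutPattern'}/; 1 };`, and fall back to the empty default with a warning when `$ok` is false. Since the pattern runs against user-controlled input, a note in the option's description about avoiding nested quantifiers would also help keep matching cost bounded. The option list and the loop body continue outside the hunk.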
|
||||
|
|