Commit graph

18 commits

Author SHA1 Message Date
Stéphane Lesimple
41121f7723
fix: proper sqlite log location for invalid realm accounts 2021-01-07 17:20:54 +00:00
Stéphane Lesimple
e8d60810f1
Merge pull request #111 from ovh/perluseall
chore: perl-use-all: dynamically find required modules
2021-01-05 18:51:25 +01:00
Stéphane Lesimple
16323667e2
Merge pull request #106 from ovh/logs
feat: revamp logs
2021-01-05 18:50:25 +01:00
Stéphane Lesimple
8e7fc9b949
chore: perl-use-all: dynamically find required modules 2020-12-31 13:00:00 +00:00
Stéphane Lesimple
a479810d83
feat: revamp logs
All connections and plugin executions emit two logs, an 'open' and
a 'close' log. We now add all the details of the connection to
the 'close' logs, those that were previously only available in the
corresponding 'open' log. This way, it is no longer required to
correlate both logs with their uniqid to have all the data:
the 'close' log should suffice. The 'open' log is still there if
for some reason the 'close' log can't be emitted (kill -9, system
crash, etc.), or if the 'open' and the 'close' log are several
hours, days or months appart.

An additional field "duration" has been added to the 'close' logs,
this represents the number of seconds (with millisecond precision)
the connection lasted.

Two new fields "globalsql" and "accountsql" have been added to the
'open'-type logs. These will contain either "ok" if we successfully
logged to the corresponding log database, "no" if it is disabled,
or "error $aDetailedMessage" if we got an error trying to insert
the row. The 'close'-type log also has the new "accountsql_close"
field, but misses the "globalsql_close" field as we never update
the global database on this event. On the 'close' log, we can also
have the value "missing", indicating that we couldn't update the
access log row in the database, as the corresponding 'open' log
couldn't insert it.

The "ttyrecsize" log field for the 'close'-type logs has been removed,
as it was never completely implemented, and contains bogus data if
ttyrec log rotation occurs. It has also been removed from the sqlite
log databases.

The 'open' and 'close' events are now pushed to our own log files,
in addition to syslog, if logging to those files is enabled (see
``enableGlobalAccesssLog`` and ``enableAccountAccessLog``), previously
the 'close' events were only pushed to syslog.

The /home/osh.log is no longer used for ``enableGlobalAccessLog``, the
global log is instead written to /home/logkeeper/global-log-YYYYMM.log.

The global sql file, enabled with ``enableGlobalSqlLog``, is now
split by year-month instead of by year, to
/home/logkeeper/global-log-YYYYMM.sqlite.
2020-12-29 16:14:50 +00:00
Stéphane Lesimple
81db4b10bb feat: realms: use remote bastion MFA validation information for local policy enforcement 2020-12-25 17:02:54 +01:00
Stéphane Lesimple
16f42221ca
feat: add LC_BASTION_DETAILS envvar 2020-12-21 11:13:46 +00:00
Stéphane Lesimple
a204313af9
feat: accountModify: add --osh-only (closes #97) 2020-12-18 11:04:33 +00:00
Stéphane Lesimple
790802e6da
fix: osh.pl: plugin_config 'disabled' key is a boolean 2020-12-15 10:16:35 +00:00
Thomas SOËTE
2a51a78b54 fix: Enable perl-tidy.sh test
* Move to ubuntu-20.04 runner
* Remove check in dockers tests
2020-11-22 21:37:34 +00:00
Stéphane Lesimple
15cad00c27
fix: osh.pl: validate user and host format 2020-11-20 07:20:51 +00:00
Stéphane Lesimple
8f60646c65
feat: add interactiveModeByDefault option 2020-11-19 12:44:33 +00:00
Stéphane Lesimple
cb02fd2a33 fixes after review 2020-11-17 17:41:32 +01:00
Stéphane Lesimple
1b164c1197 fix typo 2020-11-17 12:55:26 +01:00
Stéphane Lesimple
7085b2d091 fix: osh.pl: fix pamtester use under FreeBSD
Under FreeBSD, users can't read /etc/spwd.db, and there is no helper
for pam_unix.so to validate user passwords, as this is the case under
Linux, so we have to launch pamtester under root so that pam_unix.so
can do its job
2020-11-17 11:29:39 +01:00
Stéphane Lesimple
60cea897f8 enh: osh.pl: replace harcoded selfMFASetupPassword logic by configuration 2020-11-17 11:28:05 +01:00
Stéphane Lesimple
5c72c92bdd
chore: fix typos everywhere 2020-11-05 17:36:17 +00:00
Stéphane Lesimple
fde20136ef
Initial commit 2020-10-20 14:30:27 +00:00