Stéphane Lesimple
efe3710e4c
feat: groupList/accountList: add --include --exclude
2021-01-21 15:56:59 +01:00
Stéphane Lesimple
148d5206e5
enh: rootListIngressKeys: look for all well-known authkeys files
2021-01-21 15:06:27 +01:00
Stéphane Lesimple
69778815bb
enh: groupList: use cache to speedup calls
...
On bastions with thousands of groups, the speedup is ~x10
2021-01-20 14:01:55 +01:00
Stéphane Lesimple
141791db92
fix: scripts: (( )) returns 1 if evaluated to zero
2021-01-15 16:13:30 +01:00
Stéphane Lesimple
d04b15a19e
fix: tocttou in ttyrec rotation script
2021-01-14 17:19:48 +01:00
Stéphane Lesimple
361c6a37a2
fix: osh-lingering-sessions-reaper.sh: tocttou on kill could terminate the script early
2021-01-14 17:16:31 +01:00
Pierre Kuhner
e7e045a40d
fix: confusing error messages in groupDelServer
2021-01-14 09:40:55 +01:00
Stéphane Lesimple
1129850771
fix: global-log: directly set proper perms on file creation
2021-01-12 12:05:20 +01:00
Stéphane Lesimple
1676979913
feat: add PIV keys support and policy enforcement
...
A new global option 'ingressRequirePIV' was added, to enable or disable a
bastion-wide policy forcing everybody to use only PIV keys.
2021-01-12 12:05:06 +01:00
Stéphane Lesimple
62d6393d56
feat: add yubico-piv-checker install script
2021-01-12 12:05:06 +01:00
Stéphane Lesimple
41121f7723
fix: proper sqlite log location for invalid realm accounts
2021-01-07 17:20:54 +00:00
Stéphane Lesimple
e8d60810f1
Merge pull request #111 from ovh/perluseall
...
chore: perl-use-all: dynamically find required modules
2021-01-05 18:51:25 +01:00
Stéphane Lesimple
b4f32d5afe
Merge pull request #110 from ovh/aclbackup
...
enh: satellite scripts: better error handling
2021-01-05 18:51:09 +01:00
Stéphane Lesimple
16323667e2
Merge pull request #106 from ovh/logs
...
feat: revamp logs
2021-01-05 18:50:25 +01:00
Stéphane Lesimple
8e7fc9b949
chore: perl-use-all: dynamically find required modules
2020-12-31 13:00:00 +00:00
Stéphane Lesimple
9a10ddebd9
enh: satellite scripts: better error handling
2020-12-31 12:13:20 +00:00
Stéphane Lesimple
a479810d83
feat: revamp logs
...
All connections and plugin executions emit two logs, an 'open' and
a 'close' log. We now add all the details of the connection to
the 'close' logs, those that were previously only available in the
corresponding 'open' log. This way, it is no longer required to
correlate both logs with their uniqid to have all the data:
the 'close' log should suffice. The 'open' log is still there if
for some reason the 'close' log can't be emitted (kill -9, system
crash, etc.), or if the 'open' and the 'close' log are several
hours, days or months apart.
An additional field "duration" has been added to the 'close' logs;
it represents the number of seconds (with millisecond precision)
the connection lasted.
Two new fields "globalsql" and "accountsql" have been added to the
'open'-type logs. These will contain either "ok" if we successfully
logged to the corresponding log database, "no" if it is disabled,
or "error $aDetailedMessage" if we got an error trying to insert
the row. The 'close'-type log also has the new "accountsql_close"
field, but misses the "globalsql_close" field as we never update
the global database on this event. On the 'close' log, we can also
have the value "missing", indicating that we couldn't update the
access log row in the database, as the corresponding 'open' log
couldn't insert it.
The "ttyrecsize" log field for the 'close'-type logs has been removed,
as it was never completely implemented, and contains bogus data if
ttyrec log rotation occurs. It has also been removed from the sqlite
log databases.
The 'open' and 'close' events are now pushed to our own log files,
in addition to syslog, if logging to those files is enabled (see
``enableGlobalAccessLog`` and ``enableAccountAccessLog``), previously
the 'close' events were only pushed to syslog.
The /home/osh.log is no longer used for ``enableGlobalAccessLog``, the
global log is instead written to /home/logkeeper/global-log-YYYYMM.log.
The global sql file, enabled with ``enableGlobalSqlLog``, is now
split by year-month instead of by year, to
/home/logkeeper/global-log-YYYYMM.sqlite.
2020-12-29 16:14:50 +00:00
Stéphane Lesimple
2cfde997f3
fix: realmDelete: bad sudoers configuration
2020-12-25 17:02:54 +01:00
Stéphane Lesimple
81db4b10bb
feat: realms: use remote bastion MFA validation information for local policy enforcement
2020-12-25 17:02:54 +01:00
Stéphane Lesimple
16f42221ca
feat: add LC_BASTION_DETAILS envvar
2020-12-21 11:13:46 +00:00
Stéphane Lesimple
a204313af9
feat: accountModify: add --osh-only ( closes #97 )
2020-12-18 11:04:33 +00:00
Stéphane Lesimple
03ad1da046
chore: perlcritic: including forgotten .inc files
2020-12-15 17:18:37 +00:00
Stéphane Lesimple
a676692fe6
chore: fix an error message
2020-12-15 13:57:58 +00:00
Stéphane Lesimple
fdb786d62c
Merge pull request #89 from ovh/dev/aleblanc/bin-helper-osh-account-delete
...
fix: osh-accountDelete: fix typo
2020-12-15 12:14:19 +01:00
Stéphane Lesimple
790802e6da
fix: osh.pl: plugin_config 'disabled' key is a boolean
2020-12-15 10:16:35 +00:00
Antoine Leblanc
82f2c96ea6
fix: osh-accountDelete: fix typo
...
Signed-off-by: Antoine Leblanc <antoine.leblanc@ovhcloud.com>
2020-12-14 21:49:32 +01:00
Stéphane Lesimple
e2186978da
fix: sudogen: don't check for account/groups validity too much when deleting them
...
Fixes #86
2020-12-14 09:19:03 +00:00
Stéphane Lesimple
c68b696702
chore: shellcheck & perltidy
2020-12-08 14:42:31 +00:00
Stéphane Lesimple
7707b1c351
fix: osh-groupCreate: fix for centos 8.3
2020-12-08 14:42:27 +00:00
Stéphane Lesimple
457a8fae82
chore: packages-check: remove unused packages
2020-12-08 14:27:38 +00:00
Stéphane Lesimple
dca45a44c5
chore: fix latest centos 8 release, add tests for last 3 minors
2020-12-08 14:27:13 +00:00
Stéphane Lesimple
c4d2cea3b0
fix: packages-check: centos8: handle new repo names
2020-12-08 10:54:57 +00:00
Stéphane Lesimple
8276f3878d
Merge pull request #76 from ovh/fixsudoers
...
fix: sudogen: handle '.' and OS-specific templates correctly
2020-12-04 14:38:02 +01:00
thibault.dewailly
1e32cfde7d
osh-encrypt-rsync: Remove logfile as mandatory parameter
2020-12-04 10:03:18 +00:00
Stéphane Lesimple
50c016be10
fix: sudogen: properly handle accounts & groups containing '.'
2020-12-03 13:20:53 +00:00
Stéphane Lesimple
526a5d0389
fix: sudogen: proper detection of OS-specific templates
2020-12-03 13:20:53 +00:00
Thomas Soëte
9647ae9cdb
fix: Fix 'selfAddPersonalAccess' helptext
2020-12-01 15:53:57 +01:00
Stéphane Lesimple
4cb09a9570
enh: remove hardcoded .ssh/authorized_keys2 everywhere
2020-11-26 18:08:03 +00:00
Stéphane Lesimple
71cd9a46df
Merge branch 'master' into autocompletion
2020-11-23 14:26:46 +01:00
Stéphane Lesimple
9fb6b8d444
enh: accountCreate: handle --uid-auto in autocompletion rules
2020-11-23 11:29:52 +00:00
Thomas SOËTE
ef531308d5
enh: doc: add from parameter as it is mandatory
2020-11-23 11:28:15 +00:00
Stéphane Lesimple
f07e00b1e9
Merge branch 'master' into adminSudo
2020-11-23 10:05:11 +01:00
Stéphane Lesimple
e2a64a9d8f
enh: adminSudo: better autocompletion rules
2020-11-23 08:35:28 +00:00
Thomas SOËTE
2a51a78b54
fix: Enable perl-tidy.sh test
...
* Move to ubuntu-20.04 runner
* Remove check in dockers tests
2020-11-22 21:37:34 +00:00
Stéphane Lesimple
d0e7e9046b
enh: httpproxy: add informational headers to the egress side request
2020-11-20 10:22:08 +00:00
Stéphane Lesimple
15cad00c27
fix: osh.pl: validate user and host format
2020-11-20 07:20:51 +00:00
Stéphane Lesimple
396e0d2d32
Merge branch 'master' into backupfix
2020-11-19 17:46:42 +01:00
Stéphane Lesimple
5d3de83e50
fix: osh-encrypt-rsync.pl: allow a broader set of chars to avoid leaving weird-named files behind
2020-11-19 16:34:20 +00:00
Stéphane Lesimple
e907532447
fix: osh-backup-acl-keys.sh: don't exclude .gpg, or we'll miss /root/.gnupg/secring.gpg
2020-11-19 16:33:43 +00:00
Stéphane Lesimple
8f60646c65
feat: add interactiveModeByDefault option
2020-11-19 12:44:33 +00:00
Stéphane Lesimple
d6be60e4a2
Merge branch 'master' into centos
2020-11-18 11:24:18 +01:00
Stéphane Lesimple
60d0f12018
Merge branch 'master' into freebsd
2020-11-18 11:22:31 +01:00
Stéphane Lesimple
1a5404cf75
Merge branch 'master' into sort-selfListSessions-output
2020-11-18 11:20:12 +01:00
Thomas SOËTE
632076565e
Fix sort of the list of past sessions
2020-11-18 09:50:56 +00:00
Stéphane Lesimple
4fd24a3dbc
enh: install: freebsd: check whether acls are enabled
2020-11-18 09:37:31 +00:00
Stéphane Lesimple
231c62b581
feat: install: add SELinux module for TOTP MFA
...
Fixes #26
2020-11-18 09:35:19 +00:00
Stéphane Lesimple
615f26af8b
enh: freebsd: use ttyrec prebuilt static version
2020-11-17 21:04:22 +01:00
Stéphane Lesimple
cb02fd2a33
fixes after review
2020-11-17 17:41:32 +01:00
Stéphane Lesimple
1b164c1197
fix typo
2020-11-17 12:55:26 +01:00
Stéphane Lesimple
0b0200951e
enh: sudoers: support per-OS templates, add one for FreeBSD
2020-11-17 11:31:34 +01:00
Stéphane Lesimple
7085b2d091
fix: osh.pl: fix pamtester use under FreeBSD
...
Under FreeBSD, users can't read /etc/spwd.db, and there is no helper
for pam_unix.so to validate user passwords, as is the case under
Linux, so we have to launch pamtester under root so that pam_unix.so
can do its job.
2020-11-17 11:29:39 +01:00
Stéphane Lesimple
60cea897f8
enh: osh.pl: replace hardcoded selfMFASetupPassword logic by configuration
2020-11-17 11:28:05 +01:00
Stéphane Lesimple
ee81bd4070
enh: packages-check.sh: better handling of FreeBSD packages
2020-11-17 11:27:46 +01:00
Stéphane Lesimple
7ee203aa71
enh: install-ttyrec.h: error msg for non-supported OSes
2020-11-17 11:19:50 +01:00
Stéphane Lesimple
9f1a8b925e
enh: install: better handling of non-Linux standard paths
2020-11-17 11:17:17 +01:00
Stéphane Lesimple
234dd0768a
feat: freebsd: add specific FreeBSD ssh config templates
2020-11-17 11:15:10 +01:00
Stéphane Lesimple
09bd6dffd9
fix: freebsd: add md5sum_compat()
...
to account for systems where md5sum's binary name is gmd5sum
2020-11-17 11:14:34 +01:00
Stéphane Lesimple
4105c10193
fix: freebsd: replace 'root' by '0' so that it works even if uid0's name is not root
2020-11-17 11:12:53 +01:00
Stéphane Lesimple
811b2f9c15
Merge branch 'master' into master
2020-11-13 18:52:30 +01:00
Stéphane Lesimple
418dc3a332
feat: add more archs to dockerhub sandbox
2020-11-13 18:38:53 +01:00
snk33
7685114cfd
allow adminSudo plugin to read from stdin
...
add expects_stdin to the execute call so an admin will be able to replay a session from another account
2020-11-13 18:35:40 +01:00
Stéphane Lesimple
cfef70daef
chore: install-ttyrec.sh: adapt for multiarch
2020-11-09 16:47:57 +00:00
Stéphane Lesimple
5c72c92bdd
chore: fix typos everywhere
2020-11-05 17:36:17 +00:00
Stéphane Lesimple
619000fa84
enh: install-ttyrec.sh replaces build-and-install-ttyrec.sh
...
No longer build ttyrec in place; either download and install the
Debian/RPM package, or install the prebuilt static binaries.
Modify the Dockerfiles accordingly.
2020-11-05 09:56:05 +00:00
Stéphane Lesimple
202790367d
enh: packages-check.sh: add qrencode-libs for rhel/centos
...
This enables direct printing of the qrcode on the terminal for TOTP enrollment
2020-11-01 19:45:42 +01:00
Thomas Soëte
9a23c1ce6a
Add missing dev package
...
Install shellcheck too
Signed-off-by: Thomas SOËTE <github@alkorin.fr>
2020-10-26 19:05:01 +01:00
Stéphane Lesimple
d3a7818046
Merge pull request #10 from ovh/issue-8
...
fix: accountModify is master-only
2020-10-22 12:26:53 +02:00
Stéphane Lesimple
4b8b1457e9
fix: accountModify is master-only
2020-10-22 10:24:14 +00:00
Romain Beuque
cb1e54b42a
clush: change description for --no-pause-on-failure to represent the actual behavior
...
Signed-off-by: Romain Beuque <romain.beuque@ovhcloud.com>
2020-10-22 12:21:29 +02:00
Stéphane Lesimple
e453377245
chore: add some documentation and fix a few comments
2020-10-22 08:12:49 +00:00
Thomas Soëte
e766a54a35
Enhance osh-sync-watcher logs
...
With server name and step number
2020-10-20 16:49:27 +00:00
Stéphane Lesimple
fde20136ef
Initial commit
2020-10-20 14:30:27 +00:00