Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disappearing session.start event when using tsh ssh command execution #13622

Closed
pschisa opened this issue Jun 17, 2022 · 1 comment · Fixed by #19450
Closed

Disappearing session.start event when using tsh ssh command execution #13622

pschisa opened this issue Jun 17, 2022 · 1 comment · Fixed by #19450
Labels
audit-log Issues related to Teleports Audit Log bug c-nx Internal Customer Reference

Comments

@pschisa
Copy link
Contributor

pschisa commented Jun 17, 2022

Expected behavior:
Audit logs in general will never be deleted after created.

Current behavior:
The session.start event for a command execution is deleted from the audit log upon completion of the command session.

Bug details:

  • Teleport version = 9.3.3 (cloud hosted)
  • Recreation steps
  1. Execute the following tsh ssh command: tsh ssh -t <user@server> top
  2. Observe in the audit logs the expected session.start event present on all command execution flows is listed (providing the server node labels)
  3. End the top session with q
  4. Observe the audit logs. The session.start event previously in the audit logs has been removed. You can no longer correlate the command execution event to the server labels.
@pschisa pschisa added bug audit-log Issues related to Teleports Audit Log c-nx Internal Customer Reference labels Jun 17, 2022
@pschisa pschisa mentioned this issue Jun 17, 2022
Open
@pschisa
Copy link
Contributor Author

pschisa commented Jun 21, 2022

End user confirmed the event is no longer present via the Go API

I have confirmed in my recreate that the session.start event is present during command executing in DynamoDB and no longer present in the DynamoDB events table after the command is completed with the same session ID

@rosstimothy rosstimothy mentioned this issue Dec 16, 2022
Merged
rosstimothy added a commit that referenced this issue Dec 16, 2022
@rosstimothy
Prevent "session.start" from being overwritten by "session.exec"
d3e019a 
The `session.exec` event was not being passed through the session
recorder, which resulted in said event having an event index of 0.
This caused the original `session.start` event which also has an
`eid` of 0 to be overwritten by the `session.exec` event.

By emitting the `session.exec` event via the same mechanism as the
`session.start` event it gets a proper event index and no longer
overwrites the `session.start`.

Closes #13622
rosstimothy added a commit that referenced this issue Dec 19, 2022
@rosstimothy
Prevent "session.start" from being overwritten by "session.exec" (#19450
6ed5185 
)

* Prevent "session.start" from being overwritten by "session.exec"

The `session.exec` event was not being passed through the session
recorder, which resulted in said event having an event index of 0.
This caused the original `session.start` event which also has an
`eid` of 0 to be overwritten by the `session.exec` event.

By emitting the `session.exec` event via the same mechanism as the
`session.start` event it gets a proper event index and no longer
overwrites the `session.start`.

Closes #13622
github-actions bot pushed a commit that referenced this issue Dec 19, 2022
@rosstimothy
Prevent "session.start" from being overwritten by "session.exec"
51ffbe5 
The `session.exec` event was not being passed through the session
recorder, which resulted in said event having an event index of 0.
This caused the original `session.start` event which also has an
`eid` of 0 to be overwritten by the `session.exec` event.

By emitting the `session.exec` event via the same mechanism as the
`session.start` event it gets a proper event index and no longer
overwrites the `session.start`.

Closes #13622
github-actions bot pushed a commit that referenced this issue Dec 19, 2022
@rosstimothy
Prevent "session.start" from being overwritten by "session.exec"
0802d47 
The `session.exec` event was not being passed through the session
recorder, which resulted in said event having an event index of 0.
This caused the original `session.start` event which also has an
`eid` of 0 to be overwritten by the `session.exec` event.

By emitting the `session.exec` event via the same mechanism as the
`session.start` event it gets a proper event index and no longer
overwrites the `session.start`.

Closes #13622
rosstimothy added a commit that referenced this issue Dec 19, 2022
@rosstimothy
[v10] Prevent "session.start" from being overwritten by "session.exec" (
e09713e 
#19496)

* Prevent "session.start" from being overwritten by "session.exec"

The `session.exec` event was not being passed through the session
recorder, which resulted in said event having an event index of 0.
This caused the original `session.start` event which also has an
`eid` of 0 to be overwritten by the `session.exec` event.

By emitting the `session.exec` event via the same mechanism as the
`session.start` event it gets a proper event index and no longer
overwrites the `session.start`.

Closes #13622
rosstimothy added a commit that referenced this issue Dec 19, 2022
@rosstimothy
[v11] Prevent "session.start" from being overwritten by "session.exec" (
08c2506 
#19497)

* Prevent "session.start" from being overwritten by "session.exec"

The `session.exec` event was not being passed through the session
recorder, which resulted in said event having an event index of 0.
This caused the original `session.start` event which also has an
`eid` of 0 to be overwritten by the `session.exec` event.

By emitting the `session.exec` event via the same mechanism as the
`session.start` event it gets a proper event index and no longer
overwrites the `session.start`.

Closes #13622
rosstimothy added a commit that referenced this issue Dec 19, 2022
@rosstimothy
Prevent "session.start" from being overwritten by "session.exec" (#19450
e166914 
)

The `session.exec` event was not being passed through the session
recorder, which resulted in said event having an event index of 0.
This caused the original `session.start` event which also has an
`eid` of 0 to be overwritten by the `session.exec` event.

By emitting the `session.exec` event via the same mechanism as the
`session.start` event it gets a proper event index and no longer
overwrites the `session.start`.

Closes #13622
rosstimothy added a commit that referenced this issue Dec 21, 2022
@rosstimothy
[v9] Prevent "session.start" from being overwritten by "session.exec" (
dda4160 
…#19499)

The `session.exec` event was not being passed through the session
recorder, which resulted in said event having an event index of 0.
This caused the original `session.start` event which also has an
`eid` of 0 to be overwritten by the `session.exec` event.

By emitting the `session.exec` event via the same mechanism as the
`session.start` event it gets a proper event index and no longer
overwrites the `session.start`.

Closes #13622
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
audit-log Issues related to Teleports Audit Log bug c-nx Internal Customer Reference
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Prevent "session.start" from being overwritten by "session.exec" gravitational/teleport
1 participant
@pschisa