Prevent "session.start" from being overwritten by "session.exec" #19450
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The `session.exec` event was not being passed through the session recorder, which resulted in said event having an event index of 0. This caused the original `session.start` event which also has an `eid` of 0 to be overwritten by the `session.exec` event. By emitting the `session.exec` event via the same mechanism as the `session.start` event it gets a proper event index and no longer overwrites the `session.start`. Closes #13622
rosstimothy
force-pushed
the
tross/fix_missing_session_start
branch
from
e3c397c to
d3e019a
Compare
zmb3
approved these changes
Dec 17, 2022
| @@ -436,13 +436,14 @@ func emitExecAuditEvent(ctx *ServerContext, cmd string, execErr error) { | |||
| scpEvent.Code = events.SCPDownloadCode | |||
| } | |||
| } | |||
| if err := ctx.srv.EmitAuditEvent(ctx.srv.Context(), scpEvent); err != nil { | |||
There was a problem hiding this comment.
For now I think the best we can do is add a comment.
// use ctx.srv instead of ctx.session to emit the event to ensure that it gets recorded
There was a problem hiding this comment.
Added comments in 70c568e indicating the session emitter is recorded and the context emitter is not.
atburke
approved these changes
Dec 19, 2022
|
@rosstimothy See the table below for backport results.
|
This was referenced Dec 19, 2022
rosstimothy
added a commit
that referenced
this pull request
Dec 19, 2022
) The `session.exec` event was not being passed through the session recorder, which resulted in said event having an event index of 0. This caused the original `session.start` event which also has an `eid` of 0 to be overwritten by the `session.exec` event. By emitting the `session.exec` event via the same mechanism as the `session.start` event it gets a proper event index and no longer overwrites the `session.start`. Closes #13622
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
session.execevent was not being passed through the session recorder, which resulted in said event having an event index of 0. This caused the originalsession.startevent which also has aneidof 0 to be overwritten by thesession.execevent.By emitting the
session.execevent via the same mechanism as thesession.startevent it gets a proper event index and no longer overwrites thesession.start.Closes #13622