mirrors/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2026-01-16 05:51:50 +01:00
Code Issues Packages Projects Releases Wiki Activity
tailscale/ssh/tailssh/auditd_linux_test.go
James Tucker 39a61888b8 ssh/tailssh: send audit messages on SSH login (Linux) 
Send LOGIN audit messages to the kernel audit subsystem on Linux
when users successfully authenticate to Tailscale SSH. This provides
administrators with audit trail integration via auditd or journald,
recording details about both the Tailscale user (whois) and the
mapped local user account.

The implementation uses raw netlink sockets to send AUDIT_USER_LOGIN
messages to the kernel audit subsystem. It requires CAP_AUDIT_WRITE
capability, which is checked at runtime. If the capability is not
present, audit logging is silently skipped.

Audit messages are sent to the kernel (pid 0) and consumed by either
auditd (written to /var/log/audit/audit.log) or journald (available
via journalctl _TRANSPORT=audit), depending on system configuration.

Note: This may result in duplicate messages on a system where
auditd/journald audit logs are enabled and the system has and supports
`login -h`. Sadly Linux login code paths are still an inconsistent wild
west so we accept the potential duplication rather than trying to avoid
it.

Fixes #18332

Signed-off-by: James Tucker <james@tailscale.com>
2026-01-05 16:53:05 -08:00

181 lines
4.9 KiB
Go
Raw Permalink Blame History

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
//go:build linux && !android
package tailssh
import (
"bufio"
"bytes"
"context"
"encoding/binary"
"fmt"
"os"
"os/exec"
"strings"
"syscall"
"testing"
"time"
)
// maybeWithSudo returns a command with context that may be prefixed with sudo if not running as root.
func maybeWithSudo(ctx context.Context, name string, args ...string) *exec.Cmd {
if os.Geteuid() == 0 {
return exec.CommandContext(ctx, name, args...)
}
sudoArgs := append([]string{name}, args...)
return exec.CommandContext(ctx, "sudo", sudoArgs...)
}
func TestBuildAuditNetlinkMessage(t *testing.T) {
testCases := []struct {
name string
msgType uint16
message string
wantType uint16
}{
{
name: "simple-message",
msgType: auditUserLogin,
message: "op=login acct=test",
wantType: auditUserLogin,
},
{
name: "message-with-quoted-fields",
msgType: auditUserLogin,
message: `op=login hostname="test-host" exe="/usr/bin/tailscaled" ts_user="user@example.com" ts_node="node.tail-scale.ts.net"`,
wantType: auditUserLogin,
},
{
name: "message-with-special-chars",
msgType: auditUserLogin,
message: `op=login hostname="host with spaces" ts_user="user name@example.com" ts_display_name="User \"Quote\" Name"`,
wantType: auditUserLogin,
},
{
name: "long-message-truncated",
msgType: auditUserLogin,
message: string(make([]byte, 2000)),
wantType: auditUserLogin,
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
msg, err := buildAuditNetlinkMessage(tc.msgType, tc.message)
if err != nil {
t.Fatalf("buildAuditNetlinkMessage failed: %v", err)
}
if len(msg) < syscall.NLMSG_HDRLEN {
t.Fatalf("message too short: got %d bytes, want at least %d", len(msg), syscall.NLMSG_HDRLEN)
}
var nlh syscall.NlMsghdr
buf := bytes.NewReader(msg[:syscall.NLMSG_HDRLEN])
if err := binary.Read(buf, binary.NativeEndian, &nlh); err != nil {
t.Fatalf("failed to parse netlink header: %v", err)
}
if nlh.Type != tc.wantType {
t.Errorf("message type: got %d, want %d", nlh.Type, tc.wantType)
}
if nlh.Flags != nlmFRequest {
t.Errorf("flags: got 0x%x, want 0x%x", nlh.Flags, nlmFRequest)
}
if len(msg)%syscall.NLMSG_ALIGNTO != 0 {
t.Errorf("message not aligned: len=%d, alignment=%d", len(msg), syscall.NLMSG_ALIGNTO)
}
payloadLen := int(nlh.Len) - syscall.NLMSG_HDRLEN
if payloadLen < 0 {
t.Fatalf("invalid payload length: %d", payloadLen)
}
payload := msg[syscall.NLMSG_HDRLEN : syscall.NLMSG_HDRLEN+payloadLen]
expectedMsg := tc.message
if len(expectedMsg) > maxAuditMessageLength {
expectedMsg = expectedMsg[:maxAuditMessageLength]
}
if string(payload) != expectedMsg {
t.Errorf("payload mismatch:\ngot: %q\nwant: %q", string(payload), expectedMsg)
}
expectedLen := syscall.NLMSG_HDRLEN + len(payload)
if int(nlh.Len) != expectedLen {
t.Errorf("length field: got %d, want %d", nlh.Len, expectedLen)
}
})
}
}
func TestAuditIntegration(t *testing.T) {
if !hasAuditWriteCap() {
t.Skip("skipping: CAP_AUDIT_WRITE not in effective capability set")
}
if _, err := exec.LookPath("journalctl"); err != nil {
t.Skip("skipping: journalctl not available")
}
ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
defer cancel()
checkCmd := maybeWithSudo(ctx, "journalctl", "--field", "_TRANSPORT")
var out bytes.Buffer
checkCmd.Stdout = &out
if err := checkCmd.Run(); err != nil {
t.Skipf("skipping: cannot query journalctl transports: %v", err)
}
if !strings.Contains(out.String(), "audit") {
t.Skip("skipping: journald not configured for audit messages, try: systemctl enable systemd-journald-audit.socket && systemctl restart systemd-journald")
}
testID := fmt.Sprintf("tailscale-test-%d", time.Now().UnixNano())
testMsg := fmt.Sprintf("op=test-audit test_id=%s res=success", testID)
followCmd := maybeWithSudo(ctx, "journalctl", "-f", "_TRANSPORT=audit", "--no-pager")
stdout, err := followCmd.StdoutPipe()
if err != nil {
t.Fatalf("failed to get stdout pipe: %v", err)
}
if err := followCmd.Start(); err != nil {
t.Fatalf("failed to start journalctl: %v", err)
}
defer followCmd.Process.Kill()
testLogf := func(format string, args ...any) {
t.Logf(format, args...)
}
sendAuditMessage(testLogf, auditUserLogin, testMsg)
bs := bufio.NewScanner(stdout)
found := false
for bs.Scan() {
line := bs.Text()
if strings.Contains(line, testID) {
t.Logf("found audit log entry: %s", line)
found = true
break
}
}
if err := bs.Err(); err != nil && ctx.Err() == nil {
t.Fatalf("error reading journalctl output: %v", err)
}
if !found {
if ctx.Err() == context.DeadlineExceeded {
t.Errorf("timeout waiting for audit message with test_id=%s", testID)
} else {
t.Errorf("audit message with test_id=%s not found in journald audit log", testID)
}
}
}
Reference in New Issue View Git Blame Copy Permalink