Merge pull request #1303 from BishopFox/audit/log

Add additional details to audit log

server/rpc/rpc-client-logs.go

@@ -36,9 +36,11 @@ import (
 )
 
 var (
+	// ErrInvalidStreamName - Invalid stream name
 	ErrInvalidStreamName = status.Error(codes.InvalidArgument, "Invalid stream name")
-	rpcClientLogs        = log.NamedLogger("rpc", "client-logs")
-	streamNamePattern    = regexp.MustCompile("^[a-z0-9_-]+$")
+
+	rpcClientLogs     = log.NamedLogger("rpc", "client-logs")
+	streamNamePattern = regexp.MustCompile("^[a-z0-9_-]+$")
 )
 
 type LogStream struct {
@@ -72,7 +74,7 @@ func (l *LogStream) Write(data []byte) (int, error) {
 			return n, err
 		}
 		go gzipFile(partFileName)
-		l.logFile, err = os.OpenFile(fileName, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0600)
+		l.logFile, err = os.OpenFile(fileName, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o600)
 		if err != nil {
 			return n, err
 		}
@@ -129,7 +131,7 @@ func openNewLogStream(logsDir string, stream string) (*LogStream, error) {
 		rpcClientLogs.Warnf("Client console log file already exists: %s", logPath)
 		logPath = filepath.Join(logsDir, filepath.Base(fmt.Sprintf("%s_%s_%s.log", stream, dateTime, randomSuffix(6))))
 	}
-	logFile, err := os.OpenFile(logPath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0600)
+	logFile, err := os.OpenFile(logPath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o600)
 	if err != nil {
 		return nil, err
 	}

server/transport/middleware.go

@@ -30,13 +30,14 @@ import (
 	"github.com/bishopfox/sliver/server/core"
 	"github.com/bishopfox/sliver/server/db"
 	"github.com/bishopfox/sliver/server/log"
-	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"
 	grpc_logrus "github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus"
 	grpc_tags "github.com/grpc-ecosystem/go-grpc-middleware/tags"
 	"github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/peer"
 	"google.golang.org/grpc/status"
 )
 
@@ -55,14 +56,14 @@ func initMiddleware(remoteAuth bool) []grpc.ServerOption {
 	grpc_logrus.ReplaceGrpcLogger(logrusEntry)
 	if remoteAuth {
 		return []grpc.ServerOption{
-			grpc_middleware.WithUnaryServerChain(
+			grpc.ChainUnaryInterceptor(
 				grpc_auth.UnaryServerInterceptor(tokenAuthFunc),
 				auditLogUnaryServerInterceptor(),
 				grpc_tags.UnaryServerInterceptor(grpc_tags.WithFieldExtractor(grpc_tags.CodeGenRequestFieldExtractor)),
 				grpc_logrus.UnaryServerInterceptor(logrusEntry, logrusOpts...),
 				grpc_logrus.PayloadUnaryServerInterceptor(logrusEntry, deciderUnary),
 			),
-			grpc_middleware.WithStreamServerChain(
+			grpc.ChainStreamInterceptor(
 				grpc_auth.StreamServerInterceptor(tokenAuthFunc),
 				grpc_tags.StreamServerInterceptor(grpc_tags.WithFieldExtractor(grpc_tags.CodeGenRequestFieldExtractor)),
 				grpc_logrus.StreamServerInterceptor(logrusEntry, logrusOpts...),
@@ -71,14 +72,14 @@ func initMiddleware(remoteAuth bool) []grpc.ServerOption {
 		}
 	} else {
 		return []grpc.ServerOption{
-			grpc_middleware.WithUnaryServerChain(
+			grpc.ChainUnaryInterceptor(
 				grpc_auth.UnaryServerInterceptor(serverAuthFunc),
 				auditLogUnaryServerInterceptor(),
 				grpc_tags.UnaryServerInterceptor(grpc_tags.WithFieldExtractor(grpc_tags.CodeGenRequestFieldExtractor)),
 				grpc_logrus.UnaryServerInterceptor(logrusEntry, logrusOpts...),
 				grpc_logrus.PayloadUnaryServerInterceptor(logrusEntry, deciderUnary),
 			),
-			grpc_middleware.WithStreamServerChain(
+			grpc.ChainStreamInterceptor(
 				grpc_auth.StreamServerInterceptor(serverAuthFunc),
 				grpc_tags.StreamServerInterceptor(grpc_tags.WithFieldExtractor(grpc_tags.CodeGenRequestFieldExtractor)),
 				grpc_logrus.StreamServerInterceptor(logrusEntry, logrusOpts...),
@@ -184,10 +185,12 @@ func codeToLevel(code codes.Code) logrus.Level {
 }
 
 type auditUnaryLogMsg struct {
-	Request string `json:"request"`
-	Method  string `json:"method"`
-	Session string `json:"session,omitempty"`
-	Beacon  string `json:"beacon,omitempty"`
+	Request  string `json:"request"`
+	Method   string `json:"method"`
+	Session  string `json:"session,omitempty"`
+	Beacon   string `json:"beacon,omitempty"`
+	RemoteIP string `json:"remote_ip"`
+	User     string `json:"user"`
 }
 
 func auditLogUnaryServerInterceptor() grpc.UnaryServerInterceptor {
@@ -203,10 +206,14 @@ func auditLogUnaryServerInterceptor() grpc.UnaryServerInterceptor {
 			middlewareLog.Errorf("Middleware failed to insert details: %s", err)
 		}
 
+		p, _ := peer.FromContext(ctx)
+
 		// Construct Log Message
 		msg := &auditUnaryLogMsg{
-			Request: string(rawRequest),
-			Method:  info.FullMethod,
+			Request:  string(rawRequest),
+			Method:   info.FullMethod,
+			User:     getUser(p),
+			RemoteIP: p.Addr.String(),
 		}
 		if session != nil {
 			sessionJSON, _ := json.Marshal(session)
@@ -225,6 +232,20 @@ func auditLogUnaryServerInterceptor() grpc.UnaryServerInterceptor {
 	}
 }
 
+func getUser(client *peer.Peer) string {
+	tlsAuth, ok := client.AuthInfo.(credentials.TLSInfo)
+	if !ok {
+		return ""
+	}
+	if len(tlsAuth.State.VerifiedChains) == 0 || len(tlsAuth.State.VerifiedChains[0]) == 0 {
+		return ""
+	}
+	if tlsAuth.State.VerifiedChains[0][0].Subject.CommonName != "" {
+		return tlsAuth.State.VerifiedChains[0][0].Subject.CommonName
+	}
+	return ""
+}
+
 func getActiveTarget(rawRequest []byte) (*clientpb.Session, *clientpb.Beacon, error) {
 
 	var activeBeacon *clientpb.Beacon

server/transport/mtls.go

@@ -115,9 +115,6 @@ func getOperatorServerTLSConfig(host string) *tls.Config {
 		Certificates: []tls.Certificate{cert},
 		MinVersion:   tls.VersionTLS13,
 	}
-	if certs.TLSKeyLogger != nil {
-		tlsConfig.KeyLogWriter = certs.TLSKeyLogger
-	}
 
 	return tlsConfig
 }