sftp activity logging / Fluent Bit

2023-09-28 Thread Mikko Lehto
2023-08-31 (Thu) 16:29 UTC -0500  :

> I am setting an openbsd 7.3 stable system to serve files via ssh's sftp
> subsystem.
> 
> Does openssh have a native way to audit what files were
> downloaded/uploaded with user/timestamp information?
> 
> If not, are there any recommendations?


(I think you did not ask for suggestions for the log parsing part, but here is one
anyway)

This is what I have come up with using Fluent Bit and OpenSSH portable on another OS:
---
[PARSER]
Name my_sftp_receiver
Format regex
Time_Key time
Time_Format %Y-%m-%dT%H:%M:%S.%L%z
# Regex must stay on one line in the Fluent Bit config. The capture names
# time, filename, dlsize and ulsize follow Time_Key and Types below; the
# names pri, host and ident are assumed (the archived copy lost the <name> parts).
Regex ^\<(?<pri>[0-9]{1,5})\>(?<time>.+) (?<host>[^ ]*) (?<ident>[^ ]+): close "(?<filename>.+)" bytes read (?<dlsize>.*) written (?<ulsize>.*)$
Types filename:string dlsize:int ulsize:int
---

My use case is to get triggered after a successful upload, so the rest of the
Fluent Bit pipeline is set to do an output action (HTTP POST) when the
variable "ulsize" is greater than 0 and "filename" contains a directory
path of special interest.

Hope this helps.

-- 
Mikko



Re: OpenBSD Wireguard implementation not copying ToS from inner to outer WG header

2023-09-28 Thread Andy Lemin



> On 29 Sep 2023, at 00:09, Sonic  wrote:
> 
> 
> Hopefully not as dumb of a question as I suspect it might be.
> Does the generic...
> =
> match out on $ext_if inet proto tcp from ($ext_if) set prio (3, 7)
> match in  on $ext_if inet proto tcp to ($ext_if) set prio (3, 7)
> =
> ...take advantage of this patch when using wireguard or does the match need 
> to be applied to the wgx interface?

Hi.
I have a generic ‘match’ which does not specify interfaces or direction, and 
which sets prio, tos, and queue on all the important things. 
So yes, like your example but without direction or interface.

And of course use specific interface-dependent rules to pass or drop things as 
needed.

Then as packets enter the inside interface, the prio will be set. And when the 
packet gets to the wg interface, the prio is copied (with this patch), and 
finally the encrypted packet gets pulled out of the outside interface’s queue 
in prio order (there is more going on here, but you can assume prio order).

You will not currently be able to get the encrypted packet into any queue other 
than the ‘default’ queue as the packet tos flags and queue state labels are 
lost during encryption. But now that the prio is copied with this patch, at 
least your ACKs etc will be pulled from the one default queue first.

As this will be facing your internet connection (smaller than your LAN), you 
should still see a benefit even though TOS is not yet copied. The longer the 
pipe / greater the BDP, the more noticeable it will be.

Hope this helps, Andy.




Re: Force Probing Intel GPU

2023-09-28 Thread Jonathan Gray
On Thu, Sep 28, 2023 at 11:23:03AM +, Gökhan Özdemir wrote:
> Hello,
> 
> I have an Intel Arc A770 which requires force probe kernel parameter 
> (i915.force_probe=56a0) on linux 6.1. Since current drm stack on OpenBSD is 
> 6.1, I am looking for a way to find OpenBSD equivalent of force probe.
> 
> I am running -current and manually installed inteldrm firmware via fw_update

Matching isn't the whole problem.

The dg2 cards take paths that are not fully implemented:
https://marc.info/?l=openbsd-tech=2=1=dg2=b



Re: sftp activity logging?

2023-09-28 Thread Daniele B.


Copy.. ;)


Stuart Longland VK4MSL  wrote:

> On 28/9/23 18:29, Daniele B. wrote:  
> > Any more update?
> > 
> > Beside FTPD having instead vsftpd like the ftp man one
> 
> sftp ≠ ftp/ftps
> 
> FTP is the original File Transfer Protocol, introduced in 1971 and 
> described in RFC-959.
> 
> FTPS is FTP run over TLS.
> 
> SFTP is a file transfer subsystem run over SSH. 



Re: sftp activity logging?

2023-09-28 Thread Stuart Longland VK4MSL

On 28/9/23 18:29, Daniele B. wrote:

Any more update?

Beside FTPD having instead vsftpd like the ftp man one


sftp ≠ ftp/ftps

FTP is the original File Transfer Protocol, introduced in 1971 and 
described in RFC-959.


FTPS is FTP run over TLS.

SFTP is a file transfer subsystem run over SSH.
--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



mount invalid argument

2023-09-28 Thread Daniele B.


Hello,

wiz$ mount -t ffs /dev/sd1i /mnt/stick

mount_ffs: /dev/sd1i on /mnt/stick: Invalid argument

Maybe "Invalid argument" here could be expanded to "wrong -t
argument", "wrong file system type argument"? 

We are continuing to guess in this way..

Hope it is helpful ;)


-- Daniele Bonini



Re: OpenBSD 7.2 fw stack trace on Dell R740

2023-09-28 Thread Hrvoje Popovski
On 26.9.2023. 9:24, Joerg Streckfuss wrote:
> 
> Hi Stuart,
> 
> Am 25.09.23 um 19:08 schrieb Stuart Henderson:
>> That might possibly be the one fixed by 7.2 errata 008, so if you don't
>> already have that you at least want to syspatch.
> 
> That was my guess as well. However, the systems were patched up to 7.2
> errata-016. I applied the remaining patches. So far the systems are
> running stable. Are there any changes between the 7.2 and 7.3 releases
> that could indicate a bug?
> 
> Many regards,
> 
> Joerg

Hi,

If you can go to snapshot or wait for 7.4. Thanks to dlg@ my pfsync
firewalls are rock stable after this commit

https://marc.info/?l=openbsd-cvs=168861927203498=2








Force Probing Intel GPU

2023-09-28 Thread Gökhan Özdemir
Hello,

I have an Intel Arc A770 which requires the force probe kernel parameter 
(i915.force_probe=56a0) on Linux 6.1. Since the current drm stack on OpenBSD is 
6.1, I am looking for the OpenBSD equivalent of force probe.

I am running -current and manually installed inteldrm firmware via fw_update

Methods I have tried so far:

Index: autoconf.h
===
RCS file: /cvs/src/sys/dev/pci/drm/include/generated/autoconf.h,v
retrieving revision 1.10
diff -u -p -r1.10 autoconf.h
--- autoconf.h 3 Oct 2022 10:07:01 - 1.10
+++ autoconf.h 28 Sep 2023 12:14:45 -
@@ -27,7 +27,7 @@
 #define CONFIG_DRM_I915_STOP_TIMEOUT 100 /* ms */
 #define CONFIG_DRM_I915_FENCE_TIMEOUT 1 /* ms */
 #define CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND 250 /* ms */
-#define CONFIG_DRM_I915_FORCE_PROBE ""
+#define CONFIG_DRM_I915_FORCE_PROBE "*,56a0"
 #ifdef __HAVE_ACPI
 #include "acpi.h"
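Review bot: "*,56a0" is redundant and wider than needed, since "*" on its own already matches every device id in device_id_in_list, so the 56a0 entry adds nothing; scope the override to the one card with `#define CONFIG_DRM_I915_FORCE_PROBE "56a0"`. Because this is a compile-time default rather than a runtime module parameter on OpenBSD, also confirm that i915_modparams.force_probe is actually initialised from this define in the OpenBSD build; if it is not, the edit has no effect, which would explain the "no luck" result.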

also tried different combinations like "*", "56a0", "56a0,56a1,56a5,56a6" and 
built the kernel, but no luck.

Modified the functions where it checks if the device is forced or blocked.

Index: i915_pci.c
===
RCS file: /cvs/src/sys/dev/pci/drm/i915/i915_pci.c,v
retrieving revision 1.19
diff -u -p -r1.19 i915_pci.c
--- i915_pci.c 15 Jun 2023 02:46:22 - 1.19
+++ i915_pci.c 28 Sep 2023 12:13:37 -
@@ -1293,12 +1293,12 @@ static bool device_id_in_list(u16 device
 static bool id_forced(u16 device_id)
 {
- return device_id_in_list(device_id, i915_modparams.force_probe, false);
+ return true;
 }
 static bool id_blocked(u16 device_id)
 {
- return device_id_in_list(device_id, i915_modparams.force_probe, true);
+ return false;
 }
 bool i915_pci_resource_valid(struct pci_dev *pdev, int bar)
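Review bot: Returning constants from id_forced and id_blocked discards the device_id argument, so the block list is disabled for every device rather than only the DG2 card, and device_id is now unused in both functions. If the goal is to force one device, keep the list logic and change only id_forced, for example `return device_id_in_list(device_id, i915_modparams.force_probe, false) || device_id == 0x56a0;`, leaving id_blocked as it was.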
still, no luck.

As a last resort, removed the require_force_probe definition in dg2_info

Index: i915_pci.c
===
RCS file: /cvs/src/sys/dev/pci/drm/i915/i915_pci.c,v
retrieving revision 1.19
diff -u -p -r1.19 i915_pci.c
--- i915_pci.c 15 Jun 2023 02:46:22 - 1.19
+++ i915_pci.c 28 Sep 2023 12:22:00 -
@@ -1078,7 +1078,6 @@ static const struct intel_device_info dg
 XE_LPD_FEATURES,
 .__runtime.cpu_transcoder_mask = BIT(TRANSCODER_A) | BIT(TRANSCODER_B) |
 BIT(TRANSCODER_C) | BIT(TRANSCODER_D),
- .require_force_probe = 1,
 };
 static const struct intel_device_info ats_m_info = {
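Review bot: Dropping `.require_force_probe = 1` from dg2_info removes the marker the driver uses to say this platform is not complete, without adding what is missing, and the dmesg that follows shows the consequence: `init_stolen_lmem: stub` and `intel_memory_regions_hw_probe *ERROR* Failed to setup region(-78)` (errno 78 is ENOSYS on OpenBSD). The flag is doing its job; the missing piece is the DG2 memory-region / stolen-LMEM path, which this hunk does not provide.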

With this change, the GPU gets registered as inteldrm but falls back to efifb with 
this error:

pci3 at ppb2 bus 3
inteldrm0 at pci3 dev 0 function 0 "Intel Arc A770" rev 0x08
drm0 at inteldrm0
inteldrm0: msi, DG2, gen 12
xehp_load_dss_mask: stub
xehp_load_dss_mask: stub
intel_slicemask_from_xehp_dssmask: stub
intel_slicemask_from_xehp_dssmask: stub
init_stolen_lmem: stub
drm:pid0:intel_memory_regions_hw_probe *ERROR* [drm] *ERROR* Failed to setup 
region(-78) type=3
Device initialization failed (-78)
efifb0 at mainbus0: 1920x1080, 32bpp

dmesgs for both the unmodified and the modified kernel are attached

Thanks for any help!

- Gökhan
real mem = 34122215424 (32541MB)
avail mem = 33068335104 (31536MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.4 @ 0x79d2a000 (118 entries)
bios0: vendor American Megatrends Inc. version "2611" date 08/11/2023
bios0: ASUS PRIME Z690-P D4
efi0 at bios0: UEFI 2.8
efi0: American Megatrends rev 0x5001b
acpi0 at bios0: ACPI 6.4
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP MCFG FIDT SSDT SSDT SSDT SSDT HPET APIC MCFG SSDT NHLT 
LPIT SSDT SSDT DBGP DBG2 SSDT DMAR FPDT SSDT SSDT SSDT BGRT WPBT TPM2 PHAT WSMT
acpi0: wakeup devices PEG1(S4) PEGP(S4) PEGP(S4) PEG0(S4) PEGP(S4) RP09(S4) 
PXSX(S4) RP10(S4) PXSX(S4) RP11(S4) PXSX(S4) RP12(S4) PXSX(S4) RP13(S4) 
PXSX(S4) RP14(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xc000, bus 0-255
acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: 12th Gen Intel(R) Core(TM) i5-12600KF, 5002.58 MHz, 06-97-02, patch 
002e
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,PKU,WAITPKG,PKS,MD_CLEAR,IBT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,TAA_NO,MISC_PKG_CT,ENERGY_FILT,DOITM,SBDR_SSDP_N,FBSDP_NO,PSDP_NO,RRSBA,OVERCLOCK,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 48KB 64b/line 12-way D-cache, 32KB 64b/line 8-way I-cache, 1MB 64b/line 
10-way L2 cache, 20MB 64b/line 10-way L3 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var 

Re: OpenBSD Wireguard implementation not copying ToS from inner to outer WG header

2023-09-28 Thread Sonic
Hopefully not as dumb of a question as I suspect it might be.
Does the generic...
=
match out on $ext_if inet proto tcp from ($ext_if) set prio (3, 7)
match in  on $ext_if inet proto tcp to ($ext_if) set prio (3, 7)
=
...take advantage of this patch when using wireguard or does the match need
to be applied to the wgx interface?


Re: I nuked my filesystem

2023-09-28 Thread Isaac Meerleo
Just want to close the loop.
I ended up finding a backup of my mbox on a different machine with
the disklabel in the insecurity update (thanks for the tip, Nick).
I installed it on the disk and had access to everything except root!

Out of curiosity, I generated a new disklabel for that same disk with
disklabel -A and predictably, the offsets and sizes were all correct in
that one too.

Thank you all for your wisdom and reorienting my week around
proper backups.

Isaac

> To be clear: having overwritten the starting 5GB of sd1c,
> but not of the underlying sd0c, you still have the CRYPTO volume on
> sd0c which you can attach with bioctl, right?

If my ssd is sd0 and my bio(4) managed volume is sd1, then I dd'd over
sd1 (all of sd1a, some of swap).

On Wed, Sep 27, 2023 at 6:16 PM Stuart Henderson
 wrote:
>
> On 2023-09-27, Isaac Meerleo  wrote:
> > Thank you all for your replies.  I needed to step away from my
> > computer last night so I apologize for the terse email.
> > sd0 is my physical hard disk with full disk encryption.  I wrote a 5gb
> > iso over the beginning of sd1c (my softraid volume).  I rebooted. I
> > installed openbsd on a separate drive, booted it, mounted the
> > encrypted volume, and hopelessly ran scan_ffs.
> >
> > After reading Stuart's advice, I will attempt to reinstall the
> > disklabel from scratch. I installed 7.2 on my second disk; the version
> > I used to do the initial install.
> > When I initially set up my disk, I used the auto partition defaults
> > which left me with a 300gb /home directory. Later, I expanded the
> > /home partition across the rest of the disk. When I recreate the
> > disklabel, should I let it auto partition and then grow the file
> > system like before? Or should I just set home to fill the rest of the
> > disk?
>
> Set it to fill the rest of the disk - don't run growfs on it again.
>
> I would be wanting to mount filesystems read-only and try to copy data
> off to another disk, then reinstall on the disk with damaged disklabel
> and copy back, rather than relying on the existing filesystems long-term.
>
>



Re: sftp activity logging?

2023-09-28 Thread Stuart Henderson
On 2023-09-28, Nick Holland  wrote:
> On 8/31/23 17:29, myml...@gmx.com wrote:
>> Hi All,
>> 
>> I am setting an openbsd 7.3 stable system to serve files via ssh's sftp
>> subsystem.
>> 
>> Does openssh have a native way to audit what files were
>> downloaded/uploaded with user/timestamp information?
>> 
>> If not, are there any recommendations?
>> 
>> Thanks in advance.
>> 
>
> Try this, perhaps?
>
> man sftp-server,
>   options of interest may include -f, -l.
>
> You will probably have to have a /dev/log inside the chroot, which
> also means the "nodev" option is not your friend.

Files accessed: yes. Files opened are logged with flags, so you can
distinguish between read/write. Files closed, renamed, removed are logged.

User: yes, but you'll need to match lines together based on PID,
look for the 'session opened/closed' lines which have username/IP.
In a long running connection authlog may have rotated between the
connection and transfer.

You don't need a /dev/log socket to do this on OpenBSD, we have the
mechanism described in sendsyslog(2). For sftp chroot with the internal-sftp
implementation you can do "ForceCommand internal-sftp -l INFO".
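To show both points made in this thread in working code, here is an added example that is not from any of the posters or from OpenSSH: it parses the lines sftp-server writes at "-l INFO", correlates each "close" with the "session opened ... for local user X from [IP]" line sharing the same PID (Stuart's point above), keeps the flags from the matching "open" line so reads and writes can be told apart, and then applies the same trigger Mikko's Fluent Bit pipeline uses (bytes written greater than 0 and a path under a directory of interest). The log lines, hostname, user, address and PIDs are constructed; the syslog ident `internal-sftp` is assumed. A "close" whose session line is missing (for example because authlog rotated mid-connection) is kept with the user and IP set to None rather than dropped, and paths are normalised before the directory check so a path containing ".." cannot dodge it.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed authlog-style lines (not from the thread). The message formats are
# the ones sftp-server logs at INFO; host, user, address and PIDs are made up.
SAMPLE_AUTHLOG = """\
Sep 28 16:29:01 files internal-sftp[4711]: session opened for local user alice from [192.0.2.10]
Sep 28 16:29:05 files internal-sftp[4711]: open "/incoming/report.pdf" flags WRITE,CREATE,TRUNCATE mode 0644
Sep 28 16:29:07 files internal-sftp[4711]: close "/incoming/report.pdf" bytes read 0 written 204800
Sep 28 16:29:09 files internal-sftp[4711]: open "/pub/readme.txt" flags READ mode 0666
Sep 28 16:29:09 files internal-sftp[4711]: close "/pub/readme.txt" bytes read 1234 written 0
Sep 28 16:30:00 files internal-sftp[4711]: session closed for local user alice from [192.0.2.10]
Sep 28 16:31:00 files internal-sftp[4802]: close "/incoming/../incoming/late.bin" bytes read 0 written 512
"""

# Outer syslog framing: "Mon DD HH:MM:SS host ident[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<ident>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# The three sftp-server messages we care about
SESSION_RE = re.compile(
    r"^session (?P<state>opened|closed) for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]$")
OPEN_RE = re.compile(r'^open "(?P<path>.+)" flags (?P<flags>\S+) mode 0(?P<mode>[0-7]+)$')
CLOSE_RE = re.compile(r'^close "(?P<path>.+)" bytes read (?P<read>\d+) written (?P<written>\d+)$')


@dataclass(frozen=True)
class Transfer:
    ts: str
    pid: str
    user: Optional[str]   # None when no session line was seen for this PID
    ip: Optional[str]
    path: str
    flags: str            # from the matching "open", or UNKNOWN
    bytes_read: int
    bytes_written: int


def correlate(lines) -> List[Transfer]:
    """Attribute every file close to a user/IP via the PID of its session."""
    sessions = {}   # pid -> (user, ip) for sessions currently open
    opened = {}     # (pid, path) -> flags from the matching "open" line
    transfers = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        s = SESSION_RE.match(msg)
        if s:
            if s["state"] == "opened":
                sessions[pid] = (s["user"], s["ip"])
            else:
                sessions.pop(pid, None)
            continue
        o = OPEN_RE.match(msg)
        if o:
            opened[(pid, o["path"])] = o["flags"]
            continue
        c = CLOSE_RE.match(msg)
        if c:
            user, ip = sessions.get(pid, (None, None))  # None: session line missing/rotated
            transfers.append(Transfer(
                ts=m["ts"], pid=pid, user=user, ip=ip, path=c["path"],
                flags=opened.pop((pid, c["path"]), "UNKNOWN"),
                bytes_read=int(c["read"]), bytes_written=int(c["written"])))
    return transfers


def under(path: str, prefix: str) -> bool:
    """True if the normalised path is prefix itself or lies inside it."""
    norm = posixpath.normpath(path)
    prefix = posixpath.normpath(prefix)
    return norm == prefix or norm.startswith(prefix.rstrip("/") + "/")


def uploads_of_interest(transfers, prefix="/incoming") -> List[Transfer]:
    """Mikko's trigger: something was written, and the file sits under prefix."""
    return [t for t in transfers if t.bytes_written > 0 and under(t.path, prefix)]


if __name__ == "__main__":
    for t in uploads_of_interest(correlate(SAMPLE_AUTHLOG.splitlines())):
        who = f"{t.user}@{t.ip}" if t.user else f"pid {t.pid} (session line missing)"
        print(f"{t.ts} upload {t.path} {t.bytes_written} bytes by {who} flags {t.flags}")
```

Feed it `/var/log/authlog` (or its rotated predecessors concatenated in order, which is what makes the PID join survive rotation) and the output is the per-user upload list the original question asked for; an entry with `session line missing` is the case Stuart warns about and is worth keeping visible rather than silently dropping.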




Re: sftp activity logging?

2023-09-28 Thread Nick Holland

On 8/31/23 17:29, myml...@gmx.com wrote:

Hi All,

I am setting an openbsd 7.3 stable system to serve files via ssh's sftp
subsystem.

Does openssh have a native way to audit what files were
downloaded/uploaded with user/timestamp information?

If not, are there any recommendations?

Thanks in advance.



Try this, perhaps?

man sftp-server,
 options of interest may include -f, -l.

You will probably have to have a /dev/log inside the chroot, which
also means the "nodev" option is not your friend.

Nick.



Re: sftp activity logging?

2023-09-28 Thread Daniele B.


Any more update?


Beside FTPD having instead vsftpd like the ftp man one:

dual_log_enable
If enabled, two log files are generated in parallel, going by default
to /var/log/xferlog and /var/log/vsftpd.log. The former is a wu-ftpd
style transfer log, parseable by standard tools. The latter is vsftpd's
own style log. Default: NO

log_ftp_protocol
When enabled, all FTP requests and responses are logged, providing the
option xferlog_std_format is not enabled. Useful for debugging.
Default: NO

syslog_enable
If enabled, then any log output which would have gone to
/var/log/vsftpd.log goes to the system log instead. Logging is done
under the FTPD facility. Default: NO

xferlog_enable
If enabled, a log file will be maintained detailing uploads and
downloads. By default, this file will be placed at /var/log/vsftpd.log,
but this location may be overridden using the configuration setting
vsftpd_log_file. Default: NO (but the sample config file enables it)

xferlog_std_format
If enabled, the transfer log file will be written in standard xferlog
format, as used by wu-ftpd. This is useful because you can reuse
existing transfer statistics generators. The default format is more
readable, however. The default location for this style of log file is
/var/log/xferlog, but you may change it with the setting xferlog_file.
Default: NO


-- Daniele Bonini


"myml...@gmx.com"  wrote:

> Hi All,
> 
> I am setting an openbsd 7.3 stable system to serve files via ssh's
> sftp subsystem.
> 
> Does openssh have a native way to audit what files were
> downloaded/uploaded with user/timestamp information?
> 
> If not, are there any recommendations?
> 
> Thanks in advance.
>