Hello, I have checked the source code and found that the user id is generated randomly using some prefix.
This is not so good for audit logs. Maybe someone from the guacamole maintainers could look into it?

Tue, 10 Dec 2024 at 23:43, Anakien Skywalker <[email protected]>:

> Hello,
>
> Thank you Peter for such a detailed analysis.
>
> I would like to add a few comments:
>
> Any logging application (promtail, fluentd etc.) attaches a timestamp without any problem.
>
> The timestamp itself can't be the source of truth, since when guacamole is used by multiple users at the same time it is impossible to match the events.
>
> Internal connection history is nice. But from a security perspective the last source of truth usually is logging.
>
> Tue, 10 Dec 2024, 23:17 mailinglists <[email protected]>:
>
>> Hi,
>>
>> I tried on my instance (containers using podman) with an SSH connection.
>>
>> I could not find any evidence of a mapping between the users in the PostgreSQL database provided by my "guacamole-pgsql" container and the "strange" connection guids (@xxxx) from the guacd logs, even when the LOG_LEVEL was set to "trace" for guacd.
>>
>> The "guacamole-guacamole" container's logs showed the username of the connecting user!
>>
>> I would not rely on the logs since they are maybe only available during runtime (when using containers), but one could set up the containers to store their logs persistently (in podman with the --log* parameters); then you can trace what happened in a detailed way.
>> But still you would not have any date/time information in guacd logs until you modify the logging format through some configuration change.
>>
>> What I found out: if you enable recording for the sessions and the recording file names contain the "${GUAC_USERNAME}" parameter token, then you see the username in guacd's logs as part of the recording files.
>> Since there are also parameter tokens for the current date and time, you would for example see something like this in guacd's logs:
>>
>> guacd[17921]: INFO: Recording of session will be saved to "/drives_rec/822ec874-03e2-34de-93d3-7058a417529d/20241210_193745_skywalker.rec"
>>
>> where in this case "skywalker" was the username and "20241210_193745" was the date and time (${GUAC_DATE}_${GUAC_TIME}__${GUAC_USERNAME}.rec), so in this case "10th of December 2024 at 19:37:45".
>>
>> I am not an expert but I hope I gave some insights. I am also very interested if there is any other solution to this, to be able to track down who connected when via these logged guids, but anyway, the database has the information and there is no need to look at guacd's logs for connections that happened; that might be the case while the developer chose not to log the date/time beforehand.
>> You can even see every connection's details in the web UI on the connection settings page or in the global history.
>> You could also grab it from the database using "select * from guacamole_connection_history;"
>>
>> Trying to answer your question, I think you cannot track down who that user was since you have absolutely no date/time information just by looking at the guacd logs! If you somehow (like me) have evidence of a date/time through other log entries you might be able to track it down to a time frame by using the logs, but this makes no sense.
>>
>> I am very interested in other opinions here since I just analyzed what I could see from my setup.
>>
>> Regards
>>
>> Peter
>>
>> On 09.12.24 at 11:04, Anakien Skywalker wrote:
>>
>> Hello,
>>
>> My apologies if this was raised already. I checked the docs and google, but did not find anything.
>>
>> I want to know who was the user connected to the VNC on the guacd side. The following logs are present:
>>
>> guacd[429082]: INFO: User "@3f4a2401-aef9-414a-bcd6-f229f573f494" joined connection "$8e8c828f-d1d3-47b3-9943-bae1ed9801ab" (1 users now present)
>> guacd[429082]: INFO: User "@3f4a2401-aef9-414a-bcd6-f229f573f494" disconnected (0 users remain)
>> guacd[429082]: INFO: Last user of connection "$8e8c828f-d1d3-47b3-9943-bae1ed9801ab" disconnected
>> guacd[429082]: INFO: Internal VNC client disconnected
>> guacd[1]: INFO: Connection "$8e8c828f-d1d3-47b3-9943-bae1ed9801ab" removed.
>>
>> But I can't find such user IDs anywhere in guacamole users. Is there any way to resolve/map this?
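The approach Peter describes (recording file names built from `${GUAC_DATE}_${GUAC_TIME}_${GUAC_USERNAME}.rec` tokens, so that the "Recording of session will be saved to" line carries the username and a timestamp the other guacd lines lack) can be turned into a small audit-correlation step. The script below is an added example written for this thread, not code from the thread's participants or from the Guacamole project. It parses the guacd message shapes quoted above and attaches the username and start time from the recording line to the `@<guid>` join and disconnect events. It assumes that the PID in the `guacd[NNN]:` prefix is the same for all lines of one connection (guacd handling each connection in a child process) so that PID can be used as the join key; the sample log lines are constructed, reusing the identifiers from the thread plus a second made-up session that has no recording line, to show the unresolved case the thread complains about.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample lines in the shape of the guacd messages quoted in the thread.
# The first session reuses the thread's GUIDs and recording path; the PIDs and the
# second session (no recording enabled) are made up for the example.
SAMPLE_LOG = """\
guacd[17921]: INFO: Recording of session will be saved to "/drives_rec/822ec874-03e2-34de-93d3-7058a417529d/20241210_193745_skywalker.rec"
guacd[17921]: INFO: User "@3f4a2401-aef9-414a-bcd6-f229f573f494" joined connection "$8e8c828f-d1d3-47b3-9943-bae1ed9801ab" (1 users now present)
guacd[17921]: INFO: User "@3f4a2401-aef9-414a-bcd6-f229f573f494" disconnected (0 users remain)
guacd[17921]: INFO: Last user of connection "$8e8c828f-d1d3-47b3-9943-bae1ed9801ab" disconnected
guacd[1]: INFO: Connection "$8e8c828f-d1d3-47b3-9943-bae1ed9801ab" removed.
guacd[17950]: INFO: User "@0b1c2d3e-0000-4000-8000-000000000001" joined connection "$11111111-2222-4333-8444-555555555555" (1 users now present)
guacd[17950]: INFO: User "@0b1c2d3e-0000-4000-8000-000000000001" disconnected (0 users remain)
"""

RECORDING_RE = re.compile(r'guacd\[(\d+)\]: INFO: Recording of session will be saved to "([^"]+)"')
JOIN_RE = re.compile(r'guacd\[(\d+)\]: INFO: User "(@[0-9a-f-]+)" joined connection "(\$[0-9a-f-]+)"')
LEAVE_RE = re.compile(r'guacd\[(\d+)\]: INFO: User "(@[0-9a-f-]+)" disconnected')
# File name layout ${GUAC_DATE}_${GUAC_TIME}_${GUAC_USERNAME}.rec as used in the thread;
# one or more underscores are tolerated before the username.
RECNAME_RE = re.compile(r'(\d{8})_(\d{6})_+(.+)\.rec$')


def parse_recording_name(path: str) -> Optional[dict]:
    """Extract username and start time from a recording file name built from the
    date/time/username tokens. Returns None if the name does not follow that layout."""
    m = RECNAME_RE.search(path.rsplit("/", 1)[-1])
    if not m:
        return None
    date, time, username = m.groups()
    return {"username": username, "started": datetime.strptime(date + time, "%Y%m%d%H%M%S")}


def correlate(log_text: str) -> list[dict]:
    """Return one record per user-join event, enriched with the username and start time
    from the most recent recording line logged by the same PID (assumption: one guacd
    child process per connection). Fields stay None when no recording line exists."""
    recording_by_pid: dict[str, dict] = {}
    open_by_user: dict[tuple[str, str], dict] = {}
    sessions: list[dict] = []
    for line in log_text.splitlines():
        if m := RECORDING_RE.search(line):
            pid, path = m.groups()
            info = parse_recording_name(path)
            if info:
                recording_by_pid[pid] = info
        elif m := JOIN_RE.search(line):
            pid, user_id, conn_id = m.groups()
            info = recording_by_pid.get(pid)
            rec = {
                "pid": pid,
                "user_id": user_id,
                "connection_id": conn_id,
                "username": info["username"] if info else None,
                "started": info["started"] if info else None,
                "disconnected": False,
            }
            sessions.append(rec)
            open_by_user[(pid, user_id)] = rec
        elif m := LEAVE_RE.search(line):
            pid, user_id = m.groups()
            rec = open_by_user.pop((pid, user_id), None)
            if rec:
                rec["disconnected"] = True
    return sessions


def unresolved(sessions: list[dict]) -> list[dict]:
    """Sessions whose @guid could not be mapped to a username: these are the cases
    where only the database (guacamole_connection_history) can answer 'who'."""
    return [s for s in sessions if s["username"] is None]


if __name__ == "__main__":
    for s in correlate(SAMPLE_LOG):
        who = s["username"] or "UNRESOLVED"
        when = s["started"].isoformat() if s["started"] else "no timestamp"
        print(f'{s["user_id"]} -> {who} on {s["connection_id"]} at {when} (left: {s["disconnected"]})')
```

Sessions that come back unresolved are exactly the ones the thread is about: without the recording tokens (or a timestamped log format), the `@guid` in guacd's log cannot be tied to a person, and the `guacamole_connection_history` table remains the place to look.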
