feat: add ttyrecStealthStdoutPattern config

Commands that generate a lot of stdout output and are M2M workflows, such as rsync, can now be excluded from ttyrec to avoid filling up drives
ovh · Feb 20, 2024 · f022bd9 · f022bd9
1 parent fd6850c
commit f022bd9
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 3 deletions.
diff --git a/bin/shell/osh.pl b/bin/shell/osh.pl
@@ -470,6 +470,10 @@ sub main_exit {
       "Can't specify both --generate-mfa-token and --mfa-token";
 }
 
+if ($tty && $notty) {
+    main_exit OVH::Bastion::EXIT_CONFLICTING_OPTIONS, "tty_notty", "Options -t and -T are mutually exclusive";
+}
+
 # if proactive MFA has been requested, do it here, before the code diverts to either
 # handling interactive session, plugins/osh commands, or a connection request
 if ($proactiveMfa) {
@@ -1338,11 +1342,18 @@ sub main_exit {
         osh_debug("idle_timeout: finally using " . $idleTimeout{$timeout} . " for $timeout");
     }
 
+    # if $command matches this option, set stealth_stdout for ttyrec
+    my $stealth_stdout = 0;
+    if (my $ttyrecStealthStdoutPattern = OVH::Bastion::config("ttyrecStealthStdoutPattern")->value) {
+        $stealth_stdout = $command =~ $ttyrecStealthStdoutPattern;
+    }
+
     # adjust the ttyrec cmdline with these parameters
     $ttyrec_fnret = OVH::Bastion::build_ttyrec_cmdline_part2of2(
         input           => $ttyrec_fnret->value,
         idleLockTimeout => $idleTimeout{'lock'},
-        idleKillTimeout => $idleTimeout{'kill'}
+        idleKillTimeout => $idleTimeout{'kill'},
+        stealth_stdout  => $stealth_stdout,
     );
     main_exit(OVH::Bastion::EXIT_TTYREC_CMDLINE_FAILED, "ttyrec_failed", $ttyrec_fnret->msg) if !$ttyrec_fnret;
     @ttyrec = @{$ttyrec_fnret->value->{'cmd'}};

diff --git a/doc/sphinx/administration/configuration/bastion_conf.rst b/doc/sphinx/administration/configuration/bastion_conf.rst
@@ -65,6 +65,7 @@ Options to customize how logs should be produced.
 - `enableAccountSqlLog`_
 - `ttyrecFilenameFormat`_
 - `ttyrecAdditionalParameters`_
+- `ttyrecStealthStdoutPattern`_
 
 Other ingress policies options
 ------------------------------
@@ -515,6 +516,19 @@ ttyrecAdditionalParameters
 
 Additional parameters you want to pass to ``ttyrec`` invocation. Useful, for example, to enable on-the-fly compression, disable cheatcodes, or set/unset any other ``ttyrec`` option. This is an ARRAY, not a string.
 
+.. _ttyrecStealthStdoutPattern:
+
+ttyrecStealthStdoutPattern
+**************************
+
+:Type: ``regex``
+
+:Default: ``""``
+
+:Example: ``"^rsync --server .+"``
+
+When this is set to a non-falsy value, this is expected to be a string that will be converted to a regex which will be matched against a potential remote command specified when connecting through SSH to a remote server. If the regex matches, then we'll instruct ttyrec to NOT record stdout for this session.
+
 Other ingress policies
 ----------------------
 

diff --git a/etc/bastion/bastion.conf.dist b/etc/bastion/bastion.conf.dist
@@ -216,6 +216,13 @@
 # DEFAULT: []
 "ttyrecAdditionalParameters": [],
 #
+# ttyrecStealthStdoutPattern (regex)
+#
+#  DESC: When this is set to a non-falsy value, this is expected to be a string that will be converted to a regex which will be matched against a potential remote command specified when connecting through SSH to a remote server. If the regex matches, then we'll instruct ttyrec to NOT record stdout for this session.
+# EXAMPLE: "^rsync --server .+"
+# DEFAULT: ""
+"ttyrecStealthStdoutPattern": "",
+#
 ##########################
 # > Other ingress policies
 # >> Policies applying to the ingress connections

diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm
@@ -1141,8 +1141,6 @@ sub build_ttyrec_cmdline_part1of2 {
     push @ttyrec, '-v' if $params{'debug'};
     push @ttyrec, '-T', 'always' if $params{'tty'};
     push @ttyrec, '-T', 'never'  if $params{'notty'};
-    push @ttyrec, '--stealth-stdout' if $params{'stealth_stdout'};
-    push @ttyrec, '--stealth-stderr' if $params{'stealth_stderr'};
 
     my $fnret = OVH::Bastion::account_config(
         account => $params{'account'},
@@ -1194,6 +1192,9 @@ sub build_ttyrec_cmdline_part2of2 {
         }
     }
 
+    push @cmd, '--stealth-stdout' if $params{'stealth_stdout'};
+    push @cmd, '--stealth-stderr' if $params{'stealth_stderr'};
+
     my $ttyrecAdditionalParameters = OVH::Bastion::config('ttyrecAdditionalParameters')->value;
     push @cmd, @$ttyrecAdditionalParameters if @$ttyrecAdditionalParameters;
 

diff --git a/lib/perl/OVH/Bastion/configuration.inc b/lib/perl/OVH/Bastion/configuration.inc
@@ -162,6 +162,7 @@ sub load_configuration {
         {name => 'accountExpiredMessage', default => '', validre => qr/^(.*)$/, emptyok => 1},
         {name => 'fanciness', default => 'full', validre => qr/^((none|boomer)|(basic|millenial)|(full|genz))$/},
         {name => 'accountExternalValidationProgram', default => '', validre => qr'^([a-zA-Z0-9/$_.-]*)$', emptyok => 1},
+        {name => 'ttyrecStealthStdoutPattern', default => '', validre => qr'^(.{0,4096})$', emptyok => 1},
       )
     {
         if (!$C->{$o->{'name'}} && !$o->{'emptyok'}) {