rails/web-console

Command logs

alienxp03 opened this issue · 7 comments

Is there a way to know which command is being executed? This will be extremely helpful for logging purposes.

This is a good idea! Where would you want to see those entries? The rails log itself?

I'm not sure what would be the good practice here. My ideal usage would be to know which command was run, and who ran the command. That way I can audit the logs later on in case there's any security concern. Most probably log the output to log/web_console.log?

The console, at least in this shape and form, is not intended to be run outside of development. The IP based authorization is not strong enough for the RCE that the console opens up. Are you on a remote page for live-debug setup in a way?

I see. It's more like I want to use this gem outside of the development environment, actually. Internal usage only, very restricted usage. I know how dangerous it sounds, so I'm just looking around at the moment, to see whether it's worth it to allow such action to the developers. One of the benefits of doing it this way is that they can still run Rails commands on each environment, without giving them ssh access to the real server.

Effectively, you are giving them access with the same permissions as the OS user that runs the server. You can always shell out in Ruby with system and the like and run anything you want on the development server. This time, even skipping the authentication that SSH does securely.

Points taken. Not to dismiss anything, but that's the reason why I was looking for a way to capture the logs.

My original question was to see whether capturing logs is possible assuming I'm running this outside of development. Since this gem is only intended for development purposes, I don't see any reason why I would want to capture the logs.

Thanks a lot for the clarification @gsamokovarov. Feel free to close the issue :)

@gsamokovarov Thanks a lot for the clarification and for this excellent project!
I would like to have a follow-up on this topic too, since we are planning to use web-console in production (for security, we only allow IPs from a private subnet and launch a one-time task that opens web-console at a unique endpoint when we want to run some tasks).
It would be extremely useful if we could do the audit with the log as @alienxp03 brought up here. Is there any chance of that feature coming out in the future? Or, if possible, could you suggest any path that we can take for auditing purposes?
Best regards,