[ https://issues.apache.org/jira/browse/GUACAMOLE-2047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rik Giles updated GUACAMOLE-2047:
---------------------------------
    Description: 
The default logging implementation of Guacamole client does not record 
sufficient information for security monitoring.

Adding the following telemetry would enable security engineers to create 
detection rules in SIEMs to generate alerts for suspicious behavior:
 * Event (open/close connection)
 * Source IP address (X-FORWARDED-FOR)
 * Source Username (from Guacamole session)
 * Destination IP address (of connection object)
 * Destination Username (used to authenticate with connection object)
 * Protocol (SSH/VNC/RDP)

This proposed feature can be achieved through the use of 
`org.apache.guacamole.net.event.TunnelConnectEvent` and can be implemented as 
an optional extension (as per guacamole-auth-ldap, guacamole-vault etc.)

  was:
The default logging implementation of Guacamole client does not record 
sufficient information for security monitoring.

Adding the following telemetry would enable security engineers to create 
detection rules in SIEMs to generate alerts for suspicious behavior:
 * Event (open/close connection)
 * Source IP address (X-FORWARDED-FOR)
 * Source Username (from Guacamole session)
 * Destination IP address (of connection object)
 * Destination Username (used to authenticate with connection object)
 * Protocol (SSH/VNC/RDP)

This proposed feature can be achieved through the use of `TunnelConnectEvent` 
in `org.apache.guacamole.net.event` and can be implemented as an optional 
extension (as per guacamole-auth-ldap, guacamole-vault etc.)


> Enhance logging for security monitoring
> ---------------------------------------
>
>                 Key: GUACAMOLE-2047
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2047
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole-client
>            Reporter: Rik Giles
>            Priority: Trivial
>
> The default logging implementation of Guacamole client does not record 
> sufficient information for security monitoring.
> Adding the following telemetry would enable security engineers to create 
> detection rules in SIEMs to generate alerts for suspicious behavior:
>  * Event (open/close connection)
>  * Source IP address (X-FORWARDED-FOR)
>  * Source Username (from Guacamole session)
>  * Destination IP address (of connection object)
>  * Destination Username (used to authenticate with connection object)
>  * Protocol (SSH/VNC/RDP)
>  
> This proposed feature can be achieved through the use of 
> `org.apache.guacamole.net.event.TunnelConnectEvent` and can be implemented as 
> an optional extension (as per guacamole-auth-ldap, guacamole-vault etc.)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
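
A detection rule of the kind the issue describes, run over constructed sample events, as an added example that is not part of the original message or of Guacamole: it flags a Guacamole user who opens connections to many distinct destinations within a short window. The JSON-lines layout, the key names and the `time` field are assumptions; the issue lists the fields but defines no log format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# The six fields proposed in the issue; key names and "time" are assumptions.
REQUIRED = ("time", "event", "src_ip", "src_user", "dst_ip", "dst_user", "protocol")

def _rec(time, event, src_user, dst_ip, protocol):
    return json.dumps(dict(zip(REQUIRED, (time, event, "198.51.100.7", src_user,
                                          dst_ip, "svc-admin", protocol))))

# Constructed sample log (one JSON object per line), not real Guacamole output.
SAMPLE_LOG = "\n".join([
    _rec("2025-01-10T09:00:05", "open", "alice", "10.0.0.11", "SSH"),
    _rec("2025-01-10T09:00:40", "open", "alice", "10.0.0.12", "SSH"),
    _rec("2025-01-10T09:01:10", "close", "alice", "10.0.0.11", "SSH"),
    '{"time": "2025-01-10T09:01:20", "event": "op',  # truncated record
    _rec("2025-01-10T09:01:30", "open", "bob", "10.0.0.20", "RDP"),
    _rec("2025-01-10T09:02:00", "open", "alice", "10.0.0.13", "RDP"),
    _rec("2025-01-10T09:02:45", "open", "alice", "10.0.0.14", "VNC"),
])

def parse_events(text):
    """Parse JSON lines; skip malformed or incomplete records instead of failing."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            if not all(key in ev for key in REQUIRED):
                continue
            ev["time"] = datetime.fromisoformat(ev["time"])
        except (ValueError, TypeError):
            continue
        events.append(ev)
    return sorted(events, key=lambda ev: ev["time"])

def fan_out_alerts(events, max_destinations=3, window=timedelta(minutes=5)):
    """Flag a source user opening connections to too many distinct destinations."""
    recent, alerts = defaultdict(list), []
    for ev in events:
        if ev["event"] != "open":
            continue
        opens = [(t, d) for t, d in recent[ev["src_user"]] if ev["time"] - t <= window]
        opens.append((ev["time"], ev["dst_ip"]))
        destinations = sorted({d for _, d in opens})
        if len(destinations) > max_destinations:
            alerts.append({"src_user": ev["src_user"], "time": ev["time"], "destinations": destinations})
            opens = []  # start a new burst so one fan-out raises one alert
        recent[ev["src_user"]] = opens
    return alerts
```

The rule keys on the session username rather than `src_ip`, because an address taken from X-Forwarded-For is only as trustworthy as the proxy that sets the header.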
