[ https://issues.apache.org/jira/browse/GUACAMOLE-2047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17945189#comment-17945189 ]
Mike Jumper commented on GUACAMOLE-2047:
----------------------------------------

Looking at the provided {{ConnectionLogger.java}}, I see some issues that would need to be addressed:

* There is no guarantee that an underlying protocol provides {{username}} and {{hostname}} parameters, nor that those parameters are the most relevant.
* It's probably not great to throw an exception if the socket is not an instance of {{ConfiguredGuacamoleSocket}}. It would be better to pull the information if available, and log the absence of that information otherwise. It might also be necessary to build in additional plumbing for this (or an underlying interface) rather than relying on a specific concrete implementation like {{ConfiguredGuacamoleSocket}}.

If the main concern here is that you want connection parameters like "hostname" and "username" to be included in the webapp logs?

> Enhance logging for security monitoring
> ---------------------------------------
>
>                 Key: GUACAMOLE-2047
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2047
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole-client
>            Reporter: Rik Giles
>            Priority: Trivial
>         Attachments: ConnectionLogger.java
>
>
> The default logging implementation of Guacamole client does not record
> sufficient information for security monitoring.
> Adding the following telemetry would enable security engineers to create
> detection rules in SIEMs to generate alerts for suspicious behavior:
> * Event (open/close connection)
> * Source IP address (X-FORWARDED-FOR)
> * Source Username (from Guacamole session)
> * Destination IP address (of connection object)
> * Destination Username (used to authenticate with connection object)
> * Protocol (SSH/VNC/RDP)
>
> This proposed feature can be achieved through the use of
> `org.apache.guacamole.net.event.TunnelConnectEvent` and can be implemented as
> an optional extension (as per guacamole-auth-ldap, guacamole-vault etc.)
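One way a listener could address both points raised in the comment above, as an added example (this is not the attached ConnectionLogger.java and not Guacamole project code): it logs whatever the socket exposes and records absences instead of throwing. The class name `TolerantConnectionLogger` and the key=value log format are assumptions; the extension manifest needed to register the listener is omitted.

```java
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.GuacamoleSocket;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.event.TunnelCloseEvent;
import org.apache.guacamole.net.event.TunnelConnectEvent;
import org.apache.guacamole.net.event.listener.Listener;
import org.apache.guacamole.protocol.ConfiguredGuacamoleSocket;
import org.apache.guacamole.protocol.GuacamoleConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical listener: logs tunnel open/close without assuming any parameter exists. */
public class TolerantConnectionLogger implements Listener {
    private static final Logger logger = LoggerFactory.getLogger(TolerantConnectionLogger.class);

    @Override
    public void handleEvent(Object event) throws GuacamoleException {
        if (event instanceof TunnelConnectEvent) {
            TunnelConnectEvent e = (TunnelConnectEvent) event;
            log("open", e.getCredentials(), e.getTunnel().getSocket());
        }
        else if (event instanceof TunnelCloseEvent) {
            TunnelCloseEvent e = (TunnelCloseEvent) event;
            log("close", e.getCredentials(), e.getTunnel().getSocket());
        }
    }

    private void log(String action, Credentials creds, GuacamoleSocket socket) {
        String protocol = null, host = null, user = null;
        // Pull connection details only when the socket exposes them; never throw otherwise.
        if (socket instanceof ConfiguredGuacamoleSocket) {
            GuacamoleConfiguration config = ((ConfiguredGuacamoleSocket) socket).getConfiguration();
            protocol = config.getProtocol();
            host = config.getParameter("hostname"); // null if the protocol defines no such parameter
            user = config.getParameter("username"); // null if absent or not configured
        }
        else
            logger.debug("No configuration on socket {}; destination details omitted.", socket);
        logger.info("event={} src_ip={} src_user={} protocol={} dst_host={} dst_user={}", action,
                clean(creds == null ? null : creds.getRemoteAddress()), // may be null if not known
                clean(creds == null ? null : creds.getUsername()),
                clean(protocol), clean(host), clean(user));
    }

    /** Marks absent values as "-" and replaces control characters so values cannot forge log lines. */
    private static String clean(String value) {
        return value == null ? "-" : value.replaceAll("\\p{Cntrl}", "_");
    }
}
```

A field logged as `-` tells a SIEM rule that the value was unavailable for that connection, which keeps the event usable for detection instead of dropping it.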