JENKINS-41516: Groovy script console actions should be logged


Description

The Groovy script console (/script) does not log actions to the Jenkins log. The actions do not appear to be logged to the system anywhere. This allows an attacker or inside actor to perform actions against a Jenkins server via Groovy script console with no trail of what was done. In our case we had a misconfigured test Jenkins server which allowed open access to /script. Someone injected a bitcoin mining script via the Groovy script console which we found as a running process on the system. There was no log of this event in Jenkins. Now the misconfiguration of our test server was a big mistake, but not having logs as a way to audit the specific actions that were performed is a big mistake on the part of Jenkins core which can amplify a user's mistake.


Activity

fromonesrc Adam Ochonicki created issue
fromonesrc Adam Ochonicki made changes:
  Labels: groovy logging script security
rtyler R. Tyler Croy made changes:
  Component/s: core [ 15593 ] -> core [ 21434 ]
  Key: WEBSITE-294 -> JENKINS-41516
  Workflow: WEBSITE: Software Development Workflow [ 215535 ] -> JNJira + In-Review [ 215536 ]
  Project: Jenkins Website [ 10401 ] -> Jenkins [ 10172 ]
  Status: To Do [ 10003 ] -> Open [ 1 ]
rtyler R. Tyler Croy added a comment:

The WEBSITE project pertains to documentation and jenkins.io; please use the JENKINS project in JIRA for tickets such as this.

rtyler R. Tyler Croy made changes:
  Labels: groovy logging script security
fromonesrc Adam Ochonicki added a comment:

Sorry, I don't know how that was set. When I tried to change it after the fact I didn't see a way to edit. Thanks for fixing.

danielbeck Daniel Beck added a comment:

Now the misconfiguration of our test server was a big mistake but not having logs as a way to audit the specific actions that were performed is a big mistake on the part of Jenkins core which can amplify a user's mistake.

While it would be a useful improvement to log script console messages, this would not fix a lot in your situation: script console access allows an attacker to (mostly) trivially wipe all traces of their attack. It's not just "run any program": since it runs inside the Jenkins process, it can just wipe all logging related to these actions (including making private fields accessible etc. to achieve this).

Unless there's an external append-only log of sorts configured, no improvements here are likely to substantially improve the situation. And once you need an admin to take action to protect themselves, it's easier to secure Jenkins properly.

danielbeck Daniel Beck made changes:
  Issue Type: Bug [ 1 ] -> Improvement [ 4 ]
  Labels: logging security
  Summary: Groovy script console actions not logged -> Groovy script console actions should be logged
danielbeck Daniel Beck made changes:
  Assignee: Daniel Beck [ danielbeck ]
fromonesrc Adam Ochonicki added a comment:

With a proper external log shipping setup, log wiping becomes less of a concern. Yes, securing Jenkins is very important, but that is not the only reason to implement logging on the script console. My particular case of our unsecured test Jenkins instance was simply to illustrate one of many legitimate cases where logging the console script actions is important. Not just to investigate malicious activity, but troubleshooting Jenkins problems or auditing for internal control purposes.

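Daniel Beck's point that anything logged inside the Jenkins process can be erased by the same script, and Adam Ochonicki's reply that shipped external logs blunt that, both argue for a record Jenkins itself cannot rewrite. The following Python is an added example, not code from this issue or from Jenkins: it scans a reverse proxy's access log (Apache/Nginx combined format) for submissions to the script console, which is a check a defender can run over logs shipped off the host. It assumes a proxy in front of Jenkins that does not rewrite the /script path (and /scriptText, the same console's plain-text endpoint), and the log lines are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Apache/Nginx "combined" access-log format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Endpoints that run submitted Groovy: /script is the form named in the issue,
# /scriptText is the same console's plain-text endpoint (used by the CLI and curl).
CONSOLE_PATHS = ("/script", "/scriptText")

@dataclass
class ConsoleEvent:
    ip: str
    user: str
    time: str
    path: str
    status: str

def find_script_console_posts(lines: Iterable[str], context_path: str = "") -> List[ConsoleEvent]:
    """Return every POST to a script console endpoint, in log order.
    GETs are ignored (opening the form is not an execution). context_path is the
    prefix Jenkins is served under (e.g. "/jenkins"); it is stripped before matching
    so an unrelated path that merely ends in /script is not flagged."""
    events: List[ConsoleEvent] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or a request that submits nothing
        path = m["path"].split("?", 1)[0].rstrip("/")
        if context_path and path.startswith(context_path):
            path = path[len(context_path):]
        if path in CONSOLE_PATHS:
            events.append(ConsoleEvent(m["ip"], m["user"], m["time"], path, m["status"]))
    return events

# Constructed sample lines (not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jan/2017:10:01:02 +0000] "GET /script HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [27/Jan/2017:10:01:40 +0000] "POST /script HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Jan/2017:10:02:11 +0000] "POST /scriptText HTTP/1.1" 200 12 "-" "curl/7.52.1"',
    '10.0.0.8 - alice [27/Jan/2017:10:03:00 +0000] "GET /job/build/1/console HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    "not an access-log line at all",
]
if __name__ == "__main__":
    for ev in find_script_console_posts(SAMPLE_LOG):
        print(f"{ev.time} {ev.ip} user={ev.user} POST {ev.path} -> HTTP {ev.status}")
```

The proxy log records who submitted a script and when, but not the script body; it only tells you that the console was used, which is the trail the issue says Jenkins itself did not leave.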
recover Paul Deauna made changes:
  Status: Open [ 1 ] -> In Progress [ 3 ]
recover Paul Deauna made changes:
  Status: In Progress [ 3 ] -> In Review [ 10005 ]
danielbeck Daniel Beck made changes:
  Status: In Review [ 10005 ] -> In Progress [ 3 ]
danielbeck Daniel Beck made changes:
  Status: In Progress [ 3 ] -> Open [ 1 ]
danielbeck Daniel Beck made changes:
  Link: This issue is duplicated by JENKINS-62397 [ JENKINS-62397 ]
danielbeck Daniel Beck made changes:
  Labels: logging security -> logging lts-candidate security
timja Tim Jacomb made changes:
  Labels: logging lts-candidate security -> logging security
danielbeck Daniel Beck made changes:
  Labels: logging security -> logging lts-candidate security

People

Assignee: danielbeck Daniel Beck
Reporter: fromonesrc Adam Ochonicki
Votes: 1
Watchers: 5
