Logging a PSSession

This topic contains 5 replies, has 3 voices, and was last updated by Warren Frame 3 years, 9 months ago.

  • #8559
    Warren Frame
    Participant

    Hi all,

    TL;DR – is there a way to pull the definition for the script or script block that Invoke-Command runs, in the context of the remote session?

    I'm working on building a framework for delegated, constrained endpoints in our organization.  The basic idea would be to provide granular access to end users who cannot be provided this access through the system itself.

    I would like to head off any requests to log this activity.  Presumably management will want to know who initiates commands if the commands run with a service account.

    It seems like interactive sessions are easy enough to handle by adding logging functions to the end block of out-default (or all the commands necessary for interactive sessions), assuming I don't whitelist anything that precludes the use of this.

    I'm having trouble logging everything that takes place from Invoke-Command.  Ideally, I could call some variable that stores the definition of the scriptblock or script being run in the session.  Another option would be to add a logging function to the functions I define.  This is a bit of a pain as $myinvocation.line does not appear to be populated in remote sessions.

    Any suggestions?  Has anyone else set up a logging system for delegated sessions?  Your insight would be greatly appreciated!

  • #8563
    Art Beane
    Member

    I mostly use it with scheduled tasks and not invoked script blocks, but see if Start-Transcript might solve this for you. http://technet.microsoft.com/en-us/library/hh849687.aspx

  • #8565
    Warren Frame
    Participant

    I don't believe this will work with Start-Transcript.

    To clarify, the logging needs to take place within the remote session.  My issue is that within the remote session, I'm having trouble identifying what code was called from the invoke-command that spawned the session.

  • #8580
    Don Jones
    Keymaster

    You can't easily access that from the remote session. Keep in mind that the remote computer isn't running familiar old PowerShell.exe; it's running wsmprovhost.exe, which doesn't offer all the same features as the full console. So it's not like you've done a Telnet into a remote copy of PowerShell. The product isn't currently geared to provide logging like you're looking for, although there are third-party proxy solutions (BeyondTrust makes one) that basically act as a middleman, and capture/log/authorize commands as you send them.

Now what you might be able to try (just thinking aloud, I've not tried this yet) is create a CUSTOM remoting endpoint that runs some kind of script or something on startup, BEFORE any incoming commands are run. That might be a key to getting hold of those commands, although I'm not quite sure how you'd do so. A DEFINITE option would be to program your own host, and register IT as an endpoint instead of wsmprovhost.exe. That'd take C# programming, but it would let you do whatever you wanted.

  • #8581
    Warren Frame
    Participant

    Hi Don,

    Thanks for the confirmation!  Haven't had any luck setting this up in the startup script, will keep digging.


    Note to Microsoft:

    Providing the ability to run everything with delegated credentials is handy.  Adding some sort of simple to use logging / auditing to this would make it valuable.  As it is, I can tell you many management folk will be hesitant to open up this sort of functionality if we can't see who did what, regardless of how locked down the endpoint is.

    Cheers!

  • #8606
    Warren Frame
    Participant

    For those of you who stumble on this, assuming Microsoft does not address the situation, I have rudimentary logging up and running in an example startup script here.

    It uses a few basic functions and messy logic.  Basically:

    • Start-Log creates or appends to a log indicating a connection has been established.
    • Check-InvokeCommand checks if a session is using Invoke-Command (i.e. whether we can rely on history)
    • If using interactive remoting, create public proxies that call 'Write-Log' in the end block
    • Write-Log writes to a log file with the command run (based on history or a string), runas account for the session, who is connected to the session, date
    • Logic is included in functions we define that gets the command, parameters, and their values programmatically, or using the history depending on whether running in interactive session.  Could probably make a function out of this, got lazy : )

    The end result is that I get logging from enter-pssession and invoke-command.  My apologies for the messiness, just getting the ball rolling, will refine from here or hope for a solution from Microsoft or the community!
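The following is an added example, not the startup script the poster links to and not Microsoft code. It shows the part of the approach above that works the same for Enter-PSSession and Invoke-Command: every function the endpoint exposes logs its own name and bound parameters, plus who is connected ($PSSenderInfo) and the identity the session actually runs under, from inside the remote session. $MyInvocation.MyCommand.Name and $PSBoundParameters are populated in a remote session even though $MyInvocation.Line is not. The log path, the Restart-DelegatedService function and the service names it allows are illustrative assumptions; restricting which commands are visible at all is a separate step (for example a session configuration file created with New-PSSessionConfigurationFile -SessionType RestrictedRemoteServer and -VisibleFunctions).

```powershell
# DelegatedStartup.ps1 (added example; not the original poster's script).
# Register it as the startup script of a custom session configuration so it
# runs inside the remote session before any user command does.

$global:DelegatedLogPath = 'C:\Logs\DelegatedEndpoint.log'   # assumed log location

function Write-Log {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Command)

    # $PSSenderInfo exists only inside a remote session; fall back for local testing.
    $caller = if ($PSSenderInfo) { $PSSenderInfo.UserInfo.Identity.Name } else { 'local' }
    # Identity the session runs under: the RunAs account when one is configured.
    $runAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    $entry = @((Get-Date).ToString('u'), $caller, $runAs, $Command) -join "`t"
    $dir = Split-Path -Path $global:DelegatedLogPath -Parent
    if (-not (Test-Path -Path $dir)) {
        New-Item -Path $dir -ItemType Directory -Force | Out-Null
    }
    Add-Content -Path $global:DelegatedLogPath -Value $entry
}

function Format-Invocation {
    # Rebuilds "Name -Param value ..." from the caller's $MyInvocation and
    # $PSBoundParameters, which remote sessions do populate.
    param(
        [Parameter(Mandatory = $true)]$Invocation,
        [Parameter(Mandatory = $true)][System.Collections.IDictionary]$BoundParameters
    )
    $parts = foreach ($kv in $BoundParameters.GetEnumerator()) {
        '-{0} {1}' -f $kv.Key, ($kv.Value -join ',')
    }
    ('{0} {1}' -f $Invocation.MyCommand.Name, ($parts -join ' ')).Trim()
}

# One delegated action exposed to end users (hypothetical). Every exposed
# function logs itself the same way before doing its work.
function Restart-DelegatedService {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Spooler', 'W32Time')]
        [string]$Name
    )
    Write-Log -Command (Format-Invocation -Invocation $MyInvocation -BoundParameters $PSBoundParameters)
    Restart-Service -Name $Name
}

# Record that a session was established, whichever way it was opened.
Write-Log -Command 'SESSION START'
```

Register the endpoint once, elevated, on the target machine with something like `Register-PSSessionConfiguration -Name Delegated -StartupScript C:\Scripts\DelegatedStartup.ps1 -RunAsCredential (Get-Credential) -ShowSecurityDescriptorUI -Force` (the name, path and account are assumed). A client call such as `Invoke-Command -ComputerName srv01 -ConfigurationName Delegated -ScriptBlock { Restart-DelegatedService -Name Spooler }` then produces a tab-separated line containing the timestamp, the connecting user, the RunAs identity and `Restart-DelegatedService -Name Spooler`. Two practical caveats: the log directory must be writable by the RunAs account and not by the delegated users, otherwise the people being audited can edit the audit trail; and this only records functions you wrote to log themselves, so anything else left visible in the endpoint goes unrecorded. On PowerShell 5.0 and later, New-PSSessionConfigurationFile accepts -TranscriptDirectory, which transcribes everything run in the endpoint and largely answers the request in the "Note to Microsoft" above.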
