summaryrefslogtreecommitdiffhomepage
path: root/control/controlhttp/controlhttpserver/controlhttpserver.go
diff options
context:
space:
mode:
authorJames Tucker <james@tailscale.com>2026-01-05 15:18:23 -0800
committerJames Tucker <jftucker@gmail.com>2026-01-05 16:53:05 -0800
commit39a61888b8b39f443c9a97a66ab538ff011f4e36 (patch)
tree669d14e79af40b70572da9fe9b6b9d7ee6350851 /control/controlhttp/controlhttpserver/controlhttpserver.go
parentb7081522e7b90468468b037449ce7c7f9b357e52 (diff)
downloadtailscale-39a61888b8b39f443c9a97a66ab538ff011f4e36.tar.xz
tailscale-39a61888b8b39f443c9a97a66ab538ff011f4e36.zip
ssh/tailssh: send audit messages on SSH login (Linux)
Send LOGIN audit messages to the kernel audit subsystem on Linux when users successfully authenticate to Tailscale SSH. This provides administrators with audit trail integration via auditd or journald, recording details about both the Tailscale user (whois) and the mapped local user account. The implementation uses raw netlink sockets to send AUDIT_USER_LOGIN messages to the kernel audit subsystem. It requires CAP_AUDIT_WRITE capability, which is checked at runtime. If the capability is not present, audit logging is silently skipped. Audit messages are sent to the kernel (pid 0) and consumed by either auditd (written to /var/log/audit/audit.log) or journald (available via journalctl _TRANSPORT=audit), depending on system configuration. Note: This may result in duplicate messages on a system where auditd/journald audit logs are enabled and the system has and supports `login -h`. Sadly Linux login code paths are still an inconsistent wild west so we accept the potential duplication rather than trying to avoid it. Fixes #18332 Signed-off-by: James Tucker <james@tailscale.com>
Diffstat (limited to 'control/controlhttp/controlhttpserver/controlhttpserver.go')
0 files changed, 0 insertions, 0 deletions