
The ContainerSSH Audit Log Format, version 1 (draft)

The ContainerSSH audit log is stored in CBOR + GZIP format. You will first need to decode the GZIP container and then the CBOR format.

Note

We provide a Go library to decode the audit log format. Check out the details on GitHub.

The main element of the CBOR container is an array of messages where each message has the following format:

Message {
    ConnectionID []byte # opaque binary value
                        # that uniquely identifies the connection

    Timestamp    int64  # nanosecond timestamp when this message happened

    MessageType  int32  # message type identifier (see below)

    Payload      map    # Map of details. See payload structure below

    ChannelID    int64  # Channel identifier.
                        # -1 if the message is not related to a channel
}

The audit log protocol has the following message types at this time:

| Message type ID | Name | Description | Payload type |
|---|---|---|---|
| 0 | Connect | TCP connection established | PayloadConnect |
| 1 | Disconnect | TCP connection closed | none |
| 100 | AuthPassword | Password authentication attempt | PayloadAuthPassword |
| 101 | AuthPasswordSuccessful | Successful password authentication | PayloadAuthPassword |
| 102 | AuthPasswordFailed | Failed password authentication | PayloadAuthPassword |
| 103 | AuthPasswordBackendError | Backend failed to respond | PayloadAuthPasswordBackendError |
| 104 | AuthPubKey | Public key authentication attempt | PayloadAuthPubKey |
| 105 | AuthPubKeySuccessful | Successful public key authentication | PayloadAuthPubKey |
| 106 | AuthPubKeyFailed | Failed public key authentication | PayloadAuthPubKey |
| 107 | AuthPubKeyBackendError | Backend failed to respond | PayloadAuthPubKeyBackendError |
| 200 | GlobalRequestUnknown | Unknown global request received | PayloadGlobalRequestUnknown |
| 300 | NewChannel | Requesting a new SSH channel | PayloadNewChannel |
| 301 | NewChannelSuccessful | New SSH channel successful | PayloadNewChannelSuccessful |
| 302 | NewChannelFailed | New SSH channel failed | PayloadNewChannelFailed |
| 400 | ChannelRequestUnknownType | A channel request of unknown type | PayloadChannelRequestUnknownType |
| 401 | ChannelRequestDecodeFailed | An invalid request payload was received | PayloadChannelRequestDecodeFailed |
| 402 | ChannelRequestSetEnv | An environment variable was requested | PayloadChannelRequestSetEnv |
| 403 | ChannelRequestExec | A program execution was requested | PayloadChannelRequestExec |
| 404 | ChannelRequestPty | An interactive terminal was requested | PayloadChannelRequestPty |
| 405 | ChannelRequestShell | A shell was requested | none |
| 406 | ChannelRequestSignal | A signal was sent | PayloadChannelRequestSignal |
| 407 | ChannelRequestSubsystem | A subsystem (e.g. SFTP) was requested | PayloadChannelRequestSubsystem |
| 408 | ChannelRequestWindow | Window size change | PayloadChannelRequestWindow |
| 499 | ChannelExit | The program running has exited | PayloadExit |
| 500 | Channel I/O | I/O event | PayloadIO |
| 501 | RequestFailed | A global or channel request has failed | PayloadRequestFailed |

Note

When writing a decoder, your decoder should ignore unknown fields and message codes as the format may be extended to accommodate new ContainerSSH features.
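A minimal decoder for the steps above (GZIP, then CBOR, then the array of messages) that tolerates unknown message codes and fields. This is an added example, not ContainerSSH's own code. It assumes each message is a CBOR map keyed by the field names shown on this page, implements only the CBOR subset the constructed sample needs, and masks `Password` because PayloadAuthPassword carries the submitted password bytes.

```python
import gzip

MESSAGE_TYPES = {0: "Connect", 102: "AuthPasswordFailed"}  # subset of the table above

def cbor_decode(buf, pos=0):
    """Decode one definite-length CBOR item; returns (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if major == 7 and info in (20, 21, 22):         # false / true / null
        return {20: False, 21: True, 22: None}[info], pos
    if major > 5 or info > 27:
        raise ValueError("unsupported CBOR item 0x%02x" % buf[pos - 1])
    arg = info
    if info >= 24:                                  # 1, 2, 4 or 8 byte argument
        size = 1 << (info - 24)
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if major < 2:                                   # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major < 4:                                   # byte string / text string
        raw = buf[pos:pos + arg]
        if len(raw) != arg:
            raise ValueError("truncated CBOR string")
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    items = []
    for _ in range(arg * (major - 3)):              # a map holds two items per pair
        item, pos = cbor_decode(buf, pos)
        items.append(item)
    return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos

def read_audit_log(blob):
    """GZIP container -> CBOR array of messages -> list of event dicts."""
    messages, _ = cbor_decode(gzip.decompress(blob))
    events = []
    for msg in messages:                            # keys not read here are ignored
        payload = dict(msg.get("Payload") or {})
        if "Password" in payload:                   # cleartext credential
            payload["Password"] = "<redacted>"
        code = msg.get("MessageType")
        events.append({"type": MESSAGE_TYPES.get(code, "unknown(%s)" % code),
                       "connection": msg["ConnectionID"].hex(),
                       "channel": msg.get("ChannelID", -1), "payload": payload})
    return events

# Constructed sample, not real data: an AuthPasswordFailed message, then one with an
# unknown type and an extra field. The letter before each key is its CBOR text header.
_HEAD = b"lConnectionID\x44\x01\x02\x03\x04iTimestamp\x1b\x16\x34\x57\x85\xd8\xa0\x00\x00"
_AUTH = b"kMessageType\x18\x66gPayload\xa2hUsernameealicehPassword\x47hunter2iChannelID\x20"
_NEW = b"kMessageType\x19\x27\x0fgPayload\xa0iChannelID\x00fFuture\xf5"
SAMPLE = gzip.compress(b"\x82\xa5" + _HEAD + _AUTH + b"\xa6" + _HEAD + _NEW)
```

`read_audit_log(SAMPLE)` returns two events: the failed password attempt with the password masked, and an `unknown(9999)` event whose extra `Future` field is dropped.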

PayloadConnect

PayloadConnect {
    RemoteAddr string  # IP address of the connecting party 
}

PayloadAuthPassword

PayloadAuthPassword {
    Username string
    Password []byte  # Password can contain special characters, so it's a byte array
}

PayloadAuthPasswordBackendError

PayloadAuthPasswordBackendError {
    Username string
    Password []byte  # Password can contain special characters, so it's a byte array
    Reason   string
}

PayloadAuthPubKey

PayloadAuthPubKey {
    Username string
    Key      []byte  # Public key in OpenSSH wire format
}

PayloadAuthPubKeyBackendError

PayloadAuthPubKeyBackendError {
    Username string
    Key      []byte  # Public key in OpenSSH wire format
    Reason   string
}

PayloadGlobalRequestUnknown

PayloadGlobalRequestUnknown {
    ChannelType string
}

PayloadNewChannel

PayloadNewChannel {
    ChannelType string
}

PayloadNewChannelSuccessful

PayloadNewChannelSuccessful {
    ChannelType string
}

PayloadNewChannelFailed

PayloadNewChannelFailed {
    ChannelType string
    Reason      string  # Freeform message for channel request failure.
                        # Do not rely on this text.
}

PayloadChannelRequestUnknownType

PayloadChannelRequestUnknownType {
    RequestID   uint64
    RequestType string
    Payload     []byte
}

PayloadChannelRequestDecodeFailed

PayloadChannelRequestDecodeFailed {
    RequestID   uint64
    RequestType string
    Payload     []byte
    Reason      string  # Freeform reason message.
                        # Do not rely on this text, it may change between versions.
}

PayloadChannelRequestSetEnv

PayloadChannelRequestSetEnv {
    RequestID uint64
    Name      string
    Value     string
}

PayloadChannelRequestExec

PayloadChannelRequestExec {
    RequestID uint64
    Program   string
}

PayloadChannelRequestPty

PayloadChannelRequestPty {
    RequestID uint64
    Term      string
    Columns   uint32
    Rows      uint32
    Width     uint32
    Height    uint32
    ModeList  []byte
}

PayloadChannelRequestSignal

PayloadChannelRequestSignal {
    RequestID uint64
    Signal    string
}

PayloadChannelRequestSubsystem

PayloadChannelRequestSubsystem {
    RequestID uint64
    Subsystem string
}

PayloadChannelRequestWindow

PayloadChannelRequestWindow {
    RequestID uint64
    Columns   uint32
    Rows      uint32
    Width     uint32
    Height    uint32
}

PayloadIO

PayloadIO {
    Stream uint # 0=stdin, 1=stdout, 2=stderr
    Data   []byte
}

PayloadRequestFailed

PayloadRequestFailed {
    RequestID uint64
    Reason    string
}