PowerShell transcripts should include the configuration name in the transcript header #2890

chunqingchen · 2016-12-15T03:39:18Z

Steps to reproduce

New-PSSessionConfigurationFile -Path .\myJeaConfig.pssc -TranscriptDirectory 'C:\temp\transcripts' -SessionType RestrictedRemoteServer
Register-PSSessionConfiguration -Name JEA -Path .\myJeaconfig.pssc
Enter-PSSession -ComputerName Localhost -ConfigurationName JEA

exit

Expected behavior

PowerShell transcripts currently do not log the configuration name the user used to connect to and manage the machine. For JEA scenarios, this means an auditor trying to understand how someone was able to do a certain command will not know through which endpoint the user entered and was assigned those privileges.

Suggestion is to add a new line to the transcript header similar to the following:

ConfigurationName: MyJEA

[…]
RunAs User: WinRM Virtual Users\WinRM VA_10_PRIV_priv.demo
Configuration Name: JEA
Machine: DC (Microsoft Windows NT 10.0.14393.0)
[…]

Actual behavior

[…]
RunAs User: WinRM Virtual Users\WinRM VA_10_PRIV_priv.demo
Machine: DC (Microsoft Windows NT 10.0.14393.0)
[…]

Environment data

Name Value

PSVersion 5.1.14993.1000
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14993.1000
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

PaulHigin · 2016-12-15T17:30:15Z

src/System.Management.Automation/engine/hostifaces/MshHostUserInterface.cs

+                string[] configurationArray =
+                    senderInfo.ConfigurationName.Split(new char[] {System.IO.Path.DirectorySeparatorChar},
+                        StringSplitOptions.RemoveEmptyEntries);
+                psConfigurationName = configurationArray[configurationArray.Length - 1];


This may be more efficient for extracting the configuration name from the Shell Uri since it only allocates one string instead of multiple string objects:

string shellPrefix = System.Management.Automation.Remoting.Client.WSManNativeApi.ResourceURIPrefix; int index = shelluri.IndexOf(shellPrefix, StringComparison.OrdinalIgnoreCase); return (index == 0) ? shelluri.Substring(shellPrefix.Length) : string.Empty; ``` #Resolved

PaulHigin · 2016-12-15T17:31:32Z

src/System.Management.Automation/engine/remoting/server/serverremotesession.cs

@@ -206,7 +206,7 @@ internal class ServerRemoteSession : RemoteSession
            {
                throw PSTraceSource.NewInvalidOperationException("RemotingErrorIdStrings.NonExistentInitialSessionStateProvider", configurationProviderId);
            }
-
+            senderInfo.ConfigurationName = configurationProviderId;


It would be better to parse the configuration name from the shellUri (configurationProcviderId) here rather than parse it each time later when a transcript header is written. #Resolved

lzybkr · 2016-12-15T18:09:40Z

src/System.Management.Automation/engine/remoting/fanin/PSPrincipal.cs

+        /// <summary>
+        /// Contains the configurationName from the sever remote session
+        /// </summary>
+        public string ConfigurationName


You should prefer auto-properties where possible. #Resolved

chunqingchen · 2016-12-17T05:01:31Z

Thanks @lzybkr, @PaulHigin ! I have incorporated the suggested change. #Resolved

PaulHigin · 2017-01-03T18:37:30Z

src/System.Management.Automation/engine/hostifaces/MshHostUserInterface.cs

@@ -463,6 +467,7 @@ private void LogTranscriptHeader(System.Management.Automation.Remoting.PSSenderI
                    DateTime.Now,
                    username,
                    runAsUser,
+                    psConfigurationName,


psConfigurationName [](start = 20, length = 19)

I believe that this cannot be null. Please make it default to empty string.

@PaulHigin , I belive this is resolved.

chunqingchen · 2017-01-11T01:25:33Z

@PaulHigin the request has been addressed.

mirichmo · 2017-01-11T16:40:33Z

@chunqingchen Please include tests in this PR

SteveL-MSFT

test needs to be added

mirichmo · 2017-02-17T00:21:16Z

@chunqingchen You need to add yourself to Microsoft on GitHub

joeyaiello · 2017-02-17T01:39:41Z

@chunqingchen I suspect you're already in the orgs, you just need to do this (for both PowerShell and Microsoft, though doing Microsoft is what will fix the CLA bot): https://help.github.com/articles/publicizing-or-hiding-organization-membership/

TravisEz13 · 2017-02-23T20:21:55Z

There are open comments that still need to be addressed. See: #2890 (comment)

TravisEz13 · 2017-03-06T21:59:29Z

We have been waiting on author response to PR comments for over a week.

There are open comments that still need to be addressed. See: #2890 (comment)

chunqingchen · 2017-03-07T23:10:00Z

working on the test now

…ranscript header

resolved

TravisEz13 · 2017-03-13T22:05:59Z

@chunqingchen Please don't dismiss (delete) other people reviews. If you believe someone review is bad enough to be dismissed, please talk to a maintainer.

chunqingchen · 2017-03-13T23:37:16Z

@TravisEz13 I meant the reviews are resolved. So dismiss is not the way to say it has been resolved. Got it.

chunqingchen · 2017-03-15T01:02:18Z

@PaulHigin Hi Paul, I talked with Travis and he agrees to merge the commit if you are fine. do you have any more comment about this change?

iSazonov · 2017-03-15T05:36:04Z