This document covers the usage of the `sdm audit` subcommands in the StrongDM CLI. The command examples were run on macOS, with ‘jq’ installed via Homebrew. The same commands apply on Linux; Windows uses different CLI functions and is outside the scope of this document.
Requirements for these examples:
- Install the StrongDM CLI on a local workstation.
- Install ‘jq’, a JSON processor, which is required to select, filter, and search for specific fields in structured JSON output.
Tip: Adding ‘--help’ or ‘-h’ to the end of any ‘sdm’ command explains the options available for that subcommand before you run it.
‘sdm audit’
The ‘sdm audit’ commands allow you to search for logs that have occurred as users have used StrongDM, such as sessions, queries, or simply people auditing.
NAME:
sdm audit - administrative audit commands
USAGE:
sdm audit command [command options] [arguments...]
COMMANDS:
activities extracts the activity log with optional support for following the live log
resources extract resource settings at a specific timestamp
relays extract relay settings at a specific timestamp
permissions extract user permissions at a specific timestamp
queries extracts the query log with optional support for following the live log
ssh extracts SSH captures with optional support for following the live log
rdp extracts RDP captures with optional support for following the live log
kubernetes, k8s extracts kubernetes logs with optional support for following the live log
web, http extracts web logs with optional support for following the live log
cloud extracts cloud logs with optional support for following the live log
tokens extract admin tokens listing at a specific timestamp
users extract user listing at a specific timestamp
roles extract roles listing at a specific timestamp
OPTIONS:
--help, -h show help
‘sdm audit queries’
This example demonstrates using ‘sdm audit queries’ to show queries in an organization that occurred during a specified time window.
sdm audit queries --from 2023-09-01 --to 2023-09-07 -j -e | jq
{
"timestamp": "2023-09-06T16:27:21.574029667Z",
"datasourceID": "rs-4e961234444a8def",
"datasourceName": "staging-postgres-read-only",
"userID": "a-76d7xxxxxx99e61",
"userName": "John Doe",
"rowCount": "1",
"query": "SELECT pg_backend_pid() AS pid",
"hash": "ac316ef84xxxxxxxxxxxxxxxcec20b749c0",
"uuid": "02V1xyVxxxxxxxxxyPLl1o2fS5k",
"datasource_tags": "Creator=TF,Env=demo,bot_app_res=y,team=se",
"SourceIP": "44.123.38.106:3911"
}
In this example we asked the CLI to return all queries from Sept. 1st through Sept. 7th and to output the logs as JSON with the ‘-j’ (or ‘--json’) flag. The ‘-e’ flag requests extended logs. The output is piped into ‘jq’ for processing and human-readable formatting. Now that the logs are parsed by ‘jq’, we can add filters to narrow the search to only queries against the resource named “staging-postgres-read-only”.
sdm audit queries --from 2023-09-01 --to 2023-09-07 -j -e | jq 'select(.datasourceName | contains("staging-postgres-read-only"))'
You may want to use ‘jq’ to filter for specific commands used in the query, or perhaps all searches done by a specific user, as shown in the following examples.
sdm audit queries --from 2023-09-01 --to 2023-09-07 -j -e | jq 'select(.datasourceName | contains("staging-postgres-read-only"))' | jq 'select(.query | contains("drop table"))'
sdm audit queries --from 2023-09-01 --to 2023-09-07 -j -e | jq 'select(.datasourceName | contains("staging-postgres-read-only"))' | jq 'select(.userName | contains("John"))'
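The jq filters above can be reproduced and extended in a short script; the following is an added example, not part of the original page or the StrongDM CLI. It assumes the JSON-lines shape shown above (fields `datasourceName`, `userName`, `query`) and works on a constructed sample log; the `DESTRUCTIVE` pattern and the function names are the example's own.

```python
import json
import re

# Constructed sample in the shape of `sdm audit queries -j -e` output
# (one JSON object per line). IDs, names and IPs are placeholders.
SAMPLE_QUERY_LOG = """
{"timestamp": "2023-09-06T16:27:21.574029667Z", "datasourceName": "staging-postgres-read-only", "userName": "John Doe", "rowCount": "1", "query": "SELECT pg_backend_pid() AS pid", "SourceIP": "44.123.38.106:3911"}
{"timestamp": "2023-09-06T17:02:09.000000000Z", "datasourceName": "staging-postgres-read-only", "userName": "John Doe", "rowCount": "0", "query": "DROP TABLE audit_tmp", "SourceIP": "44.123.38.106:3911"}
{"timestamp": "2023-09-06T18:10:41.000000000Z", "datasourceName": "prod-mysql", "userName": "Jane Roe", "rowCount": "12", "query": "DELETE FROM sessions", "SourceIP": "10.0.0.5:4021"}
""".strip()

# Statement types worth reviewing in a query audit (schema or data changes).
DESTRUCTIVE = re.compile(r"^\s*(drop|truncate|alter|delete|update)\b", re.IGNORECASE)


def parse_query_log(text):
    """Parse JSON-lines output into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def select_queries(records, datasource=None, user=None, query_contains=None):
    """Mirror the jq `select(.field | contains("..."))` filters from the page.

    Datasource and user matches are case-sensitive like jq's contains();
    the query match is case-insensitive so "drop table" also finds "DROP TABLE".
    """
    out = []
    for r in records:
        if datasource and datasource not in r.get("datasourceName", ""):
            continue
        if user and user not in r.get("userName", ""):
            continue
        if query_contains and query_contains.lower() not in r.get("query", "").lower():
            continue
        out.append(r)
    return out


def flag_destructive(records):
    """Return (userName, datasourceName, query) for statements that change data or schema."""
    return [(r["userName"], r["datasourceName"], r["query"])
            for r in records if DESTRUCTIVE.match(r.get("query", ""))]


if __name__ == "__main__":
    # Same narrowing as the page's jq examples, then flag what needs review.
    recs = parse_query_log(SAMPLE_QUERY_LOG)
    for hit in flag_destructive(select_queries(recs, datasource="staging-postgres-read-only")):
        print(hit)
```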
Now that you have a basic understanding of how to output query logs and process them with ‘jq’, let's continue with other examples below.
‘sdm audit ssh’
In this example we use ‘sdm audit ssh’ to list the SSH sessions that occurred during those 2 days, and specifically all SSH sessions by John. The first line returned is the CSV header naming the fields in each row.
sdm audit ssh --from 2023-09-01 --to 2023-09-02 | grep "John"
Time,Server ID,Server Name,User ID,User Name,Duration (ms),Capture ID,Hash,Replay,Command,Remote Identity Username,Source IP
2023-09-06 16:29:56.548022424 +0000 UTC,rs-4ced2xxxxx7a8ded,staging-ssh-ubuntu-ro,a-76d7xxxxxxx99e61,John Doe,0,s2V1yHpcxxxxxxxxxaABCMArFE,1a300f2e597xxxxxxxxxx1ad650541a7,false,,,44.123.38.106:3911
2023-09-06 16:29:55.52931828 +0000 UTC,rs-4cedxxxxx7a8ded,staging-ssh-ubuntu-ro,a-76d7xxxxxxx99e61,John Doe,34969,s2V1yHpcxxxxxxxxxaDEFMArFE,7da4e830de13xxxxxxxxxx4f3af06b36d3,true,,,44.123.38.106:3911
If you wanted to replay one of John's sessions, you would gather its Capture ID from the output and pass it to another ‘sdm’ command, which replays the session in your terminal, as in the next example:
sdm replay ssh s2V1yHpcxxxxxxxxxaABCMArFE
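As an added example (not from the original page or the StrongDM CLI), the following script parses the CSV that `sdm audit ssh` prints, in the shape shown above, and picks out the Capture IDs of a user's sessions whose Replay column is true, which is the manual step the text describes. The third sample row and all IDs are constructed placeholders.

```python
import csv
import io

# Constructed sample in the shape of `sdm audit ssh` output: the CSV header
# followed by one row per session. The first two rows follow the page's
# (masked) sample; the third and all IDs are placeholders.
SAMPLE_SSH_AUDIT = """\
Time,Server ID,Server Name,User ID,User Name,Duration (ms),Capture ID,Hash,Replay,Command,Remote Identity Username,Source IP
2023-09-06 16:29:56.548022424 +0000 UTC,rs-4ced2xxxxx7a8ded,staging-ssh-ubuntu-ro,a-76d7xxxxxxx99e61,John Doe,0,s2V1yHpcxxxxxxxxxaABCMArFE,1a300f2e597xxxxxxxxxx1ad650541a7,false,,,44.123.38.106:3911
2023-09-06 16:29:55.52931828 +0000 UTC,rs-4cedxxxxx7a8ded,staging-ssh-ubuntu-ro,a-76d7xxxxxxx99e61,John Doe,34969,s2V1yHpcxxxxxxxxxaDEFMArFE,7da4e830de13xxxxxxxxxx4f3af06b36d3,true,,,44.123.38.106:3911
2023-09-06 18:01:02.000000000 +0000 UTC,rs-9abcxxxxx12345,prod-ssh-bastion,a-11aaxxxxxxx22bb,Jane Roe,120044,s2V1abcdefxxxxxxxxxGHIJKL,9f9f9f9fxxxxxxxxxxxxxx00000000,true,,,10.0.0.5:4021
"""


def parse_ssh_audit(text):
    """Parse the CSV printed by `sdm audit ssh`; the first line is the header."""
    return list(csv.DictReader(io.StringIO(text)))


def replayable_captures(rows, user_contains):
    """Capture IDs of a user's sessions that have a recording (Replay == true).

    A plain grep on the user name also returns rows with Replay false;
    filtering on the column avoids handing an unrecorded ID to `sdm replay`.
    """
    return [r["Capture ID"] for r in rows
            if user_contains in r["User Name"] and r["Replay"].strip().lower() == "true"]


def replay_commands(rows, user_contains):
    """Build the `sdm replay ssh <capture id>` command for each recorded session."""
    return [f"sdm replay ssh {cid}" for cid in replayable_captures(rows, user_contains)]


def longest_session_ms(rows, user_contains):
    """Longest recorded session duration for a user, useful for picking which replay to review first."""
    durations = [int(r["Duration (ms)"]) for r in rows
                 if user_contains in r["User Name"] and r["Replay"].strip().lower() == "true"]
    return max(durations, default=0)


if __name__ == "__main__":
    rows = parse_ssh_audit(SAMPLE_SSH_AUDIT)
    for cmd in replay_commands(rows, "John"):
        print(cmd)
```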
‘sdm audit activities’
The activities logged within StrongDM are platform specific and relate to the management of StrongDM itself. You can search for administrative activity with ‘sdm audit activities’. Here we use ‘jq’ to select entries from the first week of September whose activity name contains “updated”, “created”, or “deleted”.
sdm audit activities --from "2023-09-01" --to "2023-09-07" -e -j | jq 'select(.activity | (contains("updated")) or contains("created") or contains("deleted"))'
{
"activity": "user deleted from role",
"actorName": "John Doe (user@strongdm.com)",
"actorUserID": "a-76d7xxxxxxxe99e61",
"description": "John Doe (user@strongdm.com) removed John Doe (user@strongdm.com) from Sales Engineers.",
"ip_address": "44.123.38.106",
"objects": [
{
"email": "",
"externalId": "",
"id": "r-504xxxxxxx781e",
"name": "Sales Engineers",
"type": "role"
},
{
"email": "user@strongdm.com",
"externalId": "00u40lxxxxxxxfsQ5d7",
"id": "a-76d7xxxxxxxe99e61",
"name": "",
"type": "user"
}
]
}
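The following added example (not part of the page or the StrongDM CLI) parses `sdm audit activities -e -j` output in the shape shown above, applies the same updated/created/deleted selection as the jq filter, and flattens the `objects` array so that role membership changes, including a user changing their own membership as in the sample above, can be reviewed. The first sample event follows the page; the other two events, and all IDs, emails and IPs, are constructed.

```python
import json

# Constructed sample in the shape of `sdm audit activities -e -j` output (one JSON
# object per line). Event 1 is modelled on the page; events 2 and 3 and all IDs,
# emails and IPs are invented placeholders.
SAMPLE_ACTIVITIES = """
{"activity": "user deleted from role", "actorName": "John Doe (user@strongdm.com)", "actorUserID": "a-76d7xxxxxxxe99e61", "description": "John Doe (user@strongdm.com) removed John Doe (user@strongdm.com) from Sales Engineers.", "ip_address": "44.123.38.106", "objects": [{"email": "", "externalId": "", "id": "r-504xxxxxxx781e", "name": "Sales Engineers", "type": "role"}, {"email": "user@strongdm.com", "externalId": "00u40lxxxxxxxfsQ5d7", "id": "a-76d7xxxxxxxe99e61", "name": "", "type": "user"}]}
{"activity": "role updated", "actorName": "Jane Roe (jane@example.com)", "actorUserID": "a-11aaxxxxxxx22bb", "description": "Jane Roe added Sam Poe to Admins.", "ip_address": "10.0.0.5", "objects": [{"email": "", "externalId": "", "id": "r-999xxxxxxx000e", "name": "Admins", "type": "role"}, {"email": "sam@example.com", "externalId": "", "id": "a-33ccxxxxxxx44dd", "name": "", "type": "user"}]}
{"activity": "user logged in", "actorName": "Sam Poe (sam@example.com)", "actorUserID": "a-33ccxxxxxxx44dd", "description": "Sam Poe logged in.", "ip_address": "10.0.0.9", "objects": []}
""".strip()

CHANGE_WORDS = ("updated", "created", "deleted")


def parse_activities(text):
    """Parse JSON-lines output into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def select_changes(events):
    """Same selection as the page's jq filter: activity contains updated/created/deleted."""
    return [e for e in events if any(w in e["activity"] for w in CHANGE_WORDS)]


def role_membership_changes(events):
    """Flatten each change event that touches a role and a user into
    (actorUserID, activity, affected user email, role name)."""
    out = []
    for e in select_changes(events):
        by_type = {o["type"]: o for o in e.get("objects", [])}
        if "role" in by_type and "user" in by_type:
            out.append((e["actorUserID"], e["activity"],
                        by_type["user"]["email"], by_type["role"]["name"]))
    return out


def self_membership_changes(events):
    """Change events where the actor is also the affected user (the page's sample
    shows John Doe removing himself): actorUserID equals the user object's id."""
    return [e for e in select_changes(events)
            if any(o["type"] == "user" and o["id"] == e["actorUserID"]
                   for o in e.get("objects", []))]


if __name__ == "__main__":
    events = parse_activities(SAMPLE_ACTIVITIES)
    for change in role_membership_changes(events):
        print(change)
```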
‘sdm audit users’
The users audit function is useful for finding more information about the users in your organization. In this example we use ‘sdm audit users’ to list all users with a specific permission level (for example, all of your administrators). The output also includes any roles attached to each user at that point in time, and other useful information.
sdm audit users -j | jq 'select(.strongRole == "admin")'
{
"id": "a-76d7xxxxxxxxx9e61",
"email": "user@strongdm.com",
"firstName": "John",
"lastName": "Doe",
"strongRole": "admin",
"roles": [
{
"id": "r-504a1xxxxxx81e",
"name": "Sales Engineers"
}
],
"remoteIdentities": [
{
"remoteIdentityGroupId": "ig-438xxxxxxx1deef",
"remoteIdentityGroupName": "default",
"username": "xxxxxxx"
}
]
}
Please visit the CLI Reference for complete documentation on how to use the CLI, as well as examples of how to use the filter/tag options.