PowerShell · tgauth · May 20, 2025 · May 20, 2025 · Jun 5, 2025 · Jun 5, 2025
diff --git a/regress/pesterTests/EventLogging.Tests.ps1 b/regress/pesterTests/EventLogging.Tests.ps1
@@ -0,0 +1,175 @@
+If ($PSVersiontable.PSVersion.Major -le 2) {$PSScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Path}
+Import-Module $PSScriptRoot\CommonUtils.psm1 -Force
+Import-Module OpenSSHUtils -Force
+$tC = 1
+$tI = 0
+$suite = "EventLogging"
+Describe "Tests for admin and non-admin event logs" -Tags "CI" {
+    BeforeAll {
+        if($OpenSSHTestInfo -eq $null)
+        {
+            Throw "`$OpenSSHTestInfo is null. Please run Set-OpenSSHTestEnvironment to set test environments."
+        }
+
+        $testDir = "$($OpenSSHTestInfo["TestDataPath"])\$suite"
+        if( -not (Test-path $testDir -PathType Container))
+        {
+            $null = New-Item $testDir -ItemType directory -Force -ErrorAction SilentlyContinue
+        }
+
+        $server = $OpenSSHTestInfo["Target"]
+        $nonadminusername = $OpenSSHTestInfo['NonAdminUser']
+        $adminusername = $OpenSSHTestInfo['AdminUser']
+        $opensshbinpath = $OpenSSHTestInfo['OpenSSHBinPath']
+        $password = $OpenSSHTestInfo['TestAccountPW']
+        $port = 47003
+        $sshdDelay = $OpenSSHTestInfo["DelayTime"]
+
+        # Register OpenSSH events in Event Viewer
+        $etwman = Join-Path $opensshbinpath "openssh-events.man"
+        if (-not (Test-Path $etwman -PathType Leaf)) {
+            throw "openssh events manifest is not present in OpenSSH binary path"
+        }
+        wevtutil im "$etwman" | Out-Null
+    }
+
+    AfterEach { $tI++ }
+
+    AfterAll {
+        # Unregister etw provider
+        wevtutil um "$etwman"
+    }
+
+    Context "Tests Logs for SSH connections" {
+        BeforeAll {
+            Add-PasswordSetting -Pass $password
+            $tI=1
+        }
+
+        BeforeEach {
+            wevtutil sl "OpenSSH/Debug" /e:false /q:true | Out-Null
+            wevtutil cl "OpenSSH/Debug" | Out-Null
+            wevtutil sl "OpenSSH/Debug" /e:true /q:true | Out-Null
+            wevtutil sl "OpenSSH/Operational" /e:false /q:true | Out-Null
+            wevtutil cl "OpenSSH/Operational" | Out-Null
+            wevtutil sl "OpenSSH/Operational" /e:true /q:true | Out-Null
+        }
+
+        AfterAll {
+            Remove-PasswordSetting
+            $tC++
+        }
+
+        It "$tC.$tI-Nonadmin SSH Connection" {
+            $o = ssh -l $nonadminusername test_target echo 1234
+            $o | Should Be 1234
+            Start-Sleep $sshdDelay
+            $eventLogDebug = wevtutil qe "OpenSSH/Debug" /c:5 /f:text
+            $eventLogDebug | Should Not Be $null
+            $eventLogOperational = wevtutil qe "OpenSSH/Operational" /c:5 /f:text
+            $eventLogOperational | Should Not Be $null
+        }
+
+        It "$tC.$tI-Admin SSH Connection" {
+            $o = ssh -l $adminusername test_target echo 1234
+            $o | Should Be 1234
+            Start-Sleep $sshdDelay
+            $eventLogDebug = wevtutil qe "OpenSSH/Debug" /c:5 /f:text
+            $eventLogDebug | Should Not Be $null
+            $eventLogOperational = wevtutil qe "OpenSSH/Operational" /c:5 /f:text
+            $eventLogOperational | Should Not Be $null
+        }
+    }
+
+    Context "Tests Logs for SFTP connections" {
+
+        BeforeAll {
+
+            function Setup-KeyBasedAuth
+            {
+                param([string] $Username, [string] $KeyFilePath, [string] $UserProfile)
+
+                $userSSHProfilePath = Join-Path $UserProfile .ssh
+
+                if (-not (Test-Path $userSSHProfilePath -PathType Container)) {
+                    New-Item $userSSHProfilePath -ItemType directory -Force -ErrorAction Stop | Out-Null
+                }
+
+                $authorizedkeyPath = Join-Path $userSSHProfilePath authorized_keys
+
+                if($OpenSSHTestInfo["NoLibreSSL"])
+                {
+                    ssh-keygen.exe -t ed25519 -f $KeyFilePath -Z -P "" aes128-ctr
+                }
+                else
+                {
+                    ssh-keygen.exe -t ed25519 -f $KeyFilePath -P ""
+                }
+                Copy-Item "$KeyFilePath.pub" $authorizedkeyPath -Force -ErrorAction SilentlyContinue
+                Repair-AuthorizedKeyPermission -Filepath $authorizedkeyPath -confirm:$false
+            }
+
+            $AdminUserProfile = $OpenSSHTestInfo['AdminUserProfile']
+            $NonAdminUserProfile = $OpenSSHTestInfo['NonAdminUserProfile']
+
+            $KeyFileName = $nonadminusername + "_sshtest_EventLog_ed25519"
+            $NonadminKeyFilePath = Join-Path $testDir $keyFileName
+            Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue
+            Setup-KeyBasedAuth -Username $nonadminusername -KeyFilePath $NonadminKeyFilePath -UserProfile $NonAdminUserProfile
+
+            $KeyFileName = $adminusername + "_sshtest_EventLog_ed25519"
+            $AdminKeyFilePath = Join-Path $testDir $keyFileName
+            Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue
+            Setup-KeyBasedAuth -Username $adminusername -KeyFilePath $AdminKeyFilePath -UserProfile $AdminUserProfile
+
+            #create batch file
+            $commands =
+"ls
+exit"
+            $batchFilePath = Join-Path $testDir "$tC.$tI.commands.txt"
+            Set-Content $batchFilePath -Encoding UTF8 -value $commands
+
+            $tI = 1
+        }
+
+        BeforeEach {
+            wevtutil sl "OpenSSH/Debug" /e:false /q:true | Out-Null
+            wevtutil cl "OpenSSH/Debug" | Out-Null
+            wevtutil sl "OpenSSH/Debug" /e:true /q:true | Out-Null
+            wevtutil sl "OpenSSH/Operational" /e:false /q:true | Out-Null
+            wevtutil cl "OpenSSH/Operational" | Out-Null
+            wevtutil sl "OpenSSH/Operational" /e:true /q:true | Out-Null
+        }
+
+        AfterAll {
+            Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue
+            Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue
+
+            $authorized_key = Join-Path '.ssh' authorized_keys
+            $AdminAuthKeysPath = Join-Path $AdminUserProfile $authorized_key
+            $NonAdminAuthKeysPath = Join-Path $NonAdminUserProfile $authorized_key
+            Remove-Item -path "$AdminAuthKeysPath*" -Force -ErrorAction SilentlyContinue
+            Remove-Item -path "$NonAdminAuthKeysPath*" -Force -ErrorAction SilentlyContinue
+
+            $tC++
+        }
+
+        It "$tC.$tI-Nonadmin SFTP Connection" {
+            sftp -i $NonadminKeyFilePath -b $batchFilePath -o User=$nonadminusername test_target
+            Start-Sleep $sshdDelay
+            $eventLogDebug = wevtutil qe "OpenSSH/Debug" /c:5 /f:text
+            $eventLogDebug | Should Not Be $null
+            $eventLogOperational = wevtutil qe "OpenSSH/Operational" /c:5 /f:text
+            $eventLogOperational | Should Not Be $null
+        }
+
+        It "$tC.$tI-Admin SFTP Connection" {
+            sftp -i $AdminKeyFilePath -b $batchFilePath -o User=$adminusername test_target
+            Start-Sleep $sshdDelay
+            $eventLogDebug = wevtutil qe "OpenSSH/Debug" /c:5 /f:text
+            $eventLogDebug | Should Not Be $null
+            $eventLogOperational = wevtutil qe "OpenSSH/Operational" /c:5 /f:text
+            $eventLogOperational | Should Not Be $null
+        }
+    }
+}