bascule-oss/docs/observability.md
Tyler King 043b9b9bdc feat: bascule-shell — identity-aware shell with TPM attestation
New crate: bascule-shell (471 lines, 1.8MB binary)
  Login shell that detects identity + platform attestation at startup.
  Wraps bash/zsh/fish — operator works normally, identity travels with them.

Identity detection (priority order):
  1. Entra via WSL2 interop
  2. Azure CLI
  3. Kerberos TGT
  4. Cached OIDC token
  5. System user (fallback)

Platform attestation:
  TPM 2.0 PCR values via tpm2_pcrread (PCRs 0,1,2,7,10,14)
  IMA measurement log hash + count
  Keylime agent state
  Entra device compliance (WSL2 only)
  Composite SHA-256 hash over all evidence

Shell features:
  Banner with identity + attestation summary
  BASCULE_* env vars injected into inner shell
  --info mode for dry-run display
  --json mode for machine-readable output
  --exec mode for single-command execution
  Configurable via ~/.config/bascule/shell.toml

Tested on Fedora with real TPM 2.0:
  6 PCRs successfully read from hardware
  All env vars propagated to inner shell
  1.8MB binary, 0 substrate deps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 09:47:46 -04:00


# Observability

## Structured Logging

Bascule emits structured log events through the `tracing` crate. Every log line carries session context as named fields (session ID, principal, backend, source IP) rather than as free text, so downstream tooling can filter and correlate on them directly.

### JSON format

```sh
BASCULE_LOG_FORMAT=json ./bascule --config config.toml
```

Output (one JSON object per line):

```json
{"timestamp":"2026-04-04T20:30:00Z","level":"INFO","message":"Auth accepted","method":"ssh-key","principal":"tking","peer":"192.168.1.10:54321"}
{"timestamp":"2026-04-04T20:30:00Z","level":"INFO","message":"Shell session starting","session.id":"abc-123","session.principal":"tking","session.backend":"container","session.source_ip":"192.168.1.10"}
```

### Log levels

```sh
RUST_LOG=debug ./bascule --config config.toml          # verbose
RUST_LOG=info ./bascule --config config.toml           # standard
RUST_LOG=warn ./bascule --config config.toml           # quiet
RUST_LOG=bascule=debug ./bascule --config config.toml  # debug bascule only
```

## Key Events

| Event | Level | When |
|---|---|---|
| Auth accepted | INFO | SSH authentication succeeds |
| Auth rejected | WARN | SSH authentication fails |
| Shell session starting | INFO | New session with backend type |
| Exec request | INFO | Non-interactive command execution |
| Container spawning | INFO | Container session starting |
| Upstream connected | INFO | Proxy session connected to target |
| Session ended | INFO | Disconnect or exit |
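The JSON format above and the event table are what a SIEM rule or a small log-processing script would key on. The following is an added example, not bascule's own code: it parses a constructed JSON log stream in the shape shown in this document, pairs `Shell session starting` with `Session ended` on `session.id` to compute session durations, and flags a source IP that accumulates repeated `Auth rejected` events in a short window. It assumes that `Auth rejected` carries the same fields as `Auth accepted` (`method`, `principal`, `peer`) and that `Session ended` carries the same `session.*` fields as `Shell session starting`; the page shows only the accepted/starting lines.

```python
"""Defender-side checks over bascule JSON log lines (added example).

Assumptions (not confirmed by the document): 'Auth rejected' has the same
fields as 'Auth accepted', and 'Session ended' has the same session.* fields
as 'Shell session starting'.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample stream: one legitimate session plus a burst of rejected
# SSH authentications from a second peer (203.0.113.7 is a documentation range).
SAMPLE_LOG = """
{"timestamp":"2026-04-04T20:30:00Z","level":"INFO","message":"Auth accepted","method":"ssh-key","principal":"tking","peer":"192.168.1.10:54321"}
{"timestamp":"2026-04-04T20:30:00Z","level":"INFO","message":"Shell session starting","session.id":"abc-123","session.principal":"tking","session.backend":"container","session.source_ip":"192.168.1.10"}
{"timestamp":"2026-04-04T20:31:05Z","level":"WARN","message":"Auth rejected","method":"ssh-key","principal":"root","peer":"203.0.113.7:40001"}
{"timestamp":"2026-04-04T20:31:06Z","level":"WARN","message":"Auth rejected","method":"ssh-key","principal":"admin","peer":"203.0.113.7:40002"}
{"timestamp":"2026-04-04T20:31:08Z","level":"WARN","message":"Auth rejected","method":"ssh-key","principal":"tking","peer":"203.0.113.7:40003"}
{"timestamp":"2026-04-04T20:45:30Z","level":"INFO","message":"Session ended","session.id":"abc-123","session.principal":"tking","session.backend":"container","session.source_ip":"192.168.1.10"}
"""


def parse_lines(text):
    """Return one dict per non-empty line; skip lines that are not valid JSON
    instead of aborting, since a real stream may carry non-JSON noise."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return events


def ts(event):
    # Timestamps are RFC 3339 in UTC with a trailing 'Z', as in the document.
    return datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def session_durations(events):
    """Pair start and end events on session.id.
    Returns {session_id: (principal, backend, source_ip, seconds)}."""
    started, result = {}, {}
    for ev in events:
        sid = ev.get("session.id")
        if ev.get("message") == "Shell session starting":
            started[sid] = ev
        elif ev.get("message") == "Session ended" and sid in started:
            start = started.pop(sid)
            result[sid] = (
                start["session.principal"],
                start["session.backend"],
                start["session.source_ip"],
                (ts(ev) - ts(start)).total_seconds(),
            )
    return result


def rejected_auth_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Return {source_ip: count} for peers with at least `threshold`
    'Auth rejected' events inside any sliding window of length `window`."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev.get("message") == "Auth rejected":
            # 'peer' is "host:port"; rsplit keeps bracketed IPv6 hosts intact.
            ip = ev["peer"].rsplit(":", 1)[0]
            per_ip[ip].append(ts(ev))
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), j - i + 1)
    return flagged


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    print("sessions:", session_durations(evs))
    print("rejected-auth bursts:", rejected_auth_bursts(evs))
```

Because the fields are structured, the burst check keys on the host part of `peer` rather than on a regex over the message text, and the duration join needs nothing beyond `session.id`; the threshold and window are parameters so the same function can be tuned per environment.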

## OTel Tracing (Planned)

OpenTelemetry OTLP export is planned as an optional feature flag (`--features telemetry`); it is not yet implemented. The session lifecycle will map to OTel spans as follows:

```text
session (root)
├── auth (ssh-key / agent-id)
├── backend_setup (pty / proxy / container)
└── session_active (commands, I/O)
```

## Prometheus Metrics (Planned)

A Prometheus-compatible metrics endpoint is planned as `--features metrics`; it is not yet implemented. Planned metrics:

```text
bascule_sessions_total{backend,auth_method,outcome}
bascule_sessions_active
bascule_session_duration_seconds{backend}
bascule_auth_attempts_total{method,outcome}
```
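Until the metrics feature lands, the same series can be derived from the structured log stream. The following is an added example, not bascule's code and not the planned `--features metrics` implementation: it folds a constructed JSON log stream into the four planned metric names and renders them in the Prometheus text exposition format. Label sourcing is an assumption of this example: `method`/`auth_method` come from the `method` field of the auth event, `backend` from `session.backend`, an auth `outcome` is `accepted` or `rejected` from the message, a session's `auth_method` is the most recent accepted auth from the same source IP, and a session's `outcome` is `ended` (the document defines `Session ended` as disconnect or exit and no other outcomes). Durations are exposed as a summary's `_sum`/`_count` pair, since a histogram needs bucket boundaries the page does not specify.

```python
"""Derive the planned bascule metrics from JSON log lines and render them in
Prometheus exposition format (added example; label mapping is assumed).
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample stream in the shape of the document's JSON log lines.
# 'agent-id' is the second auth method named in the planned OTel span tree.
SAMPLE_LOG = """
{"timestamp":"2026-04-04T20:30:00Z","level":"INFO","message":"Auth accepted","method":"ssh-key","principal":"tking","peer":"192.168.1.10:54321"}
{"timestamp":"2026-04-04T20:30:00Z","level":"INFO","message":"Shell session starting","session.id":"abc-123","session.principal":"tking","session.backend":"container","session.source_ip":"192.168.1.10"}
{"timestamp":"2026-04-04T20:31:05Z","level":"WARN","message":"Auth rejected","method":"ssh-key","principal":"root","peer":"203.0.113.7:40001"}
{"timestamp":"2026-04-04T20:32:00Z","level":"INFO","message":"Auth accepted","method":"agent-id","principal":"svc-build","peer":"10.0.0.5:50000"}
{"timestamp":"2026-04-04T20:32:00Z","level":"INFO","message":"Shell session starting","session.id":"def-456","session.principal":"svc-build","session.backend":"proxy","session.source_ip":"10.0.0.5"}
{"timestamp":"2026-04-04T20:45:30Z","level":"INFO","message":"Session ended","session.id":"abc-123","session.principal":"tking","session.backend":"container","session.source_ip":"192.168.1.10"}
"""


def _ts(ev):
    return datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def _labels(**kv):
    """Render a label set, escaping backslash, double quote and newline
    as the exposition format requires."""
    def esc(v):
        return str(v).replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return "{" + ",".join(f'{k}="{esc(v)}"' for k, v in kv.items()) + "}"


class LogDerivedMetrics:
    def __init__(self):
        self.auth_attempts = Counter()          # (method, outcome) -> count
        self.sessions_total = Counter()         # (backend, auth_method, outcome) -> count
        self.active = {}                        # session.id -> (start event, auth_method)
        self.duration_sum = defaultdict(float)  # backend -> total seconds of ended sessions
        self.duration_count = Counter()         # backend -> number of ended sessions
        self._auth_by_ip = {}                   # source ip -> last accepted method (assumed join)

    def observe(self, ev):
        msg = ev.get("message")
        if msg in ("Auth accepted", "Auth rejected"):
            outcome = "accepted" if msg == "Auth accepted" else "rejected"
            self.auth_attempts[(ev["method"], outcome)] += 1
            if outcome == "accepted":
                self._auth_by_ip[ev["peer"].rsplit(":", 1)[0]] = ev["method"]
        elif msg == "Shell session starting":
            method = self._auth_by_ip.get(ev["session.source_ip"], "unknown")
            self.active[ev["session.id"]] = (ev, method)
        elif msg == "Session ended":
            start, method = self.active.pop(ev["session.id"], (None, "unknown"))
            backend = ev["session.backend"]
            self.sessions_total[(backend, method, "ended")] += 1
            if start is not None:  # only measure sessions whose start we saw
                self.duration_sum[backend] += (_ts(ev) - _ts(start)).total_seconds()
                self.duration_count[backend] += 1

    def render(self):
        out = ["# TYPE bascule_sessions_total counter"]
        for (b, m, o), n in sorted(self.sessions_total.items()):
            out.append(f"bascule_sessions_total{_labels(backend=b, auth_method=m, outcome=o)} {n}")
        out.append("# TYPE bascule_sessions_active gauge")
        out.append(f"bascule_sessions_active {len(self.active)}")
        out.append("# TYPE bascule_session_duration_seconds summary")
        for b in sorted(self.duration_count):
            out.append(f"bascule_session_duration_seconds_sum{_labels(backend=b)} {self.duration_sum[b]}")
            out.append(f"bascule_session_duration_seconds_count{_labels(backend=b)} {self.duration_count[b]}")
        out.append("# TYPE bascule_auth_attempts_total counter")
        for (m, o), n in sorted(self.auth_attempts.items()):
            out.append(f"bascule_auth_attempts_total{_labels(method=m, outcome=o)} {n}")
        return "\n".join(out) + "\n"


def metrics_from_log(text):
    """Fold every non-empty line of a JSON log stream into a metrics object."""
    m = LogDerivedMetrics()
    for raw in text.splitlines():
        if raw.strip():
            m.observe(json.loads(raw))
    return m


if __name__ == "__main__":
    print(metrics_from_log(SAMPLE_LOG).render(), end="")
```

The rejected-auth counter with a `method` label is the series worth alerting on first: a rising `rejected` rate for one method is visible long before individual log lines are read. The source-IP join for `auth_method` is heuristic and breaks when two principals authenticate from the same address; a log line that carried the session ID on the auth event would remove the need for it.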