turbot/tailscale
steampipe plugin install tailscale

Table: tailscale_acl_ssh - Query Tailscale ACL SSH using SQL

Tailscale Access Control Lists (ACLs) are a central part of Tailscale's security model: they specify who can connect to what. SSH ACL rules extend this to SSH sessions, giving granular control over which users may open SSH connections to which devices on your Tailscale network, so that only authorized users can reach specific resources.

Table Usage Guide

The tailscale_acl_ssh table provides insights into the ACLs related to SSH within Tailscale. As a network administrator or security officer, explore ACL-specific details through this table, including permissions, associated devices, and user access. Utilize it to uncover information about ACLs, such as those with unrestricted access, the relationships between ACLs and devices, and the verification of user access.

Examples

Basic info

List every SSH rule in the tailnet with its action, users, source and destination, and check period, to see which connections each rule allows from its source to its destination. This gives an overview of the SSH ACL configuration and a starting point for spotting unusual or inconsistent rules.

select
  action,
  users,
  source,
  destination,
  check_period,
  tailnet_name
from
  tailscale_acl_ssh;

Users who cannot connect to their own devices

Find devices in tailnets whose SSH rules are not limited to the default self-access rule (action check, source autogroup:members, destination autogroup:self). This helps identify tailnets where users may be unable to reach their own devices, or where broader rules deserve review, which is useful for troubleshooting and risk management.

PostgreSQL:

with ssh_tas as (
  select
    action,
    users,
    src,
    dst,
    tailnet_name
  from
    tailscale_acl_ssh as tas,
    jsonb_array_elements_text(source) as src,
    jsonb_array_elements_text(destination) as dst
  where
    action <> 'check'
    or src <> 'autogroup:members'
    or dst <> 'autogroup:self'
)
select
  distinct(td.name) as device_name,
  td.user,
  td.id
from
  tailscale_device as td
  join ssh_tas on ssh_tas.tailnet_name = td.tailnet_name;
SQLite:

with ssh_tas as (
  select
    action,
    users,
    src,
    dst,
    tailnet_name
  from
    tailscale_acl_ssh as tas,
    json_each(source) as src,
    json_each(destination) as dst
  where
    action <> 'check'
    or src.value <> 'autogroup:members'
    or dst.value <> 'autogroup:self'
)
select
  distinct(td.name) as device_name,
  td.user,
  td.id
from
  tailscale_device as td
  join ssh_tas on ssh_tas.tailnet_name = td.tailnet_name;
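The query above joins every device in a tailnet that has any non-default SSH rule. A complementary check, added here as an example that is not part of the Steampipe documentation, looks at the problem from the tailnet side: it lists tailnets that have no check-mode self-access rule at all, which is the condition under which members cannot SSH into their own devices. It uses the PostgreSQL jsonb functions and the tailscale_tailnet table referenced elsewhere on this page; the autogroup spellings follow the page's examples.

```sql
-- Added example (not from the Steampipe docs): tailnets lacking the
-- self-access SSH rule (check, autogroup:members -> autogroup:self).
with self_rules as (
  select distinct
    tailnet_name
  from
    tailscale_acl_ssh,
    jsonb_array_elements_text(source) as src,
    jsonb_array_elements_text(destination) as dst
  where
    action = 'check'
    and src = 'autogroup:members'
    and dst = 'autogroup:self'
)
select
  tt.tailnet_name,
  -- number of SSH rules the tailnet does have, for context
  (
    select count(*)
    from tailscale_acl_ssh as tas
    where tas.tailnet_name = tt.tailnet_name
  ) as ssh_rule_count
from
  tailscale_tailnet as tt
  left join self_rules as sr on sr.tailnet_name = tt.tailnet_name
where
  sr.tailnet_name is null
order by
  tt.tailnet_name;
```

An empty result means every tailnet still carries the default self-access rule; any row returned is a tailnet whose members rely entirely on other rules (or have no SSH access to their own machines).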

Users who are a direct member (not a shared user) of the tailnet

Find devices in tailnets whose SSH rules have autogroup:members as a source, that is, rules that apply to direct members of the tailnet rather than to shared users. This is useful for reviewing how broadly member access is granted and for ensuring proper access control.

PostgreSQL:

with ssh_tas as (
  select
    action,
    users,
    src,
    dst,
    tailnet_name
  from
    tailscale_acl_ssh as tas,
    jsonb_array_elements_text(source) as src,
    jsonb_array_elements_text(destination) as dst
  where
    src = 'autogroup:members'
)
select
  td.user,
  td.name as device_name,
  td.id
from
  tailscale_device as td
  join ssh_tas on ssh_tas.tailnet_name = td.tailnet_name;
SQLite:

with ssh_tas as (
  select
    action,
    users,
    src,
    dst,
    tailnet_name
  from
    tailscale_acl_ssh as tas,
    json_each(source) as src,
    json_each(destination) as dst
  where
    src.value = 'autogroup:members'
)
select
  td.user,
  td.name as device_name,
  td.id
from
  tailscale_device as td
  join ssh_tas on ssh_tas.tailnet_name = td.tailnet_name;

Users who have the check period disabled

Find SSH rules with action accept and no check period, which allow sessions for the listed users without periodic re-authentication. This is useful for understanding potential security risks or compliance issues within your network.

select
  tas.users,
  tas.action
from
  tailscale_acl_ssh as tas
  join tailscale_tailnet as tt on tas.tailnet_name = tt.tailnet_name
where
  tas.action = 'accept'
  and tas.check_period is null;
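The query above returns every accept rule without a check period. The following query, added here as an example and not part of the Steampipe documentation, narrows that set to the rules a reviewer would want to see first: accept rules with no check period whose users list includes root, expanded to one row per source/destination pair. It uses the PostgreSQL jsonb `?` operator (true when the array contains the given string) against the users column described in the schema below.

```sql
-- Added example (not from the Steampipe docs): accept-without-check SSH
-- rules that grant access as root, one row per source/destination pair.
select
  tas.tailnet_name,
  tas.action,
  tas.check_period,
  src,
  dst,
  tas.users
from
  tailscale_acl_ssh as tas,
  jsonb_array_elements_text(tas.source) as src,
  jsonb_array_elements_text(tas.destination) as dst
where
  tas.action = 'accept'
  and tas.check_period is null
  -- jsonb ? text: true when the users array contains the string 'root'
  and tas.users ? 'root'
order by
  tas.tailnet_name,
  src,
  dst;
```

Dropping the `tas.users ? 'root'` condition gives the full list of unchecked accept rules, while replacing it with `tas.users ? 'autogroup:nonroot'` shows rules that grant any non-root user without a check.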

Schema for tailscale_acl_ssh

Name               | Type  | Operators                       | Description
-------------------|-------|---------------------------------|------------------------------------------------------------------
_ctx               | jsonb |                                 | Steampipe context in JSON form.
action             | text  |                                 | Action defined for a device or a network.
check_period       | text  |                                 | The time period for which the connection remains in check mode.
destination        | jsonb |                                 | The list of destination IP addresses for the connection.
source             | jsonb |                                 | The list of source IP addresses for the connection.
sp_connection_name | text  | =, !=, ~~, ~~*, !~~, !~~*       | Steampipe connection name.
sp_ctx             | jsonb |                                 | Steampipe context in JSON form.
tailnet_name       | text  | =, !=, ~~, ~~*, !~~, !~~*       | The name of your tailnet.
users              | jsonb |                                 | The list of users to apply an action on.

Export

This table is also available through a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without running a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- tailscale

You can pass the configuration to the command with the --config argument:

steampipe_export_tailscale --config '<your_config>' tailscale_acl_ssh