Advanced Spy - New Module

Asterisk offers two ways to spy/barge/whisper on active calls. ChanSpy which allows you to spy on channels (PJSIP/100, IAX/100, Local/100) and ExtenSpy which allows you to spy based on ext@context (100@from-internal). These are widely used functions in call centers and other agent based scenarios.

FreePBX’s currently only uses ChanSpy and the implementation is as basic as it comes. It allows any users to spy on any active call and in a lot of use cases, this can be problematic. The lack of restrictions and configuration of ChanSpy have recently left FreePBX users with a bad taste in their mouth. I have started to work on a module that will address these concerns.

I am hoping that in the next couple of weeks it will be ready for late alpha/early beta testing. It currently will provide the following functionality (quick run down):

• It will disable the 555 ChanSpy feature code used by default in FreePBX and replace it.
• Multiple Spy Codes (feature codes). This will allow for more than one feature code to initiate spying. Allowing for each Spy Code to have its own feature set.
• Choose whether the Spy Code is ChanSpy (default) or ExtenSpy
• It will allow for an authentication PIN to be set. This will require any user to provide the PIN in order to spy.
• It will allow you to configure which options are available such as Barge, Whisper, Private Whisper, etc.
• Extension Restrictions - restrict which extensions can be spied on.
• Spier Restrictions - restrict which users can use the Spy Code.
• Spy Groups - Create Spy Groups, add extensions to the Spy Group and restrict Spying to one or more groups. If the extension is not in one of the groups, it can’t be spied on.
• Spy Recordings - Allow for the recording of channels/extensions being spied on. May not be in the initial release as I feel there should be an interface to view/listen to said recordings.

Any suggestions or thoughts are welcomed.

Merely the ability to create groups with permissions - who can spy on whom, essentially - would be a huge benefit.

Group HR can spy on anyone except Executive group.
Group Management can spy on Call center group only.

Stuff like that. I’ve been using some dialplan that @lgaetz wrote a few years ago and just adding onto that to get the functionality I need but I’d be very interested in testing this module out.

I know there are some that have hacked their way around this but I figured it would be better to allow it for those who can’t.

Little progress update share…still got a bit to go but getting there.

advspy_grid2760×378 33.5 KB

advspy_edit2722×872 138 KB

@penguinpbx What’s the turn around time on getting key signing completed once the form and key has been submitted?

IDK on time, but thanks for sharing the updates.

This is great! Thank you.

Can you please inquire?

Just FYI, Kapil got me going but we found an issue during the process that’s going to require some document updates. They made a change to stop DoS of fake keys so now you doing the refresh or receive after the key has been signed won’t show any updates. Performing either:

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys <your-key> or gpg --keyserver hkp://keyserver.ubuntu.com:80 --refresh-key will not result in Updated: 1 as documented now. The key won’t be pulled.

There needs to be a modification to gpg.conf (which in most cases doesn’t exist so it needs to be created). So you will need to edit/create ${GNUPGHOME:-$HOME/.gnupg}/gpg.conf and add this line: keyserver-options no-self-sigs-only,no-import-clean

Again these two steps are needed:

1. Edit/Add ${GNUPGHOME:-$HOME/.gnupg}/gpg.conf
2. Add this line: keyserver-options no-self-sigs-only,no-import-clean

Once that is done, the refresh and recv-keys options will show the changes as well as --show-sigs.

Thanks @kgupta !

Do you have a link with more information ?

Was your key signed ?

https://security.stackexchange.com/questions/219844/why-is-debian-not-showing-the-gpg-signatures-on-keys-that-arch-linux-is/219851#219851

Yes, it was showing signed here but it wouldn’t update on my system. Once I added line to gpg.conf I was able to update on my system.

Key signing issue aside for a moment… except for asking what/where is this code that is being signed (GitHub link ?) then on to some of the content:

List ? Range ? Pattern ?

Would these be part of User Group Management Module ?

The use of the word Spy to refer to the target of the spying was hard to grok.

It’s not up yet as I’m still in development phase. It will be on Github when it is ready for public testing soon. Which is why I wanted my key signing out of the way.

A list.

Not at this time. Extensions do not have to be associated with a user and vice versa so putting this in User Manager requires an association to exist. At best I would hook into the extension settings.

I don’t know what that means or how it applies.

In common language, spies track targets. But, in your module, it sounds like “Spy Groups” will not be a group of spies; instead, “Spy Groups” are a group of targets, correct ? If so, then perhaps “Target Groups” would be more accurate of a label – not to replace “Spy Groups” however, you might consider both, along the lines of @adell4444’s points. Something more like:

In my module, Spy Groups comes from the SPYGROUP variable that must be set on the channel such as Set(SPYGROUP=support).

The last screenshoots don’t show the “Add Group” option where you can create a group and assign extensions to it.

In the final stretch in alpha testing. I’m guessing by the end of the week I’ll have this ready for use. Need to do some final testing on what I can and get everything ready and up on Github.

The first release will be 100% beta and will need some testing done in real scenarios, I can only have so many calls with myself for the testing.

Notice the Event Log and Generate Hint options. You will be able log spy actions to the CEL. It will capture who the spier was, when they started spying, the spy code used. Can’t capture DTMF and different channels spied-on (that does get captured in the full log) but when the spier hangs up it will capture the end time and the last channel spied on.

As well, it you will be able to generate a BLF hint that you can monitor to see when a specific spy code has been activated.

Spy Code

screencapture-fpbx17-dev-aminetwork-biz-admin-config-php-2025-05-13-12_54_172712×2402 506 KB

Spy Target Group

screencapture-fpbx17-dev-aminetwork-biz-admin-config-php-2025-05-13-12_56_442712×1316 237 KB

Hooking into the Advanced tab in Extensions

SCR-20250513-ide2528×206 39.3 KB

Excited to run through testing of this as well.

@kgupta @penguinpbx It appears I can’t sign my module per the documents.

gpg: error reading key: No public key
gpg: key B53D215A755231A3: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
Wasn't able to find a valid key. Sorry

UPDATE: This can be disregarded. Thanks to @billsimon for the tip, just needed to add my full key at the end of the command. Now it signs without issue and passes signature checks.

Assumed earlier that these will be exposed on the Admin → Feature Codes page but not seeing screenshots of such as of yet… Will the new codes added by this module be configurable via FC page Customize/Enable/Disable options ? (Could be a layered security approach ).

Will remain patient thank you.

Who’s watching the watchers… nice.

I’ve decided to not do that because these really aren’t feature codes. This is more of an application thing. I have tied into the extension mapping so that conflict/existing checks are done.