howtos:ssh-su_trap

This shows you the differences between two versions of the page.

howtos:ssh-su_trap [27/04/2024 17:56] – created domingohowtos:ssh-su_trap [27/04/2024 18:03] domingo
Line 3: Line 3:
  
 The idea is that someone can either "su" into your account (like root or someone with root privs) or ssh with your credentials then it pics it up and send a mail. The idea is that someone can either "su" into your account (like root or someone with root privs) or ssh with your credentials then it pics it up and send a mail.
 +
 +This idea was created by @freebsdfrau (https://twitter.com/freebsdfrau/)
  
 Place the script in the file "~/.bash_profile". Place the script in the file "~/.bash_profile".
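Review bot: the trap only fires in shells that read ~/.bash_profile, which bash does for interactive login shells (a plain `ssh host`, `su - user`, `sudo -i`). A plain `su user` without `-`/`-l` and a `sudo -u user bash` start non-login shells that read ~/.bashrc instead, and `ssh host 'command'` runs a non-interactive shell that does not read ~/.bash_profile at all, so none of those paths send mail. The text should say so and suggest sourcing the same script from ~/.bashrc as well (guarded so a login shell does not run it twice), and should state the obvious limit: whoever already has root can edit or bypass a tripwire that lives in the victim's dotfiles, so this is a detection aid, not a control. Style: "pics it up" should read "picks it up".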
Line 8: Line 10:
 <code> <code>
 ME="example@example.com"       # Set your email address here. ME="example@example.com"       # Set your email address here.
-BASTION="10.10.1.1"           # Space-separated list of trusted host IPs.+BASTION="10.10.1.1 192.168.7.6          # Space-separated list of trusted host IPs.
  
 # Function to send email # Function to send email
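Review bot: the new BASTION line drops the closing double quote: `BASTION="10.10.1.1 192.168.7.6          # Space-separated list of trusted host IPs.` In bash an unterminated double quote continues to the next `"` in the file, so the comment and every following line up to that quote become part of the value and the rest of the script is mangled or fails to parse. It should read `BASTION="10.10.1.1 192.168.7.6"   # Space-separated list of trusted host IPs.` Worth a caveat next to the variable, too: sessions from these trusted hosts are exempt from the alert, so an attacker who has compromised the bastion itself, or is using the credentials from it, also triggers nothing; the allowlist reduces noise, it does not authenticate anyone.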
Line 63: Line 65:
   # If not an SSH session, check for unexpected 'su' command usage.   # If not an SSH session, check for unexpected 'su' command usage.
   # The awk command parses the process list for the 'su' command.   # The awk command parses the process list for the 'su' command.
 +  # The following awk script is designed to parse the output of 'ps auxwwf' to identify unexpected user changes that lead to the current shell process.
 +  # It operates as follows:
 +  #
 +  # 1. BEGIN Block:
 +  #    - Reads the first line of the input (usually headers from 'ps auxwwf') into the variable 'hdr'.
 +  #    - Stores this header line in the first index of the array 'lines'.
 +  #    - Uses the 'match()' function to find the position of the substring "COMMAND" in 'hdr', which indicates the start of the command column in the process list.
 +  #    - Stores the start position of "COMMAND" in the variable 'C' using 'RSTART', which holds the index of the first character where "COMMAND" is found.
 +  #
 +  # 2. Main Processing Block:
 +  #    - Stores each line of input in the 'lines' array, preserving the full output of 'ps auxwwf'.
 +  #
 +  # 3. Conditional Block on Field 2 (PID matching):
 +  #    - Checks if the second field (PID) of the current line matches the PID of the current shell ($$).
 +  #    - If a match is found, 'P' is set to the current line number (NR), and 'U' is set to the user running the process (field 1).
 +  #
 +  # 4. END Block:
 +  #    - Iterates backward from the line identified by 'P' (where the current shell PID was found) to trace the process hierarchy.
 +  #    - Checks each line by comparing the starting user of the command against the user 'U'. If a line with a different user is found:
 +  #      - If the new user is 'root', updates 'U' to 'root' and continues (to track who elevated to root).
 +  #      - If the new user is not 'root', sets 'found' to 1 and breaks the loop to capture this transition.
 +  #    - Stops the loop if the line doesn't begin with a space (indicating a shift in the process hierarchy or reaching the top).
 +  #    - Prints the last user encountered in this trace (either the non-root user that was found or 'root' if the escalation chain didn't lead to a non-root user).
 +  #
 +  # This script helps in detecting privilege escalations and user context switches that are not initiated by the logged-in user, potentially indicating unauthorized actions or security breaches.
 +
   SU_USER=$(ps auxwwf | awk -v pid=$$ '   SU_USER=$(ps auxwwf | awk -v pid=$$ '
     BEGIN {     BEGIN {
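Review bot: step 4's "Stops the loop if the line doesn't begin with a space" does not match `ps auxwwf` output, whose lines start with the USER column; the forest indentation (` \_ `) sits inside the COMMAND column, which is exactly why `C` (the offset of "COMMAND" in the header, via `match()`/`RSTART`) is captured in the BEGIN block. The comment should say the walk stops when the command column, `substr($0, C)`, no longer starts with the tree indentation, i.e. a tree root has been reached. Two robustness points for the same awk, since the comment now documents it in detail: (1) `ps aux` truncates USER names longer than 8 characters to a 7-character prefix plus `+` (e.g. `systemd+`), so the field 1 comparisons against `U` and against "root" can mismatch for long usernames; `ps -o user:32` or comparing UIDs (`ps -o uid`) avoids that. (2) Walking the ASCII forest by indentation is fragile; looping over `ps -o ppid= -o user= -p "$pid"` up the parent chain until the PPID is 1 gives the same answer without depending on column layout. Finally, 25 lines of comment that explain awk built-ins (BEGIN/END, NR, RSTART) read better as a two-line statement of intent plus inline comments inside the awk program itself.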
Line 102: Line 130:
   fi   fi
 fi fi
 +
 </code> </code>
howtos/ssh-su_trap.txt · Last modified: 27/04/2024 18:06 by domingo