
Introduction

Nowadays, with the growing number of servers in an infrastructure, it is important to trace all user activity so that it can be investigated once suspicious activity has been detected. This project was born to solve that problem: it traces every user connected through SSH and prints the outcome to stdout or writes it to a file in rsyslog format.

The program detects every command executed on the system by a connected user and prints the result to the terminal. It has the advantage of detecting privilege escalation when the user switches to another account: it shows both the user who initially connected (by username) and the user who actually executed the command. The diagram below shows an example:

Example

Installation

Supported platforms

The program is based on eBPF, a technology for developing programs that are loaded into the kernel for security, networking and tracing of kernel events. This program has been tested on these systems:

System   Architecture   Version   Kernel version
Ubuntu   x64            20.04     5.15.0
Debian   x64            11        5.10.0

Requirements

The program is based on eBPF and developed in C. You should install these packages if you want to generate the binary:

  • bpftool
  • clang-11
  • libbpf-dev
  • gcc gcc-multilib

Usage

After you clone the project, you can move into it. The layout of the project is quite simple: the directory src/ contains all C source and header files, and the Makefile generates the binary with the command make all:

$ git clone https://gitea.bucchino.org/gbucchino/ssh-trace
$ cd ssh-trace
$ make all

That generates the binary ssh-trace, which you can then run:

$ sudo ./ssh-trace

By default, the result is printed to stdout, but you can export it in rsyslog file format with the -f parameter:

$ sudo ./ssh-trace -f ssh-trace_$(date '+%F').log
$ cat ssh-trace_$(date '+%F').log
Jan 03 12:21:33 ubuntu ssh-trace: <info> host=user@192.168.1.37;ppid=8516;pathname=/usr/bin/ls --color=auto -la /home/user;pid=9112
Jan 03 12:21:35 ubuntu ssh-trace: <info> host=user@192.168.1.37;ppid=8516;pathname=/usr/sbin/ip address show;pid=9113
Jan 03 12:21:37 ubuntu ssh-trace: <info> host=user@192.168.1.37;ppid=8516;pathname=/usr/bin/cat /etc/group;pid=9114
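The rsyslog-format lines above are meant to be consumed by a log pipeline or an analyst, so a parser for them is the natural companion to the output. The following Python script is an added example and is not part of the ssh-trace project. It assumes the field order shown in the sample lines (host;ppid;pathname;pid), anchors the pid field at the end of the line so that a ';' inside command arguments does not break the pathname, groups events into SSH sessions by (user, source IP, ppid), and flags commands whose executable is a user-switching tool (sudo, su), which is the privilege-escalation case the README describes. The sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in the format ssh-trace writes with -f.
# The last line carries a ';' inside the command arguments on purpose.
SAMPLE_LOG = """\
Jan 03 12:21:33 ubuntu ssh-trace: <info> host=user@192.168.1.37;ppid=8516;pathname=/usr/bin/ls --color=auto -la /home/user;pid=9112
Jan 03 12:21:35 ubuntu ssh-trace: <info> host=user@192.168.1.37;ppid=8516;pathname=/usr/sbin/ip address show;pid=9113
Jan 03 12:21:37 ubuntu ssh-trace: <info> host=user@192.168.1.37;ppid=8516;pathname=/usr/bin/cat /etc/group;pid=9114
Jan 03 12:21:40 ubuntu ssh-trace: <info> host=user@192.168.1.37;ppid=8516;pathname=/usr/bin/sudo -i;pid=9115
Jan 03 12:22:01 ubuntu ssh-trace: <info> host=user@192.168.1.37;ppid=8516;pathname=/usr/bin/sh -c echo a;echo b;pid=9116
"""

# Syslog header: "Mon DD HH:MM:SS <host> ssh-trace: <level> <body>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) (?P<syslog_host>\S+) "
    r"ssh-trace: <(?P<level>\w+)> (?P<body>.*)$"
)

# Body with the field order assumed from the README samples. The greedy
# pathname group is anchored by the trailing ';pid=<n>' so that a ';' in
# the command arguments is kept as part of pathname.
BODY_RE = re.compile(
    r"^host=(?P<host>[^;]+);ppid=(?P<ppid>\d+);pathname=(?P<pathname>.*);pid=(?P<pid>\d+)$"
)


@dataclass
class Event:
    ts: str
    level: str
    ssh_user: str    # user who opened the SSH session
    src_ip: str      # source address of the SSH client
    ppid: int        # parent (session shell) pid
    pid: int         # pid of the executed command
    pathname: str    # executable path followed by its arguments, as logged


def parse_line(line):
    """Parse one ssh-trace log line; return None for lines in another format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    b = BODY_RE.match(m.group("body"))
    if not b or "@" not in b.group("host"):
        return None
    ssh_user, src_ip = b.group("host").split("@", 1)
    return Event(m.group("ts"), m.group("level"), ssh_user, src_ip,
                 int(b.group("ppid")), int(b.group("pid")), b.group("pathname"))


def parse_log(text):
    """Parse a whole log, silently skipping unparsable lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def sessions(events):
    """Group events by (ssh_user, src_ip, ppid): one SSH shell session per key."""
    grouped = defaultdict(list)
    for e in events:
        grouped[(e.ssh_user, e.src_ip, e.ppid)].append(e)
    return dict(grouped)


SWITCH_USER_BINARIES = {"sudo", "su"}


def executable_name(pathname):
    """Basename of the executable, i.e. the first word of the logged pathname."""
    return pathname.split(" ", 1)[0].rsplit("/", 1)[-1]


def user_switches(events):
    """Events where the executed program is a user-switching tool."""
    return [e for e in events if executable_name(e.pathname) in SWITCH_USER_BINARIES]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, sess in sessions(evs).items():
        print(f"session {key}: {len(sess)} commands")
    for e in user_switches(evs):
        print(f"user switch by {e.ssh_user}@{e.src_ip} at {e.ts}: {e.pathname}")
```

Because the parser keys sessions on ppid, every command typed in one SSH shell ends up in the same bucket, which is the view an analyst wants when reconstructing what a session did before and after a switch to another user.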

If you want to read more about the project, go to my blog, where I wrote an article about it. Enjoy the read :).

References