gbucchino/ssh-trace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
master
ssh-trace/README.md
geoffrey 9ae8e28a20 Fix readme
2025-01-03 16:01:18 +01:00

54 lines
2.7 KiB
Markdown
Raw Permalink Blame History

# Introduction
Nowadays, with the increase of numbers of servers in an infrastructure, it's important to trace all users activities for investigating when a suspicious activity has been detected. This project is borned for resolving that issue, which trace all user connected through SSH and the outcome is print to the stdout or to a file in rsyslog format.
The program detect all commands executed in the system from a user connected and the result is print into the terminal, the program has an advantage for detection any privilege escalations when the user switch to another one, and the program show to us the initial user connected with the username and the user who executed the command. The diagram below show us an example:
![Example](example.png)
# Installation
# Supported platforms
The program is based on [eBPF](https://ebpf.io/). It's a technology for developping a program which is loaded into the Kernel for security, networking and tracing all event in the kernel. This program has been tested on these systems:
| System | Architecture | Version | Kernel version |
|--------|--------------|---------|----------------|
| Ubuntu | x64| 20.04| 5.15.0|
| Debian | x64| 11| 5.10.0|
## Requirements
The program is based on eBPF and developped in C language. You should install these packages if you want to generate the binary:
* bpftool
* clang-11
* libbpf-dev
* gcc gcc-multilib
# Usage
After you clone the project, you can move into it. The arboresence of the project is quite simple. You have the repository `src/` which contains all C sources and headers files and you have the Makefile for generating the binary with the command `make all`:
```
$ git clone https://gitea.bucchino.org/gbucchino/ssh-trace
$ cd ssh-trace
$ make all
```
That will generate the binary `ssh-trace` and you can execute it:
```
$ sudo ./ssh-trace
```
By default, the result is print into the stdout, but, you can export it to rsyslog file format with the parameter -f:
```
$ sudo ./ssh-trace -f ssh-trace_`$(echo date '+%F')`.log
$ cat ssh-trace_`$(echo date '+%F')`.log
Jan 03 12:21:33 ubuntu ssh-trace: <info> host=user@192.168.1.37;ppid=8516;pathname=/usr/bin/ls --color=auto -la /home/user;pid=9112
Jan 03 12:21:35 ubuntu ssh-trace: <info> host=user@192.168.1.37;ppid=8516;pathname=/usr/sbin/ip address show;pid=9113
Jan 03 12:21:37 ubuntu ssh-trace: <info> host=user@192.168.1.37;ppid=8516;pathname=/usr/bin/cat /etc/group;pid=9114
```
If you want to read more about the project, you should go to my [blog](https://www.bucchino.org/projects/sshtrace/), I made an article regarding it. Enjoy the read :).
# References
* https://developers.redhat.com/articles/2023/10/19/ebpf-application-development-beyond-basics#an_example_c_application_using_libbpf
Reference in New Issue View Git Blame Copy Permalink