howtos:ssh-su_trap
Differences
howtos:ssh-su_trap [27/04/2024 17:56] – created domingo | howtos:ssh-su_trap [27/04/2024 18:03] – domingo | ||
---|---|---|---|
Line 3: | Line 3: | ||
The idea is that someone can either " | The idea is that someone can either " | ||
+ | |||
+ | This idea was created by @freebsdfrau (https:// | ||
Place the script in the file " | Place the script in the file " | ||
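Review bot: the attribution line added here credits the idea to @freebsdfrau but does not say whether the script on this page differs from that original; since this same revision also changes the site-specific BASTION value, add a short phrase such as "adapted here for our own bastion host" so readers know which parts are local edits and which are the original author's. The link is cut off in this rendering, so check that the full URL is present in the page source.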
Line 8: | Line 10: | ||
< | < | ||
ME=" | ME=" | ||
- | BASTION=" | + | BASTION=" |
# Function to send email | # Function to send email | ||
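Review bot: BASTION is a hard-coded, deployment-specific constant, and this hunk changes its value with no comment saying what form the value takes (hostname or address) or which property of the session it is compared against; add a one-line comment beside it, as the "Function to send email" line already does for the next block, so a later editor can verify the value without reading the whole script.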
Line 63: | Line 65: | ||
# If not an SSH session, check for unexpected ' | # If not an SSH session, check for unexpected ' | ||
# The awk command parses the process list for the ' | # The awk command parses the process list for the ' | ||
+ | # The following awk script is designed to parse the output of 'ps auxwwf' | ||
+ | # It operates as follows: | ||
+ | # | ||
+ | # 1. BEGIN Block: | ||
+ | # - Reads the first line of the input (usually headers from 'ps auxwwf' | ||
+ | # - Stores this header line in the first index of the array ' | ||
+ | # - Uses the ' | ||
+ | # - Stores the start position of " | ||
+ | # | ||
+ | # 2. Main Processing Block: | ||
+ | # - Stores each line of input in the ' | ||
+ | # | ||
+ | # 3. Conditional Block on Field 2 (PID matching): | ||
+ | # - Checks if the second field (PID) of the current line matches the PID of the current shell ($$). | ||
+ | # - If a match is found, ' | ||
+ | # | ||
+ | # 4. END Block: | ||
+ | # - Iterates backward from the line identified by ' | ||
+ | # - Checks each line by comparing the starting user of the command against the user ' | ||
+ | # - If the new user is ' | ||
+ | # - If the new user is not ' | ||
+ | # - Stops the loop if the line doesn' | ||
+ | # - Prints the last user encountered in this trace (either the non-root user that was found or ' | ||
+ | # | ||
+ | # This script helps in detecting privilege escalations and user context switches that are not initiated by the logged-in user, potentially indicating unauthorized actions or security breaches. | ||
+ | |||
SU_USER=$(ps auxwwf | awk -v pid=$$ ' | SU_USER=$(ps auxwwf | awk -v pid=$$ ' | ||
BEGIN { | BEGIN { | ||
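Review bot: the new numbered comment restates the two lines kept directly above it ("The awk command parses the process list for the ..."), so the same awk program is now described twice; fold those two older lines into the numbered description or drop them. Two things the description should additionally state: which ps implementation's 'ps auxwwf' output the header-column positions and tree layout used in step 1 are taken from, since that format is implementation-specific, and that the closing claim about detecting "privilege escalations and user context switches that are not initiated by the logged-in user" rests only on the backward walk of process ancestry in step 4, so the wording should not promise more than that walk actually checks.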
Line 102: | Line 130: | ||
fi | fi | ||
fi | fi | ||
+ | |||
</ | </ |
howtos/ssh-su_trap.txt · Last modified: 27/04/2024 18:06 by domingo