Skip to content

GitLab

Switch branch/tag
Find file Normal viewHistoryPermalink
Readme.md 2.99 KB
Newer Older
liming6's avatar
init commit  
liming6 committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 
# readme

sshd-tool用于收集sshd的日志,过滤出用户的登录和退出ssh信息

依赖:

- sshd
- rsyslog

工作流程:

配置sshd和rsyslog,将sshd日志转发到机器上的一个unix socket或者远端的tcp或udp

sshd-tool监听这个unix socket,过滤出需要的信息

除此之外,sshd-tool需要解析各个系统用户家目录下的.ssh/authorized_keys文件的内容

最终,sshd-tool提供查询服务
liming6's avatar
feature 基础代码  
liming6 committed
20
21
22
23
24 
## todo

- 适配ubuntu系统,对于Ubuntu,系统who -u中的pid是ssh日志中pid的子进程,需要处理一下
- 能查询出以前的,没有被sshd-tool记录的在线情况
liming6's avatar
feature 添加快速查找子进程的功能  
liming6 committed
25
26
27
28 
## 注意

- sftp登录在sshd日志里有记录,而who -u的输出是没有记录的
- who -u的输出里,可能有多个pid相同的数据,那是同一个ssh连接的多个虚拟终端,由于没有登录动作,所以sshd日志里没有对应的日志条目
liming6's avatar
feature 修改策略:使用sftp日志跟踪sftp上传文件动作  
liming6 committed
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58 

## auditd日志分析

tabby上传文件成功:

```
open(at) pid: 35286, ppid: 35262, open /tmp/navicat17_premium_lite_cs_x64.exe.tabby-upload, fd: 4 
-----
close pid: 35286, ppid: 35262, fd: 4 
-----
link(at): paths: [map[cap_fe:0 cap_fi:0 cap_fp:0 cap_frootid:0 cap_fver:0 dev:fc:00 inode:8126469 item:0 mode:0100644 name:/tmp/navicat17_premium_lite_cs_x64.exe.tabby-upload nametype:NORMAL ogid:0 ouid:0 rdev:00:00] map[cap_fe:0 cap_fi:0 cap_fp:0 cap_frootid:0 cap_fver:0 dev:fc:00 inode:8126465 item:1 mode:041777 name:/tmp/ nametype:PARENT ogid:0 ouid:0 rdev:00:00] map[cap_fe:0 cap_fi:0 cap_fp:0 cap_frootid:0 cap_fver:0 dev:fc:00 inode:8126469 item:2 mode:0100644 name:/tmp/navicat17_premium_lite_cs_x64.exe nametype:CREATE ogid:0 ouid:0 rdev:00:00]]
-----
unlink(at): paths: [map[cap_fe:0 cap_fi:0 cap_fp:0 cap_frootid:0 cap_fver:0 dev:fc:00 inode:8126465 item:0 mode:041777 name:/tmp/ nametype:PARENT ogid:0 ouid:0 rdev:00:00] map[cap_fe:0 cap_fi:0 cap_fp:0 cap_frootid:0 cap_fver:0 dev:fc:00 inode:8126469 item:1 mode:0100644 name:/tmp/navicat17_premium_lite_cs_x64.exe.tabby-upload nametype:DELETE ogid:0 ouid:0 rdev:00:00]]
-----
close pid: 35286, ppid: 35262, fd: 4 
```

tabby创建文件后中断

```
open(at) pid: 35286, ppid: 35262, open /tmp/Rocky-8.10-x86_64-dvd1.iso.tabby-upload, fd: 4 
-----
unlink(at): paths: [map[cap_fe:0 cap_fi:0 cap_fp:0 cap_frootid:0 cap_fver:0 dev:fc:00 inode:8126465 item:0 mode:041777 name:/tmp/ nametype:PARENT ogid:0 ouid:0 rdev:00:00] map[cap_fe:0 cap_fi:0 cap_fp:0 cap_frootid:0 cap_fver:0 dev:fc:00 inode:8126470 item:1 mode:0100644 name:/tmp/Rocky-8.10-x86_64-dvd1.iso.tabby-upload nametype:DELETE ogid:0 ouid:0 rdev:00:00]]
```

```
open(at) pid: 35286, ppid: 35262, open /tmp/AnolisOS-8.6-x86_64-dvd.iso.tabby-upload, fd: 5 
-----
unlink(at): paths: [map[cap_fe:0 cap_fi:0 cap_fp:0 cap_frootid:0 cap_fver:0 dev:fc:00 inode:8126465 item:0 mode:041777 name:/tmp/ nametype:PARENT ogid:0 ouid:0 rdev:00:00] map[cap_fe:0 cap_fi:0 cap_fp:0 cap_frootid:0 cap_fver:0 dev:fc:00 inode:8126471 item:1 mode:0100644 name:/tmp/AnolisOS-8.6-x86_64-dvd.iso.tabby-upload nametype:DELETE ogid:0 ouid:0 rdev:00:00]]
```