sudo activity
David Hoelzer edited this page May 14, 2015 · 3 revisions
This example demonstrates how to identify interesting `sudo` activity. Notice, too, that it moves to a more generalized approach: regular expressions with named captures extract the relevant fields (calling user, target user, command) rather than relying on precise column positions. While you could write these scripts either way, the regular expression approach should make them easier to share between sites whose log layouts differ.
```ruby
def checkSu
  # Commands whose use via sudo should raise an alert.
  monitoredCommands = ['passwd', '/bin/su', '/bin/bash', '/bin/sh', '/bin/csh', '/usr/bin/vi', '/usr/sbin/visudo']
  timeframe = 1.hours.ago
  relevant_events = Event.search("sudo: command", timeframe, 0, 10000000)
  # Named captures pull the calling user, the target user and the command out of the
  # sudo log line regardless of column position.
  regex = /^.*:[0-9][0-9] .* sudo: (?<user>.*) : tty .* user = (?<became>.*) ; command = (?<command>.*)$/
  puts timeframe
  users = Hash.new(0)   # per-user count of monitored commands, defaulting to 0
  relevant_events.each do |event|
    eventString = event.inspect.to_s
    fields = eventString.match(regex)
    next if fields.nil?   # skip events that are not in the expected sudo command format
    users[fields['user']] += 1 if monitoredCommands.include?(fields['command'])
  end
  puts users
  users.each do |k, v|
    criticality = 4
    matching_events = Event.search("sudo: command #{k}", timeframe, 0, 10000000)
    next if matching_events.empty?   # nothing to attach an alert to
    Alert.genericAlert(system_id: matching_events[0].system_id,
                       description: "#{k} used sudo to escalate privileges using monitored commands.",
                       short_description: "Monitored sudo activity: #{k}",
                       criticality: criticality,
                       events: matching_events)
  end
end
checkSu
```
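The extraction and counting logic above, as an added stand-alone example that is not part of the wiki script: it runs the same named-capture regex over constructed log lines (not real captures) without the `Event`/`Alert` API, and it goes one step further by comparing only the program path, so that a monitored command run with arguments (for example `/bin/su -`) is still counted, which the exact-string comparison in the script would miss.

```ruby
# Same monitored list as the wiki script.
MONITORED_COMMANDS = ['passwd', '/bin/su', '/bin/bash', '/bin/sh', '/bin/csh',
                      '/usr/bin/vi', '/usr/sbin/visudo'].freeze

# Same named-capture pattern as the wiki script; named captures make the parser
# independent of column positions, so hostnames and timestamps may vary between sites.
SUDO_REGEX = /^.*:[0-9][0-9] .* sudo: (?<user>.*) : tty .* user = (?<became>.*) ; command = (?<command>.*)$/

# Constructed sample lines in the layout the regex expects (not real captured logs).
SAMPLE_LINES = [
  "May 14 09:12:01 host1 sudo: alice : tty = pts/0 ; pwd = /home/alice ; user = root ; command = /bin/su",
  "May 14 09:12:45 host1 sudo: alice : tty = pts/0 ; pwd = /home/alice ; user = root ; command = /usr/bin/apt-get update",
  "May 14 09:13:10 host2 sudo: bob : tty = pts/1 ; pwd = /tmp ; user = root ; command = /usr/sbin/visudo",
  "May 14 09:13:30 host2 sudo: bob : tty = pts/1 ; pwd = /tmp ; user = root ; command = /bin/bash -c id",
  "May 14 09:14:02 host3 sudo: pam_unix(sudo:session): session opened for user root by carol(uid=0)",
  "May 14 09:15:00 host3 sudo: carol : tty = pts/2 ; pwd = /home/carol ; user = root ; command = /bin/ls -la /root",
].freeze

# Parse one line; returns a Hash of captures, or nil when the line is not a sudo command record
# (session open/close lines from pam_unix, for instance, carry no command).
def parse_sudo_line(line)
  m = SUDO_REGEX.match(line)
  return nil if m.nil?
  { user: m['user'], became: m['became'], command: m['command'].strip }
end

# Count, per calling user, how many sudo invocations ran a monitored program.
# Only the first token of the command (the program path) is compared, so
# "/bin/bash -c id" counts while "/bin/ls -la /root" does not.
def monitored_sudo_counts(lines, monitored = MONITORED_COMMANDS)
  counts = Hash.new(0)
  lines.each do |line|
    fields = parse_sudo_line(line)
    next if fields.nil?
    program = fields[:command].split(' ').first
    counts[fields[:user]] += 1 if monitored.include?(program)
  end
  counts
end

puts monitored_sudo_counts(SAMPLE_LINES).inspect   # {"alice"=>1, "bob"=>2}
```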