cstayyab/spy_ssh_sessions.lua

## spy_ssh_sessions.lua
-- Chisel description
description = "Track SSH Session activity";
short_description = "Track SSH SESSIONS activity";
category = "Security";

-- Chisel argument list
args =
{
	{
		name = "max_depth",
		description = "the maximum depth to show in the hierarchy of processes",
		argtype = "int",
		optional = true
	},
	{
		name = "disable_color",
		description = "Set to 'disable_colors' if you want to disable color output",
		argtype = "string",
		optional = true
	},
}

require "common"
terminal = require "ansiterminal"
terminal.enable_color(true)

MAX_ANCESTOR_NAVIGATION = 16
max_depth = -1

-- Argument notification callback
function on_set_arg(name, val)
	if name == "max_depth" then
		max_depth = parse_numeric_input(val, name)
	elseif name == "disable_color" and val == "disable_color" then
		terminal.enable_color(false)
	end

	return true
end

-- Initialize Callback
function on_init()

	sysdig.set_snaplen(2000)

	-- Request the fields needed for this chisel
	fetype = chisel.request_field("evt.type")
	fexe = chisel.request_field("proc.exe")
	fproc = chisel.request_field("proc.name")
	fargs = chisel.request_field("proc.args")
	fdir = chisel.request_field("evt.arg.path")
	fuser = chisel.request_field("user.name")
	fdtime = chisel.request_field("evt.time.s")
	fpid = chisel.request_field("proc.pid")
	fppid = chisel.request_field("proc.ppid")
	fppname = chisel.request_field("proc.pname");
	fsid = chisel.request_field("proc.sid")
	ffname = chisel.request_field("fd.name")
	ffilename = chisel.request_field("fd.filename")
	fargdata = chisel.request_field("evt.arg.data")
	fapid = chisel.request_field("proc.apid[2]")
	fanames = {}
	fapids = {}
	sfilter = "(fd.name startswith /run/systemd/sessions/ and not fd.filename startswith \".#\" and not fd.filename startswith c and evt.arg.data contains \"REMOTE=1\")"
	bfilter = "(evt.type=execve)"
	cfilter = "(((evt.type=execve and evt.dir=<) or (evt.type=chdir and evt.dir=< and proc.name contains sh and not proc.name contains sshd)) and evt.failed=false)"
	chisel.set_filter(sfilter .. " or " .. bfilter .. " or " .. cfilter)

	for j = 0, MAX_ANCESTOR_NAVIGATION do
		fanames[j] = chisel.request_field("proc.aname[" .. j .. "]")
		fapids[j] = chisel.request_field("proc.apid[" .. j .. "]")
	end

	return true
end

process_tree = {}
sessions = {}
files = {}


function table.print(t)
	print("{\n")
	for k,v in pairs(t) do
		print(k .. " : " .. v .. "\n")
	end
	print("}\n")
end


-- Event parsing callback
function on_event()
	local color = ""

	local etype = evt.field(fetype)
	local user = evt.field(fuser)
	local dtime = evt.field(fdtime)
	local pid = evt.field(fpid)
	local ppid = evt.field(fppid)
	local ischdir = evt.field(fetype) == "chdir"
	local containername = evt.field(fcontainername)
	local containerid = evt.field(fcontainerid)
	local sid=evt.field(fsid)
	local dir=evt.field(fdir)
	local proc = evt.field(fproc)
	local fname = evt.field(ffname)
	local filename = evt.field(ffilename)
	local argdata = evt.field(fargdata)
	local exe = evt.field(fexe)
	local apid = evt.field(fapid)
	local ppname = evt.field(fppname);
	local aname
	local icorr = 1

	if(etype=="execve" and exe == "-bash" and ppname == "sshd") then
		for k,v in pairs(sessions) do
			--print(v["LEADER"] .. "  " .. apid)
			if(v["LEADER"]==tonumber(apid)) then
				sessions[k]["BASH"] = tonumber(pid)
				--print("Session " .. k .. " User=" .. v["USER"] .. " IP=" .. v["REMOTE_HOST"])
				print(terminal.red .. "New session " .. k  ..  " started for user (".. sessions[k]["USER"].. ") from IP " .. sessions[k]["REMOTE_HOST"] .. " SHELL ID: " .. sessions[k]["BASH"] .. terminal.reset)
				break
			end
		end
	else
		if (sessions[filename] == nil and tonumber(filename) ~= nil and io.open(fname,"r") ~= nil) then
			local session = get_session_attr(fname)
			sessions[filename] = session
	    --[[elseif (sessions[filename] ~= nil and tonumber(filename) ~= nil and io.open(fname,"r") ~= nil) then
			local update = get_session_attr(fname)
			if(update["STATE"]=="CLOSING")  then
				sessions[filename]=nil
				print("Session " .. filename .. " closed by user(".. update["USER"]  ..") from IP " .. update["REMOTE_HOST"] .. " SHELL ID: " .. sessions[k]["BASH"])
			end--]]

		end
	end

	-- Traking user sessions activity

	if ischdir then
		ppid = pid
		table.insert(fanames, 0, 0)
		table.insert(fapids, 0, 0)
		icorr = 0
	end

	local belongsto
	for k,v in pairs(sessions) do
		if v["BASH"]~=nil and tonumber(sid)==tonumber(v["BASH"]) then
			belongsto = v
			break
		end
	end
	local remoteip
	if belongsto~=nil then
		user=belongsto["USER"]
		remoteip=belongsto["REMOTE_HOST"]
		if not process_tree[ppid] then
			-- No parent pid in the table yet.
			-- Add one and make sure that there's a shell among the ancestors
			process_tree[ppid] = {-1}

			for j = 1, MAX_ANCESTOR_NAVIGATION do
				aname = evt.field(fanames[j])

				if aname == nil then
					if evt.field(fapids[j]) == nil then
						-- no shell in the ancestor list, hide this command
						break
					end
				elseif string.len(aname) >= 2 and aname:sub(-2) == "sh" then
					apid = evt.field(fapids[j])
					if process_tree[apid] then
						process_tree[ppid] = {j - 1, apid}
					else
						process_tree[ppid] = {0, apid}
					end
				end
			end
		end
		if process_tree[ppid][1] == -1 then
			-- the parent process has already been detected as NOT having a shell ancestor
			return true
		end

		if not process_tree[pid] then
			process_tree[pid] = {1 + process_tree[ppid][1], process_tree[ppid][2]}
		end


		if ischdir then

			if max_depth ~= -1 then
				if process_tree[pid][1] - icorr > max_depth then
					return true
				end
			end

			-- The -pc or -pcontainer options was supplied on the cmd line
			if  print_container then

				-- No support of containers added yet

			else

				print(color ..
					  extend_string("", 4 * (process_tree[pid][1] - icorr)) .. process_tree[pid][2] .. " " ..
					  dtime .. " " .. remoteip .. "(" ..
					  user .. ") cd " ..
					  evt.field(fdir))

			end
		else
			if max_depth ~= -1 then
				if process_tree[pid][1] - 1 > max_depth then
					return true
				end
			end

			-- The -pc or -pcontainer options was supplied on the cmd line
			if  print_container then

				-- No support for container added yet
			else

				print(color ..
					  extend_string("", 3 * (process_tree[pid][1] - 1)) .. process_tree[pid][2] .. " " .. dtime .. " " .. remoteip .. " (" ..  user ..") " .. evt.field(fexe) .. " " .. evt.field(fargs))

			end
		end
	end


	-- Tracking activity ends here


	return true
end

-- Get an attribute of ssh session
function get_session_attr(filename)
	attrs = {}
	local f = io.open(filename)
	while true do
		line = f:read()
		if line == nil then break end
		if not line:match "^#" then
			local attr = split(line,"=")
			if(tonumber(attr[2])~=nil) then
				attrs[attr[1]]=tonumber(attr[2])
			else
				attrs[attr[1]]=attr[2]
			end
		end
	end
	return attrs
end


-- Called by the engine at the end of the capture (Ctrl-C)
function on_capture_end()
	print(terminal.reset)
end
	-- Chisel description
	description = "Track SSH Session activity";
	short_description = "Track SSH SESSIONS activity";
	category = "Security";

	-- Chisel argument list
	args =
	{
	{
	name = "max_depth",
	description = "the maximum depth to show in the hierarchy of processes",
	argtype = "int",
	optional = true
	},
	{
	name = "disable_color",
	description = "Set to 'disable_colors' if you want to disable color output",
	argtype = "string",
	optional = true
	},
	}

	require "common"
	terminal = require "ansiterminal"
	terminal.enable_color(true)

	MAX_ANCESTOR_NAVIGATION = 16
	max_depth = -1

	-- Argument notification callback
	function on_set_arg(name, val)
	if name == "max_depth" then
	max_depth = parse_numeric_input(val, name)
	elseif name == "disable_color" and val == "disable_color" then
	terminal.enable_color(false)
	end

	return true
	end

	-- Initialize Callback
	function on_init()

	sysdig.set_snaplen(2000)

	-- Request the fields needed for this chisel
	fetype = chisel.request_field("evt.type")
	fexe = chisel.request_field("proc.exe")
	fproc = chisel.request_field("proc.name")
	fargs = chisel.request_field("proc.args")
	fdir = chisel.request_field("evt.arg.path")
	fuser = chisel.request_field("user.name")
	fdtime = chisel.request_field("evt.time.s")
	fpid = chisel.request_field("proc.pid")
	fppid = chisel.request_field("proc.ppid")
	fppname = chisel.request_field("proc.pname");
	fsid = chisel.request_field("proc.sid")
	ffname = chisel.request_field("fd.name")
	ffilename = chisel.request_field("fd.filename")
	fargdata = chisel.request_field("evt.arg.data")
	fapid = chisel.request_field("proc.apid[2]")
	fanames = {}
	fapids = {}
	sfilter = "(fd.name startswith /run/systemd/sessions/ and not fd.filename startswith \".#\" and not fd.filename startswith c and evt.arg.data contains \"REMOTE=1\")"
	bfilter = "(evt.type=execve)"
	cfilter = "(((evt.type=execve and evt.dir=<) or (evt.type=chdir and evt.dir=< and proc.name contains sh and not proc.name contains sshd)) and evt.failed=false)"
	chisel.set_filter(sfilter .. " or " .. bfilter .. " or " .. cfilter)

	for j = 0, MAX_ANCESTOR_NAVIGATION do
	fanames[j] = chisel.request_field("proc.aname[" .. j .. "]")
	fapids[j] = chisel.request_field("proc.apid[" .. j .. "]")
	end

	return true
	end

	process_tree = {}
	sessions = {}
	files = {}


	function table.print(t)
	print("{\n")
	for k,v in pairs(t) do
	print(k .. " : " .. v .. "\n")
	end
	print("}\n")
	end


	-- Event parsing callback
	function on_event()
	local color = ""

	local etype = evt.field(fetype)
	local user = evt.field(fuser)
	local dtime = evt.field(fdtime)
	local pid = evt.field(fpid)
	local ppid = evt.field(fppid)
	local ischdir = evt.field(fetype) == "chdir"
	local containername = evt.field(fcontainername)
	local containerid = evt.field(fcontainerid)
	local sid=evt.field(fsid)
	local dir=evt.field(fdir)
	local proc = evt.field(fproc)
	local fname = evt.field(ffname)
	local filename = evt.field(ffilename)
	local argdata = evt.field(fargdata)
	local exe = evt.field(fexe)
	local apid = evt.field(fapid)
	local ppname = evt.field(fppname);
	local aname
	local icorr = 1

	if(etype=="execve" and exe == "-bash" and ppname == "sshd") then
	for k,v in pairs(sessions) do
	--print(v["LEADER"] .. " " .. apid)
	if(v["LEADER"]==tonumber(apid)) then
	sessions[k]["BASH"] = tonumber(pid)
	--print("Session " .. k .. " User=" .. v["USER"] .. " IP=" .. v["REMOTE_HOST"])
	print(terminal.red .. "New session " .. k .. " started for user (".. sessions[k]["USER"].. ") from IP " .. sessions[k]["REMOTE_HOST"] .. " SHELL ID: " .. sessions[k]["BASH"] .. terminal.reset)
	break
	end
	end
	else
	if (sessions[filename] == nil and tonumber(filename) ~= nil and io.open(fname,"r") ~= nil) then
	local session = get_session_attr(fname)
	sessions[filename] = session
	--[[elseif (sessions[filename] ~= nil and tonumber(filename) ~= nil and io.open(fname,"r") ~= nil) then
	local update = get_session_attr(fname)
	if(update["STATE"]=="CLOSING") then
	sessions[filename]=nil
	print("Session " .. filename .. " closed by user(".. update["USER"] ..") from IP " .. update["REMOTE_HOST"] .. " SHELL ID: " .. sessions[k]["BASH"])
	end--]]

	end
	end

	-- Traking user sessions activity

	if ischdir then
	ppid = pid
	table.insert(fanames, 0, 0)
	table.insert(fapids, 0, 0)
	icorr = 0
	end

	local belongsto
	for k,v in pairs(sessions) do
	if v["BASH"]~=nil and tonumber(sid)==tonumber(v["BASH"]) then
	belongsto = v
	break
	end
	end
	local remoteip
	if belongsto~=nil then
	user=belongsto["USER"]
	remoteip=belongsto["REMOTE_HOST"]
	if not process_tree[ppid] then
	-- No parent pid in the table yet.
	-- Add one and make sure that there's a shell among the ancestors
	process_tree[ppid] = {-1}

	for j = 1, MAX_ANCESTOR_NAVIGATION do
	aname = evt.field(fanames[j])

	if aname == nil then
	if evt.field(fapids[j]) == nil then
	-- no shell in the ancestor list, hide this command
	break
	end
	elseif string.len(aname) >= 2 and aname:sub(-2) == "sh" then
	apid = evt.field(fapids[j])
	if process_tree[apid] then
	process_tree[ppid] = {j - 1, apid}
	else
	process_tree[ppid] = {0, apid}
	end
	end
	end
	end
	if process_tree[ppid][1] == -1 then
	-- the parent process has already been detected as NOT having a shell ancestor
	return true
	end

	if not process_tree[pid] then
	process_tree[pid] = {1 + process_tree[ppid][1], process_tree[ppid][2]}
	end


	if ischdir then

	if max_depth ~= -1 then
	if process_tree[pid][1] - icorr > max_depth then
	return true
	end
	end

	-- The -pc or -pcontainer options was supplied on the cmd line
	if print_container then

	-- No support of containers added yet

	else

	print(color ..
	extend_string("", 4 * (process_tree[pid][1] - icorr)) .. process_tree[pid][2] .. " " ..
	dtime .. " " .. remoteip .. "(" ..
	user .. ") cd " ..
	evt.field(fdir))

	end
	else
	if max_depth ~= -1 then
	if process_tree[pid][1] - 1 > max_depth then
	return true
	end
	end

	-- The -pc or -pcontainer options was supplied on the cmd line
	if print_container then

	-- No support for container added yet
	else

	print(color ..
	extend_string("", 3 * (process_tree[pid][1] - 1)) .. process_tree[pid][2] .. " " .. dtime .. " " .. remoteip .. " (" .. user ..") " .. evt.field(fexe) .. " " .. evt.field(fargs))

	end
	end
	end



	-- Tracking activity ends here


	return true
	end

	-- Get an attribute of ssh session
	function get_session_attr(filename)
	attrs = {}
	local f = io.open(filename)
	while true do
	line = f:read()
	if line == nil then break end
	if not line:match "^#" then
	local attr = split(line,"=")
	if(tonumber(attr[2])~=nil) then
	attrs[attr[1]]=tonumber(attr[2])
	else
	attrs[attr[1]]=attr[2]
	end
	end
	end
	return attrs
	end


	-- Called by the engine at the end of the capture (Ctrl-C)
	function on_capture_end()
	print(terminal.reset)
	end