A proof-of-concept (PoC) SystemTap TTY tracker that reports TTY creation and allows filtering out known-good processes.
#! /usr/bin/env stap
// Keys are process names (as returned by execname()) whose TTY creations are
// not reported. The value is a statistics aggregate: every "<<< 1" counts one
// TTY created by that process, so the array doubles as a per-process counter.
global allowed_ttys;
// Seed the allow-list before any tty.init event can fire, then announce start.
// Each entry is initialised with one sample so the key exists in allowed_ttys.
probe begin
{
    allowed_ttys["sshd"] <<< 1;
    // execname() is limited to 15 characters, hence the truncated helper name.
    allowed_ttys["gnome-pty-helpe"] <<< 1;
    println("Tracking spawned TTYs...");
}
// Returns 0 when proc_to_check matches a key of allowed_ttys, 1 otherwise.
// Note the inverted convention: 0 means "allowed" (callers test "== 0").
// The comparison is an exact string match against the (at most 15-character)
// execname() value, so keys must be stored in that truncated form.
function is_allowed(proc_to_check)
{
    foreach (known in allowed_ttys)
    {
        if (known == proc_to_check)
            return 0;
    }
    return 1;
}
// Fires on every TTY initialisation. Unknown creators are printed as one line
// (time, uid, process name, pid); known creators only bump their counter.
// NOTE(review): execname() is the task's comm name, which the process itself
// controls, so this allow-list is a noise filter, not an authorisation boundary;
// treat matches as "probably benign", not "verified".
probe tty.init
{
    creator = execname();
    if (is_allowed(creator) != 0)
    {
        // Report: timestamp, owning uid, process name, pid.
        printf("%15s %5d %20s %5d \n", ctime(gettimeofday_s()), uid(), creator, pid());
    }
    else
    {
        // Known-good creator: count this TTY creation for later inspection.
        allowed_ttys[creator] <<< 1;
    }
}
// Runs when the script is stopped (e.g. Ctrl-C); prints a final marker line.
probe end
{
    printf("Done!\n");
}