Recalling the previous section
OK, let us continue improving on the step above. We have successfully connected to the target host through the bastion host.
Now we want to monitor what the operations and maintenance (ops) staff do on the hosts.
Keep in mind that when we connect to a host over ssh through the bastion host, the bastion host already holds the specific information about that user: the username, the password, and the hosts they manage.
Linux has the strace command, which can capture every system call a process makes.
So first of all we need to know which process our program runs in.
We then find our program with ps -ef.
The parent process is 2504, the ssh command through which we made the remote connection.
Now we run strace -f -p 2504 -o ssh.log
to monitor this process, then type some commands over the connection to the host through the bastion host.
Then we open ssh.log; this file contains the commands we typed.
Now we write a .py file that extracts the commands entered by the ops staff; this file goes under backend.
#_*_coding:utf-8_*_

class AuditLogHandler(object):
    '''analyze the strace audit log'''
    def __init__(self, log_file):
        self.log_file_obj = self._get_file(log_file)

    def _get_file(self, log_file):
        return open(log_file)

    def parse(self):
        cmd_list = []
        cmd_str = ''
        catch_write5_flag = False  # set when the next write(5) carries tab-completion / history text
        for line in self.log_file_obj:
            line = line.split()
            try:
                pid, time_clock, io_call, char = line[0:4]
                if io_call.startswith('read(4'):  # keystrokes typed by the user
                    if char == '"\\177",':  # backspace
                        char = '[1<-del]'
                    if char == '"\\33OB",':  # down arrow in vim
                        char = '[down 1]'
                    if char == '"\\33OA",':  # up arrow in vim
                        char = '[up 1]'
                    if char == '"\\33OC",':  # right arrow in vim
                        char = '[->1]'
                    if char == '"\\33OD",':  # left arrow in vim
                        char = '[1<-]'
                    if char == '"\\33[2;2R",':  # terminal reply when entering vim, not user input
                        continue
                    if char == '"\\33[>1;95;0c",':  # terminal reply when entering vim
                        char = '[----enter vim mode-----]'
                    if char == '"\\33[A",':  # command line up arrow
                        char = '[up 1]'
                        catch_write5_flag = True  # the recalled history command is echoed on write(5)
                    if char == '"\\33[B",':  # command line down arrow
                        char = '[down 1]'
                        catch_write5_flag = True  # the recalled history command is echoed on write(5)
                    if char == '"\\33[C",':  # command line right arrow
                        char = '[->1]'
                    if char == '"\\33[D",':  # command line left arrow
                        char = '[1<-]'
                    if char == '"\\t",':  # tab: the completed text is echoed on write(5)
                        catch_write5_flag = True
                        continue
                    if char == '"\\r",':  # enter: one command is complete
                        cmd_list.append([time_clock, cmd_str])
                        cmd_str = ''  # reset
                        continue
                    if char == '"':  # space: split() leaves only the opening quote
                        cmd_str += ' '
                        continue
                    cmd_str += char.strip('"",')
                if catch_write5_flag and io_call.startswith('write(5'):  # text echoed back by the remote shell
                    if char == '"\\7",':  # bell: nothing was completed, not a character
                        pass
                    else:
                        cmd_str += char.strip('"",')
                        catch_write5_flag = False
            except ValueError as e:
                print("\033[031;1mSession log record err, please contact your IT admin,\033[0m", e)
        for cmd in cmd_list:
            print(cmd)
        return cmd_list

if __name__ == "__main__":
    parser = AuditLogHandler('ssh.log')
    parser.parse()
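The parser above assumes that every read(4) holds exactly one keystroke, and it records a backspace as an annotation rather than applying it. The added example below (not code from the original post) parses the same strace output with a regex, decodes strace's C-style escapes, replays the keystrokes so that backspaces and pasted multi-character reads produce the command the remote shell actually saw, and annotates escape sequences, tabs and control keys. It assumes, like the post, that the user's keystrokes arrive on fd 4; the sample log lines are constructed, not real captured output.

```python
import codecs
import re

# One strace line of the form the post's parser expects:
#   <pid> <epoch.usec> read(<fd>, "<c-escaped bytes>", <len>) = <n>
# pid and timestamp are optional so that both `strace -p` and `strace -f -ttt -p`
# output (the two forms used on this page) are accepted.
READ_RE = re.compile(
    r'^(?:(?P<pid>\d+)\s+)?(?:(?P<ts>\d+\.\d+)\s+)?'
    r'read\((?P<fd>\d+),\s*"(?P<data>(?:[^"\\]|\\.)*)",\s*\d+\)\s*=\s*(?P<ret>-?\d+)'
)

def parse_read_line(line):
    """Return (timestamp, fd, decoded_text) for a successful read() line, else None."""
    m = READ_RE.match(line)
    if not m or int(m.group('ret')) <= 0:
        return None
    # strace prints non-printables as C escapes (\r, \t, \177, \33); Python's
    # unicode_escape codec understands the same octal and letter escapes.
    data = codecs.decode(m.group('data'), 'unicode_escape')
    return m.group('ts'), int(m.group('fd')), data

def _consume_escape(data, i):
    """data[i] is ESC; return (sequence without the ESC, index just after it)."""
    j = i + 1
    if j < len(data) and data[j] == '[':            # CSI: ESC [ params final-byte
        j += 1
        while j < len(data) and not ('@' <= data[j] <= '~'):
            j += 1
        j += 1
    elif j < len(data) and data[j] == 'O':          # SS3: ESC O final-byte (vim arrows)
        j += 2
    else:
        j += 1
    j = min(j, len(data))
    return data[i + 1:j], j

def keystrokes_to_commands(events):
    """Replay decoded terminal input into the command lines the user submitted.

    events: iterable of (timestamp, text).  Backspace deletes the previous
    character instead of being annotated, so 'lsx<DEL> -la' is recorded as the
    'ls -la' the remote shell actually received.  Each command is stamped with
    the time of the Enter keystroke, as the post's parser does.
    """
    commands, buf = [], []
    for ts, data in events:
        i = 0
        while i < len(data):
            ch = data[i]
            if ch == '\x1b':
                seq, i = _consume_escape(data, i)
                buf.append('<esc:%s>' % seq)   # arrows, history recall, etc.
                continue
            i += 1
            if ch in ('\x7f', '\x08'):
                if buf:
                    buf.pop()
            elif ch in ('\r', '\n'):
                commands.append((ts, ''.join(buf)))
                buf = []
            elif ch == '\t':
                buf.append('<tab>')            # completion text comes back on write(5)
            elif ch < ' ':
                buf.append('<^%s>' % chr(ord(ch) + 64))   # e.g. Ctrl-C -> <^C>
            else:
                buf.append(ch)
    return commands

def parse_strace_log(lines, fd=4):
    """Extract the submitted commands from strace output, keystrokes read on `fd`."""
    events = []
    for line in lines:
        parsed = parse_read_line(line)
        if parsed and parsed[1] == fd:
            events.append((parsed[0], parsed[2]))
    return keystrokes_to_commands(events)

# Constructed sample in `strace -f -ttt` format (not real captured output):
# a typo corrected with backspace, a pasted fragment, tab completion and an
# up-arrow history recall.
SAMPLE_LOG = r"""
2504 1700000000.100000 read(4, "l", 16384) = 1
2504 1700000000.200000 read(4, "s", 16384) = 1
2504 1700000000.300000 read(4, "x", 16384) = 1
2504 1700000000.400000 read(4, "\177", 16384) = 1
2504 1700000000.500000 read(4, " -la\r", 16384) = 5
2504 1700000001.000000 write(5, "ls -la\r\n", 8) = 8
2504 1700000002.000000 read(4, "cat /var/log/sys", 16384) = 16
2504 1700000002.100000 read(4, "\t", 16384) = 1
2504 1700000002.200000 read(4, "\r", 16384) = 1
2504 1700000003.000000 read(4, "\33[A", 16384) = 3
2504 1700000003.100000 read(4, "\r", 16384) = 1
""".strip().splitlines()

if __name__ == '__main__':
    for ts, cmd in parse_strace_log(SAMPLE_LOG):
        print(ts, repr(cmd))
```

Run against a real ssh.log with `parse_strace_log(open('ssh.log'))`. The annotations for tab and the up arrow show where the recorded text differs from what the shell executed; recovering that text needs the write(5) echo, which the post's parser handles with catch_write5_flag.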
So far we have not found any problem with it, emmmmm.
Haha, now we can record the commands the ops staff enter and the time they entered them, but we do not know who entered each command. How do we handle that?
Our recording works by finding the process and recording its operations.
We know that whenever a user connects to a machine through the bastion host, a process is spawned; we can analyze this process to determine which ops user is connected.
OK, so let us go through how to analyze a process to determine which ops user is connected.
When we make the ssh remote connection to a host, we give the ssh connection an extra identifier.
Then we analyze the identifier to determine which ops user the connection belongs to.
To do this I need to modify the ssh source code as follows.
I opened ssh.c in OpenSSH.
OK, -Z asdf is our identifier, haha. Remember that you must install two Ubuntu virtual machines; otherwise, when the machine connects to itself, the identifier has no effect.
Now we add the identifier to our user_loginPoint.py.
Then, after a successful login through the bastion host, we can find our account's identifier.
Now we have this identifier.
We then write a shell program to detect the identifier.
#!/bin/bash
#echo #print
#echo $1 $2
md5_str=$1   # the session identifier passed to ssh with -Z

# poll for up to 30 seconds until the tagged ssh process appears
for i in $(seq 1 30);do
    # find the ssh process carrying the identifier, excluding this script, grep and sshpass
    ssh_pid=`ps -ef |grep $md5_str |grep -v grep |grep -v session_tracker.sh|grep -v sshpass |awk '{print $2}'`
    echo "ssh session pid:$ssh_pid"
    if [ "$ssh_pid" = "" ];then
        sleep 1
        continue
    else
        today=`date "+%Y_%m_%d"`
        today_audit_dir="logs/audit/$today"
        echo "today_audit_dir: $today_audit_dir"
        if [ -d $today_audit_dir ]
        then
            echo " ----start tracking log---- "
        else
            echo "dir not exist"
            echo " today dir: $today_audit_dir"
            sudo mkdir -p $today_audit_dir
        fi;
        # attach strace to the ssh process and write the session log named after the identifier
        echo 123 | sudo -S /usr/bin/strace -ttt -p $ssh_pid -o "$today_audit_dir/$md5_str.log"
        break
    fi;
done;
Configure the path to this script in settings.
Then configure a directory to store the logs.
Then call it from user_loginPoint.py.
Place this file in the backend directory.
Let us sort out how this program executes.
Switch to the root account.
vim /etc/sudoers
If you do not know the root password, you can enter single-user mode on Ubuntu to change it.
Now, when ops staff log in to the bastion host and operate on a host, we can record what they do.
But right now all we can see in the log is the time and the operation commands; there is no bastion host user and no target host. We already have the bastion host user and the host in user_loginPoint.
First, we create a table in the database to store the session.
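Since the tracker is called from user_loginPoint.py anyway, the same steps (generate an identifier, find the tagged ssh process while excluding our own helper processes, create the dated log directory, attach strace) can be done in Python. The block below is an added example, not the project's code. It assumes the patched ssh accepts an arbitrary string after -Z, and that a sudoers rule lets this user run /usr/bin/strace without a password (sudo -n fails instead of hanging when the rule is missing). The ps listing used for the test is constructed.

```python
import datetime
import os
import secrets
import subprocess
import time

def make_session_tag():
    """A random per-login tag to pass to the patched ssh as `-Z <tag>`.

    Assumption: -Z accepts any string.  32 hex characters will not collide
    with the command line of an unrelated process.
    """
    return secrets.token_hex(16)

# Processes that merely mention the tag (our own grep/tracker, sshpass, an
# already-attached strace) must be skipped, as the shell script does with grep -v.
EXCLUDE = ('grep', 'session_tracker', 'sshpass', 'strace')

def find_tagged_pid(ps_lines, tag, exclude=EXCLUDE):
    """ps_lines: output of `ps -eo pid,args`, header row first.

    Returns the pid of the first process whose command line contains the tag
    and none of the excluded words, or None.
    """
    for line in ps_lines[1:]:
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        pid, args = parts
        if tag in args and not any(word in args for word in exclude):
            return int(pid)
    return None

def audit_log_path(tag, base='logs/audit', today=None):
    """logs/audit/YYYY_MM_DD/<tag>.log, the layout used by the shell script."""
    if today is None:
        today = datetime.date.today()
    elif isinstance(today, str):
        today = datetime.date.fromisoformat(today)
    return os.path.join(base, today.strftime('%Y_%m_%d'), tag + '.log')

def track_session(tag, timeout=30, poll=1.0):
    """Poll for the tagged ssh process and attach strace to it.

    Returns the Popen handle of the running strace, or None if the ssh
    process did not appear within `timeout` polls.
    """
    for _ in range(timeout):
        ps = subprocess.run(['ps', '-eo', 'pid,args'], capture_output=True,
                            text=True, check=True).stdout.splitlines()
        pid = find_tagged_pid(ps, tag)
        if pid is None:
            time.sleep(poll)
            continue
        path = audit_log_path(tag)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        # -n: never prompt for a password; a missing sudoers rule is an error,
        # not a hang.  Only read/write are traced, which is all the parser needs.
        return subprocess.Popen(['sudo', '-n', '/usr/bin/strace', '-f', '-ttt',
                                 '-e', 'trace=read,write',
                                 '-p', str(pid), '-o', path])
    return None

# Constructed `ps -eo pid,args` listing (not real output); the helper
# processes come first to show that they are skipped.
SAMPLE_TAG = '3f2a9c1e4b7d8a6f0e5c2b9d7a1f4e8c'
SAMPLE_PS = [
    '  PID COMMAND',
    '    1 /sbin/init',
    ' 2601 /bin/bash session_tracker.sh ' + SAMPLE_TAG,
    ' 2602 grep ' + SAMPLE_TAG,
    ' 2504 ssh -Z ' + SAMPLE_TAG + ' ops@10.0.0.5',
]

if __name__ == '__main__':
    print(find_tagged_pid(SAMPLE_PS, SAMPLE_TAG))
    print(audit_log_path(SAMPLE_TAG, today='2020-01-02'))
```

In user_loginPoint.py the flow would be: tag = make_session_tag(), launch ssh with `-Z tag`, then call track_session(tag) in a thread so the login is not blocked while the tracker polls.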
from django.db import models

class SessionLog(models.Model):
    """store session log"""
    user = models.ForeignKey("UserProfile", on_delete=models.CASCADE)  # the bastion host user
    bind_host = models.ForeignKey("BindHost", on_delete=models.CASCADE)  # the host they connected to
    session_tag = models.CharField(max_length=128)  # the identifier passed to ssh with -Z; also the log file name
    date = models.DateTimeField(auto_now_add=True)

    def __str__(self):
        return self.session_tag
Then, in user_loginPoint.py, we create and store the session.
Remember the path configured in settings.
Then improve the shell script written earlier.
I also copied this from the Internet for free and do not really understand it.
After installing all of this on our Linux machine you will find
that many commands cannot be executed, because some commands do not have enough permissions.
For example, mkdir in the shell script: you need to configure permissions, since creating directories with sudo mkdir requires them.
Change the owner of the directory to the user eat_bee_dung.
Now we run our Python application and it works.