Monitor 0-access recorded sessions via text search #147

0xIslamTaha · 2018-01-24T11:32:21Z

Detailed description

As 0-access record all ssh sessions (as long as the user use it to login), we need a new feature to be able to analyze these sessions and raise an error in case of there is a malicious code or a backdoor.

what this healthcheck does?

It should raise an error if there is a new key added to the /root/.ssh/authorized_keys or /home/*/.ssh/authorized_keys.
It should fix (rollback) these authorized_keys files.
It should monitor /etc/passwd and raise an error in case of someone add a new user there.
It should fix (rollback) this /etc/passwd.
It should raise an error if there any ssh session except 0-access ones, and a warning for any ssh session
It should raise an error if following commands are used:
- rm -rf
- shutdown
It should raise an error if there is a connection for a port > 1000 (it migh be mining script)

The text was updated successfully, but these errors were encountered:

0xIslamTaha added the type_feature label Jan 24, 2018

0xIslamTaha changed the title ~~Monitor ssh sessions using the healthcheck~~ Monitor 0-access recorded sessions via text search Jan 24, 2018

FastGeert added this to the 2.5 milestone Jan 26, 2018

grimpy assigned ashraffouda and katia-e and unassigned ashraffouda and katia-e Aug 9, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Monitor 0-access recorded sessions via text search #147

Monitor 0-access recorded sessions via text search #147

0xIslamTaha commented Jan 24, 2018 •

edited

Loading

Monitor 0-access recorded sessions via text search #147

Monitor 0-access recorded sessions via text search #147

Comments

0xIslamTaha commented Jan 24, 2018 • edited Loading

Detailed description

0xIslamTaha commented Jan 24, 2018 •

edited

Loading