

change
YosfanEilay committed Feb 4, 2024
1 parent 194ae10 commit c9a0430
Showing 1 changed file with 99 additions and 70 deletions.
169 changes: 99 additions & 70 deletions 02-LogModules/Auth.Log/03-Features/07-sudoActivity.ps1
@@ -1,87 +1,116 @@
# Hashtable for successful SSH
$ElevatedActivitys_HT = @{
"Session_Opened_For" = @()
"ElevatedCommands" = @()
}
"Session_Opened_For" = @()
"ElevatedCommands" = @()
}

# variable to get auth.log copy content.
$AuthLogCopyContent = Get-Content "$RunningPath\02-LogModules\Auth.Log\01-LogCopy\Auth.Log.Parser.Copy.txt"

# Foreach loop to iterate through lines of the auth.log file.
foreach ($SingleLine in $AuthLogCopyContent) {

# Variable to store the catches
$Elevated_Sessions_Opened = $SingleLine | Select-String -Pattern ".*sudo\: pam_unix\(sudo\:session\)\: session opened for user.*"

# Check if the line matches the pattern
if ($Elevated_Sessions_Opened) {

# Split $ElevatedActivity line into words
$Words = $Elevated_Sessions_Opened -split ' '

# name the words in a new variable
$Month = $Words[0]
$Day = $Words[1]
$Time = $Words[2]
$Session_Opened_For = $Words[10] -replace '\(.*',''
$Session_Opened_By = $Words[12] -replace '\(.*',''

# save the complte result in a variable
$Elevated_Sessions_Opened = "$Month $Day $Time session opened for user $Session_Opened_For by $Session_Opened_By"

# Save the line to the array in the hashtable
$ElevatedActivitys_HT["Session_Opened_For"] += $Elevated_Sessions_Opened
$Elevated_Sessions_Opened_Count = $ElevatedActivitys_HT["Session_Opened_For"].Count
}
# Variable to store the catches
$Elevated_Sessions_Opened = $SingleLine | Select-String -Pattern ".*sudo\: pam_unix\(sudo\:session\)\: session opened for user.*"

# Variable to store the catches
$ElevatedCommands = $SingleLine | Select-String -Pattern ".*(sudo|su)\:.*COMMAND\=.*"
# Check if the line matches the pattern
if ($Elevated_Sessions_Opened) {

# Check if the line matches the first pattern
if ($ElevatedCommands) {
# Save the line to the array in the hashtable
$ElevatedActivitys_HT["ElevatedCommands"] += $ElevatedCommands.Line
$ElevatedCommands_Count = $ElevatedActivitys_HT["ElevatedCommands"].Count
}
# Split $ElevatedActivity line into words
$Words = $Elevated_Sessions_Opened -split ' '

# name the words in a new variable
$Month = $Words[0]
$Day = $Words[1]
$Time = $Words[2]
$Session_Opened_For = $Words[10] -replace '\(.*',''
$Session_Opened_By = $Words[12] -replace '\(.*',''

# save the complte result in a variable
$Elevated_Sessions_Opened = "$Month $Day $Time session opened for user $Session_Opened_For by $Session_Opened_By"

# Save the line to the array in the hashtable
$ElevatedActivitys_HT["Session_Opened_For"] += $Elevated_Sessions_Opened
$Elevated_Sessions_Opened_Count = $ElevatedActivitys_HT["Session_Opened_For"].Count
}

# Variable to store the catches
$ElevatedCommands = $SingleLine | Select-String -Pattern ".*(sudo|su)\:.*COMMAND\=.*"

# Check if the line matches the first pattern
if ($ElevatedCommands) {
# Save the line to the array in the hashtable
$ElevatedActivitys_HT["ElevatedCommands"] += $ElevatedCommands.Line
$ElevatedCommands_Count = $ElevatedActivitys_HT["ElevatedCommands"].Count
}

}

# print out the Session_Opened_For list
if ($Elevated_Sessions_Opened_Count -ge 1) {
Write-Output ""
Write-Output "Elevated Sessions Opened For Users"
Write-Output "+--------------------------------+"
$ElevatedActivitys_HT["Session_Opened_For"]
Write-Output ""
Write-Output "Elevated Sessions Opened For Users - Statistics Table"

$Session_HT = @{}

# Count occurrences of sessions
foreach ($Event in $ElevatedActivitys_HT["Session_Opened_For"]) {
$Session = $Event -replace '.*session opened for user ',''

if ($Session_HT.ContainsKey($Session)) {
$Session_HT[$Session]++
}
else {
$Session_HT[$Session] = 1
}
}

# Find max lengths
$MaxCharKey = ($Session_HT.Keys | Measure-Object Length -Maximum).Maximum
$MaxCharValue = ($Session_HT.Values | Measure-Object -Maximum).Maximum.ToString().Length

# Output table
foreach ($Key in $Session_HT.Keys) {
$SpacedKey = $Key.PadRight($MaxCharKey)
$SpacedValue = $Session_HT[$Key].ToString().PadRight($MaxCharValue)

$Final = "| Sessions opened for user $SpacedKey | Session Count: $SpacedValue |"
$Border = '-' * ($Final.Length - 2)

Write-Output "+$Border+"
Write-Output $Final
}

Write-Output "+$Border+"
}

# print out the ElevatedCommands list
if ($ElevatedCommands_Count -ge 1) {

# space
Write-Output ""
Write-Output "Elevated Commands - Raw Events"

# variable to cretae the amount of spaces needed for the table
$MaxLength = ($ElevatedActivitys_HT["ElevatedCommands"] | Measure-Object Length -Maximum).Maximum

# variable to story the new amount of hyfens
$BorderHyphen = '-' * $MaxLength
# space
Write-Output ""
Write-Output "Elevated Commands - Raw Events"

# variable to cretae the amount of spaces needed for the table
$MaxLength = ($ElevatedActivitys_HT["ElevatedCommands"] | Measure-Object Length -Maximum).Maximum

# variable to story the new amount of hyfens
$BorderHyphen = '-' * $MaxLength

# foreach loop to print out all the events
foreach ($SingleEvent in $ElevatedActivitys_HT["ElevatedCommands"]) {
# foreach loop to print out all the events
foreach ($SingleEvent in $ElevatedActivitys_HT["ElevatedCommands"]) {

$EventsPlusSpace = $SingleEvent.PadRight($MaxLength)
Write-Output "+$BorderHyphen+"
Write-Output "|$EventsPlusSpace|"
}
}

# closing border hyphen
Write-Output "+$BorderHyphen+"
# closing border hyphen
Write-Output "+$BorderHyphen+"

# hashtable
$ElevatedCommandsHT = @{}
# hashtable
$ElevatedCommandsHT = @{}

foreach ($SingleEvent in $ElevatedActivitys_HT["ElevatedCommands"]) {
foreach ($SingleEvent in $ElevatedActivitys_HT["ElevatedCommands"]) {

# Extract the user name to a variable
$RemoveStartUser = $SingleEvent -replace '.* sudo\:\s+',''
Expand All @@ -103,23 +132,23 @@ foreach ($SingleEvent in $ElevatedActivitys_HT["ElevatedCommands"]) {

# Check if $NameTag key already exists in the hashtable
if ($ElevatedCommandsHT.ContainsKey($NameTag)) {
# If it exists, append $Command to the existing array
$ElevatedCommandsHT[$NameTag] += $Command
# If it exists, append $Command to the existing array
$ElevatedCommandsHT[$NameTag] += $Command
} else {
# If it doesn't exist, create a new array with $Command
$ElevatedCommandsHT[$NameTag] = @($Command)
# If it doesn't exist, create a new array with $Command
$ElevatedCommandsHT[$NameTag] = @($Command)
}
}
# foreach loop to iterate all the keys insidde $ElevatedCommandsHT hashtable
foreach ($Key in $ElevatedCommandsHT.Keys) {
}

# foreach loop to iterate all the keys insidde $ElevatedCommandsHT hashtable
foreach ($Key in $ElevatedCommandsHT.Keys) {

# Find the maximum character count in $Key which is the $NameTag
$MaxCharCountForUser = ($Key | Measure-Object Length -Maximum).Maximum

# remove '2' from the $MaxCharCountForUser value
$MaxCharCountForUser = $MaxCharCountForUser - 2

# variable to stor the hyfens
$BorderHyphenForUser = '-' * $MaxCharCountForUser

Expand All @@ -132,7 +161,7 @@ foreach ($SingleEvent in $ElevatedActivitys_HT["ElevatedCommands"]) {

# Find the maximum character count in $ElevatedCommandsHT[$Key] which is the commands
$MaxCharCount = ($ElevatedCommandsHT[$Key] | Measure-Object Length -Maximum).Maximum

# variable to stor the hyfens
$BorderHyphen = '-' * $MaxCharCount

Expand All @@ -144,13 +173,13 @@ foreach ($SingleEvent in $ElevatedActivitys_HT["ElevatedCommands"]) {
Write-Output " V User Command History (Total Executions:$($ElevatedCommandsHT[$Key].Count))"
Write-Output " +$BorderHyphen+"
foreach ($Command in $Commands) {
Write-Output " |$Command|"
Write-Output " +$BorderHyphen+"
}
Write-Output " |$Command|"
Write-Output " +$BorderHyphen+"
}
}

}

# reset
$Elevated_Sessions_Opened_Count = $null
$ElevatedCommands_Count = $null
$ElevatedCommands_Count = $null

