ssh-access-notify

2023-04-01 17:20:19 +05:00 · 2023-04-01 17:20:19 +05:00 · 28dce4b836
commit 28dce4b836
parent a0470b5f06
2 changed files with 25 additions and 0 deletions
--- a/config/i3/config
+++ b/config/i3/config
@ -219,3 +219,6 @@ exec --no-startup-id activate-linux

 # Start dunst (notification service)
 exec --no-startup-id dunst
+
+# start ssh access notification script
+exec --no-startup-id /home/shihaam/.scripts/notify-ssh-access.sh
--- a/scripts/notify-ssh-access.sh
+++ b/scripts/notify-ssh-access.sh
@ -0,0 +1,22 @@
+#!/bin/bash
+
+doas tail -fn0 /var/log/audit/audit.log | while read -r line; do
+
+    key=$(echo "$line" | grep -oP '(?<=key=").*?(?=")')
+    exe=$(echo "$line" | grep -oP '(?<=exe=").*?(?=")')
+    pid=$(echo "$line" | awk -F'ppid=[0-9]+ pid=' '{print $2}' | awk -F' ' '{print $1}')
+    username=$(echo "$line" | grep -oP '(?<=EUID=").+?(?=")')
+
+    if [ "$key" = "ssh-key-read" ]
+    then
+    		SUBJECT="SSH Key accessed!"
+		MESSAGE="exec=$exe\nuser=$username\npid=$pid"
+
+		if [ "$exe" = "/usr/bin/scp" ] || [ "$exe" = "/usr/bin/ssh" ]
+		then
+			notify-send "$SUBJECT" "$MESSAGE"
+		else
+			notify-send -u critical "$SUBJECT" "$MESSAGE"
+		fi
+    fi
+done