Saturday, May 30, 2020

Searching Through /var/log Folder

To check for all user logins and logouts (the file argument is a relative path, so run this from /var/log or give the full path /var/log/wtmp):
# last -f wtmp

Wtmp is a file on the Linux, Solaris, and BSD operating systems that keeps a history of all logins and logouts. On Linux systems it is located at /var/log/wtmp. Various commands access wtmp to report login statistics, including the who and lastb commands.

To check for failed login attempts (again relative to /var/log, or use /var/log/btmp):

# last -f btmp

btmp logs failed login attempts to your system. In theory a long run of failures could mean someone is trying to brute-force passwords. You can empty this file but should not remove it, since software that expects the file to be there may crash.

Using ausearch
To search the audit logs, located in the audit log folder (/var/log/audit on most distributions), for ssh user login attempts:
# ausearch --input <filename> -i | grep -i sshd | grep -i USER_AUTH
USER_AUTH is triggered when a user-space authentication attempt is detected.
  • -i, --interpret                  Interpret results to be human readable
  • -if, --input <filename>          Specify the file name rather than the default audit file
  • -a, --event <audit event id>     Search based on audit event id
  • -gi, --gid <group id>            Search based on group id
  • -ui, --uid <user id>             Search based on user id
  • --session <login session id>     Search based on login session id
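The grep pipeline above only lists matching records; to turn them into a per-account, per-source tally of sshd authentication results, here is an added example (not code from the original post). It parses the raw record format that ausearch reads from audit.log rather than the interpreted (-i) output, so it runs on a copied log file without auditd; the sample records are constructed and use TEST-NET addresses.

```python
import re
from collections import Counter

# Audit records are "key=value" pairs; values are bare, "double" or 'single' quoted.
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
# Record header: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>):
MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):")


def parse_record(line):
    """Return the record's fields as a dict, or None if the line is not an audit record."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": int(m.group(2)), "serial": int(m.group(3))}
    # PAM-related fields (acct, exe, addr, res) live inside the nested msg='...' payload.
    for key, val in KV_RE.findall(line[m.end():]):
        val = val.strip("\"'")
        if key == "msg":
            for k2, v2 in KV_RE.findall(val):
                rec[k2] = v2.strip("\"'")
        else:
            rec[key] = val
    # Caveat: auditd hex-encodes acct/exe values containing spaces or unprintable
    # characters; ausearch -i decodes those, this parser does not.
    return rec


def sshd_auth_results(lines):
    """Count USER_AUTH records from sshd, keyed by (account, source address, result)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if not rec or rec["type"] != "USER_AUTH":
            continue
        if not rec.get("exe", "").endswith("/sshd"):  # skip sudo/login/su authentications
            continue
        counts[(rec.get("acct", "?"), rec.get("addr", "?"), rec.get("res", "?"))] += 1
    return counts


# Constructed sample records in raw audit.log format (not real data).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1590829200.101:301): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590829205.102:302): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590829300.103:303): pid=2150 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=success'
type=USER_AUTH msg=audit(1590829310.104:304): pid=2200 uid=0 auid=1000 ses=5 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=pts/0 res=success'
type=USER_LOGIN msg=audit(1590829301.105:305): pid=2150 uid=0 auid=1001 ses=6 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=/dev/pts/1 res=success'
"""

if __name__ == "__main__":
    for (acct, addr, res), n in sorted(sshd_auth_results(SAMPLE_LOG.splitlines()).items()):
        print(f"{n:4d}  {res:8s} {acct:16s} from {addr}")
```

Point it at a real file with `sshd_auth_results(open("/var/log/audit/audit.log"))` and sort by count to surface the noisiest failing sources.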

TTY entries are direct connections to the computer, such as a local keyboard/console or a serial connection to the device. PTS entries are pseudo-terminals, which is what SSH and telnet sessions use.

Some of the useful audit record types are listed below.
Audit Record Types:
  • ADD_USER    Triggered when a user-space user account is added.
  • CRED_ACQ    Triggered when a user acquires user-space credentials.
  • CRED_DISP    Triggered when a user disposes of user-space credentials.
  • CRED_REFR    Triggered when a user refreshes their user-space credentials.
  • CRYPTO_KEY_USER    Triggered to record the cryptographic key identifier used for cryptographic purposes.
  • CRYPTO_LOGIN    Triggered when a cryptographic officer login attempt is detected.
  • CRYPTO_LOGOUT    Triggered when a crypto officer logout attempt is detected.
  • DEL_GROUP    Triggered when a user-space group is deleted.
  • DEL_USER    Triggered when a user-space user is deleted.
  • SYSTEM_RUNLEVEL    Triggered when the system's run level is changed.
  • SYSTEM_SHUTDOWN    Triggered when the system is shut down.
  • USER_LOGIN    Triggered when a user logs in.
  • USER_LOGOUT    Triggered when a user logs out.
  • USER_START    Triggered when a user-space session is started.

Regex with gedit
To check for any POST requests in the web log files on a given date, the regexes below can be used with gedit's search (enable the "Regular expression" option; keep "Match case" ticked so the month is spelled exactly as the web server writes it).
At least one word should match: ^.*(21/May/2020|POST).*$
Both words should match: ^(?=.*21/May/2020)(?=.*POST).*$

Reference:
Red Hat audit record types can be found at:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types