with Randy Franklin Smith, CEO, Monterey Technology Group, Inc. CISA, SSCP, Security MVP
For all kinds of good reasons, including compliance, incident response, investigations and good SecDevOps practice, you need to be able to reconstruct a system user's activity on any kind of system.
In Windows this is largely a matter of the Security log, supplemented by Sysmon and PowerShell logs. With the right audit policy and logging configuration, those logs let you know every logon session, the connections between certain logon sessions, every process executed, the commands run and much of what takes place inside those processes.
You can do the same thing in Linux with the right configuration and logs. In this Real Training for Free session, our goal is to get you started doing just that.
We will explore how to track a user from when they initially log on, using either a local system account or a domain account if the Linux system is integrated with your AD environment. Then we will find out how they logged on, most likely through SSH (Secure Shell) but not always.
In this session I show you how to see which commands they run, and you will learn how to see when they escalate privileges or otherwise switch to other accounts using su and sudo.
But just knowing what commands they run might not be enough. What were the results and outputs of those commands? Linux does allow you to make a full-fidelity recording of each shell session, but this can be tricky. The best practice is definitely to configure systems so that users must run everything of consequence through sudo.
There are a lot of other ways for users to execute scripts and commands, including child processes and cron jobs. Finally, everything in Linux comes down to the file system, so we'll also look at the file system auditing capabilities in Linux.
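As an added example (not material from the session or from BeyondTrust's tooling), the following Python script reconstructs a per-user timeline from constructed auth.log lines of the kind the session covers: SSH logons, sudo commands and su account switches, with commands run on a tty after su re-attributed to the user who ran su. The hostname, user names, addresses and commands are made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/auth.log lines in the syslog format written by sshd, sudo
# and su; the host, users, addresses and commands are invented for this example.
SAMPLE_AUTH_LOG = """\
Mar 10 09:14:02 web01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:EXAMPLE
Mar 10 09:15:10 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 09:16:00 web01 su: (to deploy) alice on pts/0
Mar 10 09:17:45 web01 sudo:   deploy : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl restart app
Mar 10 09:20:33 web01 sshd[2211]: pam_unix(sshd:session): session closed for user alice
Mar 10 09:30:00 web01 sshd[2390]: Accepted password for bob from 10.0.0.7 port 50022 ssh2
Mar 10 09:31:12 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /var/log/syslog
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
PATTERNS = {  # checked in order; the first match decides the event kind
    "ssh_login": re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"),
    "ssh_logout": re.compile(r"sshd\[\d+\]: pam_unix\(sshd:session\): session closed for user (?P<user>\S+)"),
    "sudo": re.compile(r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)"),
    "su": re.compile(r"su(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)"),
}

def parse_event(line):
    """Return one event dict (ts, host, kind, user, ...) or None for lines we do not track."""
    m = SYSLOG.match(line)
    if not m:
        return None
    for kind, pat in PATTERNS.items():
        hit = pat.search(m["msg"])
        if hit:
            return {"ts": m["ts"], "host": m["host"], "kind": kind, **hit.groupdict()}
    return None

def reconstruct(lines):
    """Group events by originating user. sudo entries on a tty where someone earlier ran su
    are re-attributed to that person (a tty-keyed heuristic; reset it on logout in real use)."""
    tty_owner, timeline = {}, defaultdict(list)
    for ev in filter(None, map(parse_event, lines)):
        if ev["kind"] == "su":
            tty_owner.setdefault(ev["tty"], ev["user"])
        origin = tty_owner.get(ev.get("tty"))
        if ev["kind"] == "sudo" and origin and origin != ev["user"]:
            ev["via_su_from"] = origin
        timeline[ev.get("via_su_from", ev["user"])].append(ev)
    return dict(timeline)

if __name__ == "__main__":
    for user, evs in reconstruct(SAMPLE_AUTH_LOG.splitlines()).items():
        print(user, [(e["ts"], e["kind"], e.get("cmd", e.get("target", e.get("src")))) for e in evs])
```

Lines the patterns do not recognise (cron, PAM session bookkeeping) are skipped, which is itself a reminder of the gap the session discusses: commands run in a plain root shell after su leave no sudo record at all.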
Here’s some of the logs we’ll introduce:
Of course, these logs are cryptic and fragmented, and that is where BeyondTrust, the sponsor of this Real Training for Free session, comes in.
Patrick Schneider will briefly show you how to centralize and manage these vast amounts of cryptic and fragmented data and access them in a central repository. From start to finish, whether you log in to a Linux server using your AD credentials, elevate your privileges using sudo on your Linux workstation or elevate privileges on your tier 1 critical Linux server infrastructure, Patrick will show you how to capture, search and access those fragmented logs, as well as manage the policies and scripts, in an easy-to-use GUI.
Watch and learn from Patrick how capturing, accessing and managing vast amounts of data can be easy when it comes to Linux single sign-on and privilege elevation.
Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies and national and international organizations.
Patrick Schneider is a Senior IGA professional with 30 years of experience in the Information Technology industry. Prior to joining BeyondTrust as a Senior Solutions Architect, Patrick was a Senior Solutions Engineer for the Security portfolio of a major IAM solutions provider. Patrick holds many industry certifications, such as CompTIA+, MCP, Certified Directory Engineer, Certified Linux Engineer and more.