Linux System Administration

Logging and Auditing

Logging and auditing are critical components of system administration and security management. They involve the recording and analysis of events, activities, and access on a computer system. This information is invaluable for troubleshooting, monitoring, and identifying potential security incidents. Here’s an overview of logging and auditing:

Logging:

  1. Definition:
    • Logging involves the process of recording events, actions, and interactions on a computer system. These events can range from system messages to user activities.
  2. Types of Logs:
    • System Logs: Capture system-related events, including kernel messages, service start/stop events, and hardware-related information.
    • Security Logs: Focus on security-related events, such as authentication attempts, login successes/failures, and access control changes.
    • Application Logs: Record events specific to applications, including errors, warnings, and status messages generated by software.
    • Audit Logs: Provide detailed records of activities on a system, often used for compliance and security purposes.
  3. Log Storage:
    • Logs are typically stored in files on the system. The location and format of these files can vary depending on the operating system and configuration.
  4. Log Rotation:
    • To prevent log files from becoming too large, many systems implement log rotation, which periodically archives and clears old log entries.

Auditing:

  1. Definition:
    • Auditing involves the systematic examination and evaluation of records, logs, and activities to ensure compliance with policies, identify anomalies, and investigate security incidents.
  2. Purpose of Auditing:
    • Compliance: Auditing helps ensure that systems and processes adhere to regulatory and organizational standards.
    • Security: It helps identify and investigate security breaches, unauthorized access, and suspicious activities.
    • Forensics: Auditing provides a trail of evidence for post-incident analysis and legal purposes.
  3. Audit Trails:
    • An audit trail is a chronological record of system activities that provides a complete and detailed history of events.
  4. Configuring Auditing:
    • Auditing parameters and policies are typically configured in the system’s security settings or through specialized auditing tools.

Logging vs. Auditing:

  • Logging is the process of generating records of events, while auditing involves the examination and analysis of those records.
  • Logging is continuous and passive, capturing events as they occur. Auditing, on the other hand, is typically an active process that involves reviewing logs with a specific purpose.

Best Practices:

  1. Regular Review:
    • Logs and audit trails should be regularly reviewed to identify and address any unusual or suspicious activities.
  2. Secure Storage:
    • Log files and audit records should be stored securely to prevent tampering or unauthorized access.
  3. Retention Policy:
    • Implement a retention policy for logs to ensure they are retained for an appropriate duration for compliance and forensic purposes.
  4. Automated Monitoring:
    • Implement automated monitoring and alerting for critical events to promptly respond to potential security incidents.
  5. Regular Training:
    • Keep staff, especially security personnel, well-trained in reviewing logs and interpreting audit trails.

By maintaining comprehensive logs and conducting regular audits, organizations can enhance their security posture, identify and respond to incidents in a timely manner, and demonstrate compliance with regulatory requirements.

Logging:

Viewing System Logs (e.g., on CentOS/Red Hat):

  1. View the last 10 lines of the system log (syslog): sudo tail /var/log/messages
  2. View the last 10 lines of the secure log (contains authentication-related messages): sudo tail /var/log/secure
  3. View the kernel messages: sudo dmesg | less
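As an added example, not part of the course material: the commands above show how to look at /var/log/secure, and the "Automated Monitoring" best practice asks for alerting on critical events. The POSIX shell script below does the smallest useful version of that: it counts failed SSH password logins per source address in secure-log lines and flags any source at or above a threshold. The log lines are constructed (the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges), and the function names count_auth_failures and flag_sources are my own, not tools from the lesson.

```shell
#!/bin/sh
# Added example, not from the course: a small detection pass over
# /var/log/secure-style sshd lines. Counts failed password logins per
# source address and flags sources at or above a threshold.
# The log lines below are constructed; 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges, not real hosts.

SAMPLE_SECURE='Nov 12 08:01:02 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51512 ssh2
Nov 12 08:01:05 host1 sshd[2203]: Failed password for root from 203.0.113.5 port 51520 ssh2
Nov 12 08:01:09 host1 sshd[2205]: Failed password for root from 203.0.113.5 port 51530 ssh2
Nov 12 08:02:15 host1 sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Nov 12 08:03:40 host1 sshd[2214]: Failed password for invalid user test from 198.51.100.9 port 33001 ssh2
Nov 12 08:04:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/tail /var/log/secure'

# count_auth_failures: read log lines on stdin and print "<count> <source-ip>",
# most failures first. Only sshd "Failed password" lines are counted, so
# successful logins and unrelated sudo entries are ignored.
# Real use: sudo cat /var/log/secure | count_auth_failures
count_auth_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) printf "%d %s\n", fails[ip], ip }' \
    | sort -k1,1nr -k2,2
}

# flag_sources THRESHOLD: print only the source addresses whose failure count
# is at least THRESHOLD (the "automated monitoring" trigger from the lesson).
flag_sources() {
    count_auth_failures | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_SECURE" | count_auth_failures
printf '%s\n' "$SAMPLE_SECURE" | flag_sources 3
```

On a real host the script would be fed from the log file (or from a log collector) and flag_sources would be run on a timer; the threshold is deliberately a parameter, because the right value depends on how much legitimate password-guessing noise a given host sees.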

Log Rotation:

  1. Manually initiate log rotation: sudo logrotate -f /etc/logrotate.conf
  2. Dry-run log rotation in debug mode, which reports for each log whether it is due for rotation and when it was last rotated, without changing any files: sudo logrotate -d /etc/logrotate.conf

Auditing:

Installing and Configuring Auditd (on CentOS/Red Hat):

  1. Install the auditd package: sudo yum install audit
  2. Start the auditd service: sudo systemctl start auditd
  3. Enable the auditd service to start on boot: sudo systemctl enable auditd

Configuring Audit Rules:

  1. View current audit rules: sudo auditctl -l
  2. Add a rule to monitor a specific file (e.g., /etc/passwd) for writes, tagged with a key you can search on later (rules added with auditctl do not survive a reboot; persistent rules belong in a file under /etc/audit/rules.d/): sudo auditctl -w /etc/passwd -p w -k passwd_changes
  3. Remove that watch rule by repeating it with -W in place of -w (audit rules have no numeric IDs, and sudo auditctl -D deletes all loaded rules at once): sudo auditctl -W /etc/passwd -p w -k passwd_changes

Searching Audit Logs:

  1. View the last 10 lines of the audit log: sudo tail /var/log/audit/audit.log
  2. Search for events involving a specific user in any uid field (uid, effective uid, or login uid): sudo ausearch -ua <username> -i
  3. Search for events matching the key of a rule (e.g., the passwd_changes key set above), with numeric fields interpreted: sudo ausearch -k passwd_changes -i
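As an added example, not part of the course material: ausearch works on the raw audit.log format, and understanding that format is what lets you write your own checks against it. The POSIX shell script below parses constructed audit.log records, picks out the SYSCALL records tagged with the key from the watch rule above, separates denied attempts (success=no) from successful ones, and ties an event's serial number back to the PATH record naming the file that was touched. The records, serials, uids and timestamps are constructed, and the function names audit_by_key, audit_denied and audit_event_paths are my own, not part of the audit package.

```shell
#!/bin/sh
# Added example, not from the course: a parser for raw /var/log/audit/audit.log
# records that links SYSCALL records to the watch key set with
# "auditctl -w ... -k passwd_changes" and to the PATH records of the same event.
# The records below are constructed; serials, uids and timestamps are made up.

SAMPLE_AUDIT='type=SYSCALL msg=audit(1699776000.101:2001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3c2a1b20 a2=241 a3=1b6 items=2 ppid=1800 pid=1833 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=CWD msg=audit(1699776000.101:2001): cwd="/root"
type=PATH msg=audit(1699776000.101:2001): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1699776300.250:2010): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d0c2a1b3c0 a2=241 a3=1b6 items=1 ppid=2100 pid=2111 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="bash" exe="/usr/bin/bash" key="passwd_changes"
type=PATH msg=audit(1699776300.250:2010): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1699776400.000:2020): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffe1a2b3c40 a2=241 a3=1b6 items=2 ppid=2300 pid=2311 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="visudo" exe="/usr/sbin/visudo" key="sudoers_changes"'

# audit_by_key KEY: read audit.log on stdin and print one line per SYSCALL
# record tagged with KEY: "<serial> auid=<login uid> uid=<uid> exe=<path> success=<yes|no>".
# auid is the uid the user logged in with and survives su/sudo, so it is the
# field that attributes the action to a person; uid is the effective user at
# the time of the call. Real use: sudo cat /var/log/audit/audit.log | audit_by_key passwd_changes
audit_by_key() {
    awk -v want="$1" '
        $1 == "type=SYSCALL" {
            serial = auid = uid = exe = ok = k = ""
            # $2 is msg=audit(<epoch>.<ms>:<serial>): and the serial joins all
            # records (SYSCALL, CWD, PATH, ...) that belong to one event
            if (match($2, /:[0-9]+\)/)) serial = substr($2, RSTART + 1, RLENGTH - 2)
            for (i = 3; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue
                name = substr($i, 1, eq - 1); val = substr($i, eq + 1)
                gsub(/"/, "", val)
                if (name == "auid") auid = val
                else if (name == "uid") uid = val
                else if (name == "exe") exe = val
                else if (name == "success") ok = val
                else if (name == "key") k = val
            }
            if (k == want) printf "%s auid=%s uid=%s exe=%s success=%s\n", serial, auid, uid, exe, ok
        }'
}

# audit_denied KEY: only the attempts the kernel refused (success=no), which
# is what an alert on a watched file should fire on first.
audit_denied() {
    audit_by_key "$1" | grep 'success=no$'
}

# audit_event_paths SERIAL: the file names from the PATH records of one event,
# so a SYSCALL line can be tied back to the exact path that was touched.
audit_event_paths() {
    awk -v s="$1" '
        $1 == "type=PATH" && index($2, ":" s ")") {
            for (i = 3; i <= NF; i++)
                if (substr($i, 1, 5) == "name=") { n = substr($i, 6); gsub(/"/, "", n); print n }
        }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_AUDIT" | audit_by_key passwd_changes
printf '%s\n' "$SAMPLE_AUDIT" | audit_denied passwd_changes
printf '%s\n' "$SAMPLE_AUDIT" | audit_event_paths 2010
```

The split between auid and uid is the detail worth keeping in mind when reading these records: in the first event a user who logged in as uid 1000 edited /etc/passwd as root, and the audit trail still names 1000 as the responsible login. ausearch -i does the same name resolution for you on a live system; the value of a home-grown parser is in feeding such records into whatever alerting the host already has.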

Generating Audit Reports:

  1. Generate a summary report of audit events: sudo aureport
  2. Generate a report of file-related events: sudo aureport -f

Note:

  • These commands are for CentOS/Red Hat-based systems. For other distributions, the commands and file paths may differ slightly.
  • Always consult your system’s documentation or specific audit tools for more advanced configuration options and details.