
Thread: Question Audit Linux System

  1. #1
    Join Date
    Mar 2019
    Beans
    215

    Question Audit Linux System

    Hi,
    It was recommended to me that I install audit packages for my Ubuntu laptop [no personal server, hooked up to a commercial modem via wired connection], based on this webpage: https://www.cyberciti.biz/tips/howto...ccounting.html

    The following commands worked fine:
    Code:
    ac
    ac -d
    For
    Code:
    ac -p
    the return was
    Code:
     me                         11.46
        total       11.46

    But when I entered

    Code:
     lastcomm
    with my username, and the same command with tty2, there were no returns.

    Earlier I entered the following commands into the terminal: "netstat", "last", "ls". So shouldn't they show up in the return for my username? Since I am new to this feature, I'd appreciate feedback.
    Last edited by bhubunt; 3 Weeks Ago at 04:39 PM.

  2. #2
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Question Audit Linux System

    As in my last PM to you on how to install that package and its use... After that part of my PM, I explained that 'lastcomm' does not capture the session or where the user was from. (Though it does capture many details on exactly what users were logged in, and everything they do on your computer...)

    It captures since the package was installed and the auditing turned on. Does that make sense?

    Since it doesn't track sessions and where from... That is why I went on to explain that I set up 'w' as a crontab job creating a log file to capture those further details. I explained how to set that up, how often you should review it, and what to do with that log after reviewing it.

    Re-read that last PM...

    "Concurrent coexistence of Windows, Linux and UNIX..." || Ubuntu user # 33563, Linux user # 533637
    Sticky: Graphics Resolution | UbuntuForums 'system-info' Script | Posting Guidelines | Code Tags
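    The crontab-driven 'w' logger described in the post above, written out as an added example; this is not the poster's own script. The log path /var/log/who-sessions.log, the script name log-sessions.sh and the 15-minute schedule are assumptions.

    ```shell
    #!/bin/sh
    # Added example (not the poster's script): snapshot logged-in sessions with `w`
    # into a log file, so the session and "FROM" details that lastcomm does not
    # record are available when you review the machine later.
    # Assumed log path; override with LOGFILE=... in the environment.
    LOGFILE="${LOGFILE:-/var/log/who-sessions.log}"

    # log_sessions LOGFILE : append one timestamped `w` snapshot to LOGFILE
    log_sessions() {
        logfile="$1"
        {
            printf '=== %s ===\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
            # `w` lists who is logged in, the tty, where they came from (FROM)
            # and what they are running; keep going even if it fails.
            if command -v w >/dev/null 2>&1; then
                w || echo "(w failed: no utmp data?)"
            else
                echo "(w not installed: it ships with procps)"
            fi
        } >> "$logfile"
    }

    # count_snapshots LOGFILE : how many snapshots the log holds (0 if none)
    count_snapshots() {
        grep -c '^=== ' "$1" || true
    }

    # Assumed crontab entry (install with `sudo crontab -e`), every 15 minutes:
    #   */15 * * * * /usr/local/sbin/log-sessions.sh
    # Review the log on a schedule, then rotate or prune it after review.

    # Take a snapshot only when run directly as the installed script, so sourcing
    # the file (e.g. for a test) does not write to the real log.
    case "$0" in
        */log-sessions.sh|log-sessions.sh) log_sessions "$LOGFILE" ;;
    esac
    ```

    Each snapshot is separated by a timestamped header line, so the log is easy to split by time when comparing against `last` or `ac -d` output.
    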

  3. #3
    Join Date
    Mar 2019
    Beans
    215

    Re: Question Audit Linux System

    OK.

    Shouldn't there be a root ref in the return for

    Code:
     ac -p
    ?

    Or did I get that wrong?

  4. #4
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: Question Audit Linux System

    Mine:
    Code:
    ac -p
    	me                                  37.74
    	total       37.74
    root@me-Legion-5-zfs:/home/me# ac -a
    	total       37.75
    root@me-Legion-5-zfs:/home/me# ac -ap
    	me                                  37.75
    	total       37.75
    Understanding will become easier as you learn with it. What it does, what it cannot do... on and on.
    Code:
     ac -d
    May  6	total        7.94
    May  7	total        5.21
    May  8	total        4.96
    May 10	total        1.73
    May 11	total        7.39
    May 12	total        1.07
    May 14	total        0.18
    May 15	total        4.94
    May 17	total        2.52
    Today	total        1.81
    It's a good place to start looking for foul play.
    Last edited by 1fallen; 3 Weeks Ago at 07:33 PM. Reason: spelling
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD
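    As an added example, not from the thread, here is the kind of quick check over `ac -p` and `ac -d` output that turns the "good place to start looking for foul play" above into something repeatable: the `me` line and the per-day table are taken from the post, while the `guest` line, the allowed-user list and the 7-hour threshold are constructed for the example.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): review `ac` output for logins by
    # accounts you do not expect, and for days with unusually long login totals.

    # Constructed sample of `ac -p`; the `guest` line is invented to show a hit.
    SAMPLE_AC_P='    me                                  37.75
        guest                                0.42
        total       38.17'

    # Sample of `ac -d` as shown in the post above.
    SAMPLE_AC_D='May  6	total        7.94
    May  7	total        5.21
    May  8	total        4.96
    May 10	total        1.73
    May 11	total        7.39
    May 12	total        1.07
    May 14	total        0.18
    May 15	total        4.94
    May 17	total        2.52
    Today	total        1.81'

    # unexpected_logins "user1 user2 ..." < ac-p-output
    # Prints "user hours" for every account with login time that is not in the
    # allowed list, skipping the trailing "total" line; exit 1 if any found.
    unexpected_logins() {
        awk -v allowed="$1" '
            BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
            NF >= 2 && $1 != "total" && !($1 in ok) { print $1, $NF; found = 1 }
            END { exit found ? 1 : 0 }
        '
    }

    # busy_days THRESHOLD_HOURS < ac-d-output
    # Prints each day whose total login time exceeds the threshold.
    busy_days() {
        awk -v limit="$1" '
            $(NF-1) == "total" && ($NF + 0) > (limit + 0) {
                h = $NF; sub(/[ \t]+total.*$/, ""); print $0 " " h "h"
            }
        '
    }
    ```

    Run with real data as `ac -p | unexpected_logins "me"` and `ac -d | busy_days 7`; a non-zero exit from the first makes it easy to wire into a cron job that mails you only when something unexpected shows up.
    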

  5. #5
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: Question Audit Linux System

    Another tool I use is Lynis : https://www.howtogeek.com/674288/how...ty-with-lynis/

    Lynis performs a suite of automated tests that thoroughly inspect many system components and settings of your Linux operating system. Please read all the information covered on the page link, also some extra plugins are available.

    Also pertaining to your "lastcomm" not showing a return, I'm currently working on a bug I found with it, so give it some time to investigate that.
    Currently on 24.10 Testing "lastcomm"
    Code:
    lastcomm
    *** buffer overflow detected ***: terminated
    Aborted (core dumped)
    Also your query on a tty2 session:
    Code:
    last tty2
    
    wtmp begins Mon May  6 10:14:09 2024
    That is verified by me as my user logged in at that time.
    Today's "last"
    Code:
    last
    me       tty7         :0               Mon May 20 09:57    gone - no logout
    reboot   system boot  6.8.0-31-generic Mon May 20 09:57   still running
    Like I said, the more you use these utilities, the more will become evident.
    Last edited by 1fallen; 3 Weeks Ago at 05:09 PM. Reason: add to
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

  6. #6
    Join Date
    Mar 2019
    Beans
    215

    Re: Question Audit Linux System

    Thanks for the Lynis tool.

    In the return there were a lot of red warnings, for example, under

    Users, Groups and Authentication

    Code:
    - Locked accounts                                           [ FOUND ] (in red)
    - Permissions for directory: /etc/sudoers.d               [ WARNING ] (in red)

  7. #7
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: Question Audit Linux System

    Lynis expects /etc/sudoers.d to be unreadable by “others”, i.e. rwx[r-][w-][x-]---. If you run
    Code:
    chmod 750 /etc/sudoers.d
    it should fix that warning.
    Code:
     - Sudoers file(s)                                           [ FOUND ]
        - Permissions for directory: /etc/sudoers.d               [ OK ]
        - Permissions for: /etc/sudoers                           [ OK ]
        - Permissions for: /etc/sudoers.d/README                  [ OK ]
    The information should have been logged in the Lynis log file...
    As for the Locked Accounts see this: https://cisofy.com/lynis/controls/AUTH-9218/
    Last edited by 1fallen; 3 Weeks Ago at 06:44 PM. Reason: add to
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

  8. #8
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: Question Audit Linux System

    Some of the first checks I look at to see if any further action is needed by me:
    This I consider a good thing after running Lynis:
    Code:
    [+] Home directories
    ------------------------------------
      - Permissions of home directories                           [ OK ]
      - Ownership of home directories                             [ OK ]
      - Checking shell history files                              [ OK ]
    This is key as well:
    Code:
    [+] Cryptography
    ------------------------------------
      - Checking for expired SSL certificates [0/151]             [ NONE ]
    
      [WARNING]: Test CRYP-7902 had a long execution: 18.630953 seconds
    
      - Found 1 LUKS encrypted block devices.                     [ OK ]
      - Found 0 encrypted and 1 unencrypted swap devices in use.  [ OK ]
      - Kernel entropy is sufficient                              [ YES ]
      - HW RNG & rngd                                             [ NO ]
      - SW prng                                                   [ NO ]
      MOR-bit set                                                 [ YES ]
    This part is not to be ignored:
    Code:
    - blueman-mechanism.service:                          [ UNSAFE ]
            - bluetooth.service:                                  [ MEDIUM ]
    Code:
    sudo systemctl disable bluetooth
    [sudo] password for me: 
    Synchronizing state of bluetooth.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
    Executing: /usr/lib/systemd/systemd-sysv-install disable bluetooth
    Removed "/etc/systemd/system/bluetooth.target.wants/bluetooth.service".
    Removed "/etc/systemd/system/dbus-org.bluez.service".
    We have a well-known user that was hacked through Bluetooth, so keep it disabled when not needed.

    Security is a Life Long learning process.
    Last edited by 1fallen; 3 Weeks Ago at 06:58 PM.
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

  9. #9
    Join Date
    Mar 2019
    Beans
    215

    Re: Question Audit Linux System

    Quote Originally Posted by 1fallen
    Lynis expects /etc/sudoers.d to be unreadable by “others”, i.e. rwx[r-][w-][x-]---. If you run
    Code:
    chmod 750 /etc/sudoers.d
    This is what I get when entering the command, with and without sudo:

    Code:
     XXX-ThinkPad-X240:~$ chmod 750 /etc/sudoers.d
    chmod: changing permissions of '/etc/sudoers.d': Operation not permitted
    XXX-ThinkPad-X240:~$ sudo chmod 750 /etc/sudoers.d
    [sudo] password for XXX: 
    XXX-ThinkPad-X240:~$
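    The check Lynis is making on /etc/sudoers.d, and what the `chmod 750` does to the directory's "other" bits, as an added example that is not part of the thread. It assumes GNU `stat -c` (Linux) and works on any path you give it, so it can be tried on a temporary directory first; on the real directory the chmod needs sudo, which is why the unprivileged attempt in the post above fails with "Operation not permitted".

    ```shell
    #!/bin/sh
    # Added example (not from the thread): reproduce the Lynis expectation that
    # /etc/sudoers.d is not readable, writable or executable by "others",
    # i.e. a mode of the form rwx[r-][w-][x-]---, and print the fix.
    # Assumes GNU coreutils `stat -c '%a'` (Linux).

    # other_bits PATH : print the octal "other" digit of PATH's mode (e.g. 5 for 755)
    other_bits() {
        mode=$(stat -c '%a' "$1") || return 2
        printf '%s' "$mode" | tail -c 1
    }

    # check_no_other_access PATH : 0 if others have no access, 1 if they do,
    # 2 if the path cannot be examined
    check_no_other_access() {
        o=$(other_bits "$1") || return 2
        if [ "$o" = "0" ]; then
            printf 'OK      %s (others: ---)\n' "$1"
            return 0
        fi
        # chmod 750 clears all three "other" bits; o-rwx does the same without
        # touching owner/group bits. On /etc/sudoers.d this needs root (sudo).
        printf 'WARNING %s is accessible by others (other digit %s); fix: sudo chmod o-rwx %s\n' \
            "$1" "$o" "$1"
        return 1
    }

    # Check the real directory when run directly as a script, e.g.
    #   sudo ./check-sudoers-perms.sh   (assumed script name)
    case "$0" in
        */check-sudoers-perms.sh|check-sudoers-perms.sh) check_no_other_access /etc/sudoers.d ;;
    esac
    ```

    After running `sudo chmod 750 /etc/sudoers.d`, as in the quoted post, the check reports OK and a re-run of `lynis audit system` should show the "Permissions for directory: /etc/sudoers.d" line as [ OK ].
    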

