Author: Ruwantha Nissanka

Linux log review with logwatch

You know how important it is to do a daily log review. But you also know how much of a drag it is, and that you'd rather take a severe beating. Fortunately, there are various utilities that can make the job easier. Of the choices in the standard Linux distro repositories, Logwatch is a good fit for this task.

To deliver its messages, Logwatch requires that the machine also has a running mail server daemon. Depending on the options you chose when installing the operating system, you might or might not already have the Postfix mail server installed. When Postfix is set up as a local server, it delivers system messages to the root user's local account. To view the Logwatch summaries on the local machine, you'll also need to install a text-mode mail reader, such as mutt.

1. Install Logwatch, mutt and Postfix with the following command:

# apt install postfix mutt logwatch

2. Create a mail spool file for your user account:

# touch /var/mail/your_user_name

3. Forward the root user's mail to your own normal account. Open the /etc/aliases file in your favorite text editor and configure it to forward the root user's mail to your own normal account by adding the following line at the bottom of the file:

root: your_user_name

4. Save the file, and then copy the information from it...


Collect logs with journald in linux

You'll find the journald logging system on any Linux distro that uses the systemd ecosystem. Instead of sending its messages to text files, journald writes them to binary files, so instead of the normal Linux text file utilities you have to use the journalctl utility to extract information.

# journalctl

To view the journald log in its entirety, run the journalctl command with no options. With Ubuntu, the person who installed the operating system has been added to the adm group, which allows that person to use journalctl without sudo or root privileges. Any users who are added later can only see their own messages.

There are lots of options that display different types of information in various formats. For example, to see only messages about the cron service, use the --unit=cron option:

# journalctl --unit=cron

You can't use the grep utility on these binary logs, but you can search for a string with the -g option. By default, it's case-insensitive and finds your desired text string even when it's embedded in another text string. Here, we see it finding the text string fail:

# journalctl -g fail

To configure journald, edit the journald.conf file:

# vi /etc/systemd/journald.conf

Set Storage=volatile to keep the journal in memory, or Storage=persistent to store it on disk. Most distributions have it set to auto,...


Security Auditing for linux with Auditd

So, you have a directory full of super-secret files that only a very few people need to see, and you want to know when unauthorized people try to see them. Or maybe you want to see when a certain file gets changed, or when people log into the system and what they do once they're in. For all this and more, you have the auditd system.

Install auditd

Run the following command to install auditd:

# apt install auditd

Creating audit rules

First, let's check whether any audit rules are in effect:

# auditctl -l

As you can see, the auditctl command is what we use to manage audit rules. The -l option lists the rules.

Auditing a file for changes

Now, let's say that we want to see when someone changes the /etc/passwd file:

# auditctl -w /etc/passwd -p wa -k passwd_changes

The breakdown:

-w: This stands for where, and it points to the object that we want to monitor. In this case, it's /etc/passwd.
-p: This indicates the object's permissions that we want to monitor. In this case, we're monitoring to see when anyone either tries to (w)rite to the file or tries to make (a)ttribute changes. (The other two permissions that we can audit are (r)ead and e(x)ecute.)
-k: The k stands for key, which is just auditd's way of assigning...
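The point of the -k key is that every event the watch produces is tagged with it, so you can pull out exactly the attempts on /etc/passwd later. As an added example (not code from the post), this parser reads the record format auditd writes to /var/log/audit/audit.log, which the post does not show, over a few constructed sample lines and reports, per login user, who changed the file and who was denied.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the post): one successful
# usermod run and one denied edit, both tagged passwd_changes, plus an unrelated record.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c8e2a2b0 a2=241 a3=1b6 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="usermod" exe="/usr/sbin/usermod" key="passwd_changes"
type=PATH msg=audit(1700000000.123:456): item=1 name="/etc/passwd" inode=131 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000005.500:457): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd2a1b a2=241 a3=1b6 items=1 ppid=1300 pid=1301 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=USER_LOGIN msg=audit(1700000010.000:458): pid=900 uid=0 auid=1002 ses=5 msg='op=login id=1002 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/2 res=success'
"""

# name=value pairs; values are either double-quoted strings or runs of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of fields; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def events_for_key(log_text, key):
    """Collect SYSCALL records tagged with the given -k key, indexed by audit event id."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != key:
            continue
        # msg looks like audit(1700000000.123:456): -> the event id is the number after the colon
        event_id = rec["msg"].split(":")[1].rstrip(")")
        hits[event_id] = {
            "auid": rec["auid"],            # login uid, kept across su/sudo
            "comm": rec["comm"],            # program that touched the file
            "success": rec["success"] == "yes",
        }
    return hits


def summarize(hits):
    """Count successful and denied attempts per login user (auid)."""
    counts = defaultdict(lambda: {"ok": 0, "denied": 0})
    for h in hits.values():
        counts[h["auid"]]["ok" if h["success"] else "denied"] += 1
    return dict(counts)


if __name__ == "__main__":
    for auid, c in summarize(events_for_key(SAMPLE_AUDIT_LOG, "passwd_changes")).items():
        print(f"auid={auid}: {c['ok']} changed, {c['denied']} denied")
```

On a live system, ausearch -k passwd_changes performs the same lookup against the real log; the parser here shows what the key tag buys you.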

