17 February 2012

I was recently approached by one of my clients who had a breach on one of their servers. Thinking FCAPS (Fault Management, Configuration, Accounting, Performance, Security), I knew the first place to start on the box was the auth.log file. Being an Ubuntu 11.04 box, the log files were located at /var/log/. Some distributions change the log location, but it's just about against standard to do so. That's where I came up with the idea for LogAudit.

I made a PHP script that would import the log file and match up the session start and session close entries. This would allow you to see how long a session was allocated for, who the user was, when it started and ended, as well as the module and sub-module which allowed the authentication. I whipped together LogAudit within a couple of minutes and had a method of procedure for the customer within an hour.

Here is an example of what two of the log entries looked like:

Aug 23 22:36:53 angryserver sshd[8049]: pam_unix(sshd:session): session opened for user sixeightzero 
Aug 23 23:19:26 angryserver sshd[8049]: pam_unix(sshd:session): session closed for user sixeightzero 

Note: Please not that unless you adjust the permissions on the platform to be readable by the user executing this script, by default, root access is required to run this script.

I recently migrated the code to a gist, which you can find below:

Examples

Here are a few methods built-in:

Here is an example of the returned object:

Enjoy.

Tagged under varlog, audit, daemon, fcaps, linux, log, logaudit, multidimensional-arrays, namespace, php-log-audit, php-multidimensional-array-search, php5, php5-3, recursive-iterator, recursiveiterator, security, and others
Mike Mackintosh

This post was written by Mike Mackintosh, a decorated security professional.




Related Posts