Linux Logging

Limit Logging from SSH Session

To avoid logging in /var/log/wtmp

ssh [email protected] bash -c /bin/sh
OR
ssh [email protected] bash -i
OR 
ssh [email protected] /bin/sh <-- Best option

Finding Writable Directories for your Current User

find / -type d -perm -0222 2>/dev/null

Good hiding spots are tmpfs file systems. Run the mount command to view tmpfs filesystems:

/dev/shm

Unix Logging

Main log files can be identified by viewing

/etc/syslog.conf

Majority of the log files are located in:

/var/log

Hiding Shell History

Kill bash shell and prevent command writing to .bash_history

kill -9 $$

Dont save history for shell session, run as your first command when you get on a box

unset HISTFILE HISTFILESIZE HISTSIZE PROMPT_COMMAND

On some distributions adding a leading space will prevent the command from writing (old distros)
This will only work if the environmental variable HISTCONTROL is set to ignorespace

Accounting Entries in Unix

Currently logged in users
Distro Dependent

/var/log/utmp

Successful login attempts

/var/log/wtmp

Unsuccessful login attempts
Some admins will turn this off, so evidence of miss typed password in the username field are not saved

/var/log/btmp

File to show login name, port, and last login time for each user

/var/log/lastlog

These are binary files and need special tools in order to edit

Log Files to Check

/var/log/auth.log
/var/log/syslog
/var/log/messages
/var/spool/mail/root
/var/log/secure
/var/log/cron
/var/log/httpd/access_log*
/var/log/httpd/error_log*
##Dont forget the journel##

Syslog

Key files

Filename

Purpose

auth.log

System authentication and security events

boot.log

A record of boot-related events

dmesg

Kernel-ring buffer events related to device drivers

dpkg.log

Software package-management events

kern.log

Linux kernel events

syslog

A collection of all logs

wtmp

Tracks user sessions (accessed through the who and last commands)

Logging level

Level

Description

debug

Helpful for debugging

info

Informational

notice

Normal conditions

warn

Conditions requiring warnings

err

Error conditions

crit

Critical conditions

alert

Immediate action required

emerg

System unusable

PreviousEvading Logging and Monitoring NextTor

Last updated 10 months ago

hashtagLimit Logging from SSH Session

hashtagFinding Writable Directories for your Current User

hashtagUnix Logging

hashtagHiding Shell History

hashtagAccounting Entries in Unix

hashtagLog Files to Check

hashtagSyslog