Linux Logging

Limit Logging from SSH Session

• To avoid logging in /var/log/wtmp

ssh [email protected] bash -c /bin/sh
OR
ssh [email protected] bash -i
OR 
ssh [email protected] /bin/sh <-- Best option

Finding Writable Directories for your Current User

find / -type d -perm -0222 2>/dev/null

• Good hiding spots are tmpfs file systems. Run the mount command to view tmpfs filesystems:

/dev/shm

Unix Logging

• Main log files can be identified by viewing

/etc/syslog.conf

• Majority of the log files are located in:

/var/log

Hiding Shell History

• Kill bash shell and prevent command writing to .bash_history

kill -9 $$

• Dont save history for shell session, run as your first command when you get on a box

unset HISTFILE HISTFILESIZE HISTSIZE PROMPT_COMMAND

• On some distributions adding a leading space will prevent the command from writing (old distros)

• This will only work if the environmental variable HISTCONTROL is set to ignorespace

Accounting Entries in Unix

• Currently logged in users

• Distro Dependent

/var/log/utmp

• Successful login attempts

/var/log/wtmp

• Unsuccessful login attempts

• Some admins will turn this off, so evidence of miss typed password in the username field are not saved

/var/log/btmp

• File to show login name, port, and last login time for each user

/var/log/lastlog

• These are binary files and need special tools in order to edit

Log Files to Check

/var/log/auth.log
/var/log/syslog
/var/log/messages
/var/spool/mail/root
/var/log/secure
/var/log/cron
/var/log/httpd/access_log*
/var/log/httpd/error_log*
##Dont forget the journel##

Syslog

• Key files

• Logging level