We can find the IP from where a ssh login has been done and commands have been executed. Also we can get the status of logins & those commands.<\/p>\n
Suppose a Server has 2 users<\/span> :- Login to your server using Ubuntu user. \u201cpstree -p<\/strong>\u201d and grep whatever command you want to audit This will return PIDs of ssh logins which have been processed till now. After running the above command, multiple PIDs will be shown, so you can filter the output according to your use. For this, we have the auditd tool \u201capt-get install auditd audispd-plugins<\/strong>\u201d<\/p>\n Auditd works on some user defined rules. So, now we have to set the rules. Here write rules like below<\/span> :-<\/p>\n <\/p>\n Note<\/strong><\/span>:- When you write the line highlighted you wont be able to edit the audit.rules file again. There is an alternative to you opening the file and editing it. If you don’t want to edit the file you can directly define rules via command.<\/p>\n \u201cauditctl -a exit,always -F path=\/etc\/passwd -F perm=wa<\/strong>\u201d A Few more auditctl commands<\/span>:- To see files opened by a specific user: To see unsuccessful open call\u2019s: Here are a few switches<\/span> :- Restart the service.<\/p>\n \u201csudo service auditd restart<\/strong>\u201d<\/p>\n Now, run the below command with the file you want to edit.<\/p>\n
\n1. Ubuntu which has sudo access.
\n2. ranvijay is a another user created by useradd.
\n(password login to server has been enabled)<\/p>\n
\nAlso, login to server in with user ranvijay from another machine which might be running on the same or other network.
\nNow, if we want to check from where the ssh logins have been made
\nRun command -><\/p>\n
\nlike \u201cgrep sshd<\/strong>\u201d
\nor simply \u201cps -ef | grep sshd<\/strong>”<\/p>\n
\nLogs are stored in auth.log file
\nSo,
\n\u201csudo grep 2448 \/var\/log\/auth.log<\/strong>\u201d ( 2248 is the process ID & it may vary in your server)<\/p>\n
\nYou would get a similar output :-<\/p>\n![\"Screenshot](\"\/blog\/wp-ttn-blog\/uploads\/2015\/03\/Screenshot-from-2015-03-23-171259.png\")
<\/a><\/p>\n<\/h3>\n
2.<\/span>For f<\/span>inding who changed \/ executed a particular file \/process \/system calls<\/span><\/span><\/b><\/span><\/span><\/h3>\n
\nInstall it by using the following command.<\/p>\n
\nThese rules specify for which file to & the operations on the file to keep track of
\nNow run command ->
\n\u201cvim \/etc\/audit\/audit.rules<\/strong>\u201d<\/p>\n<\/a><\/p>\n
\nThis will append audit.rules file & activate audit on passwd file.<\/p>\n
\nTo see all system calls made by a program:
\n“auditctl -a entry,always -S all -F pid=1005<\/strong>”<\/p>\n
\n“auditctl -a exit,always -S open -F auid=510<\/strong>”<\/p>\n
\n“auditctl -a exit,always -S open -F success!=0<\/strong>”<\/p>\n
\nr = read
\nw = write
\nx = execute
\na = attribute change<\/p>\n