Linux Security Logging: Tracking a System User’s Footsteps as They Move Through the System

Webinar Registration

For all kinds of good reasons – including compliance, incident response, investigations and good SecDevOps practice - you need to be able to reconstruct a system user’s activity on any kind of system.

In Windows this is largely a matter of the Security log supported by Sysmon, PowerShell logs. With the right audit policy, logging configuration and those logs you can know every logon session, connections between certain logon sessions, as well as every process executed, commands run and much of what takes place inside those processes.

You can do the same thing in Linux with the right configuration and logs. In this real training for free session, our goal is to get you started doing just that.

We will explore how to track a user from when they initially logon using a local system account or a domain account if the Linux system is integrated with your AD environment. Then we will find out how they logged – most likely through SSH (secure shell) but not always.

I will show you how to see which commands they run. And you will learn how to see when they escalate privileges or otherwise switch to other accounts using su and sudo.

But just knowing what commands they run might not be enough. What were the results and outputs of those commands? Linux does allow you to make a full fidelity recording of each shell session but this can be tricky. The best practice is definitely to configure systems so that users must run everything of consequence through sudo.

There are a lot of other ways for users to execute scripts and commands including with child processes and cron jobs. Finally, everything in Linux comes down to the file system and so we’ll look at the file system auditing capabilities in Linux.

Here’s some of the logs we’ll introduce:

  • /var/log/secure
  • /var/log/auth.log
  • /var/log/logkeys.log
  • /var/log/sudo
  • /var/log/sulog
  • /var/log/cron

Of course, these logs are cryptic and fragmented and that is where BeyondTrust comes in who is sponsoring this real training for free session. 

Patrick Schneider will briefly show you how to centralize and manage the vast amounts of cryptic and fragmented data and access that data in a central repository. From start to finish, when you login to a Linux server using your AD credentials, elevate your privileges using Sudo on your Linux Workstation or elevating privileges on your tier 1 critical Linux Server infrastructure, Patrick will show you how to capture, search and access those fragmented logs as well as manage the policies and scripts in an easy-to-use GUI.

Come and learn from Patrick that capturing, accessing and managing vast amounts of data can be easy when it comes to Linux single-sign-on and elevating privileges.

Please join us for this real training for free Session.

First Name:   
Last Name:   
Work Email:  
Zip/Postal Code:  
Company size:
I'd like to schedule a personalized demo with a BeyondTrust rep for:

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.



Additional Resources