Linux Logging
Limit Logging from SSH Session
To avoid a login record in /var/log/wtmp: sshd writes utmp/wtmp entries only for sessions that are allocated a PTY, so a session that requests no PTY leaves nothing for last or who to show. The connection itself is still logged by sshd through syslog (auth.log or secure), so this hides the session record, not the login.
Finding Writable Directories for your Current User
Good hiding spots:
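Finding writable directories, as an added example that is not part of the original page. It uses only POSIX find and test, prunes /proc, /sys and /dev when the scan starts at /, and lists world-writable directories separately, marking sticky ones with a trailing t; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page: list directories the current user can
# write to, and separately the world-writable ones (the usual shared drop locations).
# The pseudo-filesystem pruning only takes effect when the scan starts at /.

writable_dirs() {  # writable_dirs ROOT...: directories the current user may write into
  find "$@" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
       -type d -exec test -w {} \; -print 2>/dev/null
}

world_writable_dirs() {  # world_writable_dirs ROOT...: mode o+w; a trailing "t" marks sticky dirs
  find "$@" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
       -type d -perm -0002 -print 2>/dev/null |
  while IFS= read -r d; do
    # sticky bit: anyone can create files here, but only the owner can remove them
    if [ -k "$d" ]; then printf '%s t\n' "$d"; else printf '%s\n' "$d"; fi
  done
}
```

Run writable_dirs / for a whole host; world-writable sticky directories are the ones every user can drop into, which also makes them the first place a responder looks.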
Unix Logging
Main log files can be identified by viewing
The majority of the log files
Hiding Shell History
Kill the bash shell outright so it never writes the session's commands to .bash_history (bash appends the in-memory history to the file only on a normal exit)
Disable history for the shell session as the very first command after landing on the box; everything typed before that is already in the in-memory list and would be written out on exit
On some distributions a leading space prevents a command from being written to history
This works only if the environment variable HISTCONTROL contains ignorespace (or ignoreboth, which includes it); check its value before relying on the trick, because the common default of ignoredups alone still records the command
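A check for the shell you have landed in, as an added example that is not part of the original page: it reports whether bash will persist this session's history and whether the leading-space trick will be honoured. The variable names are bash's own; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page: audit bash history settings in the
# current shell before typing anything worth hiding.

history_persists() {  # 0 if bash would append this session's commands to a file on exit
  [ -n "${HISTFILE:-}" ] || return 1           # unset or empty HISTFILE: nothing is written
  [ "${HISTSIZE:-500}" != 0 ] || return 1      # HISTSIZE=0: no in-memory list to save
  [ "${HISTFILESIZE:-500}" != 0 ] || return 1  # HISTFILESIZE=0: the file is truncated on exit
  return 0
}

space_trick_works() {  # 0 if a command typed with a leading space is dropped from history
  case ":${HISTCONTROL:-}:" in
    *:ignorespace:*|*:ignoreboth:*) return 0 ;;   # ignoreboth = ignorespace + ignoredups
    *) return 1 ;;
  esac
}

disable_history_here() {  # run in the current shell, not a subshell: bash writes no file without HISTFILE
  unset HISTFILE
}

history_report() {  # one-line summary of the shell you are in
  if history_persists; then p="will be written to $HISTFILE"; else p="will not be written"; fi
  if space_trick_works; then s="honoured"; else s="ignored (HISTCONTROL=${HISTCONTROL:-unset})"; fi
  printf 'history %s; leading space %s\n' "$p" "$s"
}

if [ "${1:-}" = report ]; then history_report; fi   # sh thisfile.sh report
```

Source the file rather than executing it when you want disable_history_here to affect the shell you are typing into; a child process cannot unset its parent's HISTFILE.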
Accounting Entries in Unix
Currently logged in users
Distro Dependent
Successful login attempts
Unsuccessful login attempts
Some admins disable this so that a password mistyped into the username field does not end up saved in the log
File showing the login name, port, and last login time for each user
These are binary files made of fixed-size utmp records and need special tools to read or edit; a text editor or sed run over them breaks the record boundaries
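Working with those binary accounting files, as an added example that is not part of the original page: it builds, dumps and edits utmp-format records with dd and od. It assumes the glibc struct utmp layout used on 64-bit little-endian Linux (384-byte records, the layout used by /var/log/wtmp, /var/log/btmp and /run/utmp); the function names and sample records are mine.

```shell
#!/bin/sh
# Added example, not from the original page: read and edit utmp-format files record
# by record. Assumes the glibc struct utmp layout of 64-bit little-endian Linux:
#
#   offset   0  ut_type    int16   7 USER_PROCESS, 8 DEAD_PROCESS, 2 BOOT_TIME, 6 LOGIN_PROCESS
#   offset   4  ut_pid     int32
#   offset   8  ut_line    char[32]   tty or pts name
#   offset  40  ut_id      char[4]
#   offset  44  ut_user    char[32]
#   offset  76  ut_host    char[256]  remote host for SSH logins
#   offset 332  ut_exit    2 x int16
#   offset 336  ut_session int32
#   offset 340  ut_tv      int32 seconds, int32 microseconds
#   offset 348  ut_addr_v6 4 x int32
#   offset 364  __unused   char[20]
REC=384

le16() { printf "$(printf '\\%03o\\%03o' $(($1 & 255)) $((($1 >> 8) & 255)))"; }
le32() { le16 $(($1 & 65535)); le16 $((($1 >> 16) & 65535)); }
field() {  # field STRING WIDTH: STRING cut or NUL-padded to exactly WIDTH bytes
  printf '%s' "$1" | dd bs=1 count="$2" 2>/dev/null
  [ "${#1}" -lt "$2" ] && dd if=/dev/zero bs=1 count=$(($2 - ${#1})) 2>/dev/null
  return 0
}

mkrec() {  # mkrec TYPE PID LINE ID USER HOST EPOCH: one 384-byte record on stdout
  le16 "$1"; le16 0                           # ut_type + alignment padding
  le32 "$2"                                   # ut_pid
  field "$3" 32; field "$4" 4                 # ut_line, ut_id
  field "$5" 32; field "$6" 256               # ut_user, ut_host
  le16 0; le16 0; le32 0                      # ut_exit, ut_session
  le32 "$7"; le32 0                           # ut_tv
  dd if=/dev/zero bs=1 count=36 2>/dev/null   # ut_addr_v6 + __unused
}

utmp_count() { echo $(( $(wc -c < "$1") / REC )); }
utmp_str()   { dd if="$1" bs=1 skip=$((REC * $2 + $3)) count="$4" 2>/dev/null | tr -d '\0'; }
utmp_type()  { dd if="$1" bs=1 skip=$((REC * $2)) count=2 2>/dev/null | od -An -tu2 | tr -d ' '; }
utmp_epoch() { dd if="$1" bs=1 skip=$((REC * $2 + 340)) count=4 2>/dev/null | od -An -tu4 | tr -d ' '; }
utmp_type_name() {
  case "$1" in
    0) echo EMPTY ;; 1) echo RUN_LVL ;; 2) echo BOOT_TIME ;; 5) echo INIT_PROCESS ;;
    6) echo LOGIN_PROCESS ;; 7) echo USER_PROCESS ;; 8) echo DEAD_PROCESS ;; *) echo "type$1" ;;
  esac
}

utmp_dump() {  # utmp_dump FILE: one line per record with the fields last(1) shows
  n=$(utmp_count "$1"); i=0
  while [ "$i" -lt "$n" ]; do
    printf '%s %-13s %-8s %-8s %s\n' "$(utmp_epoch "$1" $i)" "$(utmp_type_name "$(utmp_type "$1" $i)")" \
      "$(utmp_str "$1" $i 44 32)" "$(utmp_str "$1" $i 8 32)" "$(utmp_str "$1" $i 76 256)"
    i=$((i + 1))
  done
}

utmp_drop() {  # utmp_drop FILE RECNO > NEWFILE: copy every record except RECNO
  dd if="$1" bs="$REC" count="$2" 2>/dev/null
  dd if="$1" bs="$REC" skip=$(($2 + 1)) 2>/dev/null
}

if [ "${1:-}" = demo ]; then   # sh thisfile.sh demo: dump two constructed records
  f=$(mktemp)
  { mkrec 7 4242 pts/0 ts/0 alice 203.0.113.7 1700000000
    mkrec 8 4242 pts/0 ts/0 "" "" 1700000120; } > "$f"
  utmp_dump "$f"; rm -f "$f"
fi
```

Point utmp_dump at a copy of wtmp or btmp to see what last and lastb will report. Removing a record with utmp_drop needs write access to the file (root, or the utmp group) and leaves a gap in the DEAD_PROCESS pairing and in the file's modification time, both of which a careful responder compares against other sources such as the sshd syslog entries.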
Log Files to Check
Syslog
Key files
auth.log
System authentication and security events (Debian-based; Red Hat-based systems use secure)
boot.log
A record of boot-related events
dmesg
Kernel ring buffer messages, mostly hardware and device-driver events
dpkg.log
Software package-management events (Debian-based; Red Hat-based systems use yum.log or dnf.log)
kern.log
Linux kernel events
syslog
Catch-all for messages not routed to a more specific file (Debian-based; Red Hat-based systems use messages)
wtmp
Login and logout records for each session, read with last (who and w read the live utmp instead)
Logging levels (syslog severities, listed here from least to most severe; numeric values 7 down to 0)
debug
Helpful for debugging
info
Informational
notice
Normal but significant conditions
warning (often abbreviated warn)
Warning conditions
err
Error conditions
crit
Critical conditions
alert
Immediate action required
emerg
System unusable