[Cialug] Auditing logs for a delicate situation

Nicolai nicolai-cialug at chocolatine.org
Fri Feb 10 21:01:48 CST 2012


On Fri, Feb 10, 2012 at 11:38:45PM +0000, Hasler, Chris wrote:
> Hi all,

> I've just been asked to look for evidence that a person did log in on
> certain days.

In addition to lastlog and so on, you should look at the access and
modified times of the user's home directory files, especially .profile
or .bashrc or $HISTFILE.  In this case it helps if the partition wasn't
mounted noatime of course, and files can easily be tampered with so
YMMV.

Does your firewall log ssh connections?  If so, assuming you restrict
the IP addresses etc. allowed to make connections, you may be able to
narrow a login down to the person in question through process of
elimination.

You may also be able to walk backward through backups, noting any
unexpected file changes.  It would be interesting if:

Friday: guy gets fired
Friday night backup: ~user takes 120MB
...
Monday night backup: ~user unexpectedly takes 2MB

Do you have daily cron scripts reporting disk, quota, or other usage?
System reports could be interesting.

All of this in addition to checking the logs on the logging server.

Nicolai
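The timestamp check described in the reply above, as an added example that is not code from the original post: it lists the dotfiles in a home directory whose access or modification time falls inside a date window, and reports whether the filesystem was mounted noatime (in which case atime tells you nothing). It assumes GNU coreutils (`stat -c`, `date -d`) and `findmnt`, i.e. a typical Linux host.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils
# (stat -c, date -d) and findmnt; the file list is an assumption too.

# Print "<label> <epoch> <path>" for each dotfile in HOME_DIR whose
# access (atime) or modification (mtime) time lies within [START, END].
# START and END are YYYY-MM-DD; END is inclusive (through 23:59:59).
timestamps_in_window() {
    home_dir=$1
    start=$(date -d "$2" +%s)
    end=$(date -d "$3 23:59:59" +%s)
    for f in "$home_dir/.profile" "$home_dir/.bashrc" \
             "$home_dir/.bash_history" "$home_dir/.history"; do
        [ -f "$f" ] || continue
        atime=$(stat -c %X "$f")   # last access, seconds since epoch
        mtime=$(stat -c %Y "$f")   # last modification
        if [ "$atime" -ge "$start" ] && [ "$atime" -le "$end" ]; then
            echo "atime $atime $f"
        fi
        if [ "$mtime" -ge "$start" ] && [ "$mtime" -le "$end" ]; then
            echo "mtime $mtime $f"
        fi
    done
    return 0
}

# Print "unreliable" if the filesystem holding HOME_DIR is mounted with
# noatime (atime is never updated), "reliable" otherwise, and "unknown"
# if findmnt is not available.  Note that relatime, the Linux default,
# still only updates atime when it is older than mtime/ctime or a day old.
atime_reliable() {
    command -v findmnt >/dev/null 2>&1 || { echo unknown; return 0; }
    opts=$(findmnt -no OPTIONS --target "$1" 2>/dev/null) || { echo unknown; return 0; }
    case ",$opts," in
        *,noatime,*) echo unreliable ;;
        *)           echo reliable ;;
    esac
    return 0
}

# Example run against a real home directory (output omitted):
#   atime_reliable /home/user
#   timestamps_in_window /home/user 2012-02-09 2012-02-11
```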
