SSH login audit

[root@server ~]# tail /var/log/secure
Aug 14 08:50:43 server polkitd[618]: Loading rules from directory /etc/polkit-1/rules.d
Aug 14 08:50:43 server polkitd[618]: Loading rules from directory /usr/share/polkit-1/rules.d
Aug 14 08:50:43 server polkitd[618]: Finished loading, compiling and executing 2 rules
Aug 14 08:50:43 server polkitd[618]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Aug 14 08:50:48 server sshd[816]: Server listening on 0.0.0.0 port 22.
Aug 14 08:50:48 server sshd[816]: Server listening on :: port 22.
Aug 14 08:51:49 server login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Aug 14 08:51:49 server login: ROOT LOGIN ON tty1
Aug 14 08:52:11 server sshd[2282]: Accepted password for root from 192.168.122.1 port 58025 ssh2
Aug 14 08:52:11 server sshd[2282]: pam_unix(sshd:session): session opened for user root by (uid=0)
To view a list of successful logins using the SSH protocol, use the command below. Note that the session-open lines do not carry the client address; that is in the matching "Accepted password" line logged by the same sshd PID (compare sshd[2282] above).

[root@server ~]# cat /var/log/secure | grep 'sshd.*opened'
Aug 10 12:08:07 localhost sshd[10192]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 10 12:25:32 server sshd[1945]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 10 12:43:31 server sshd[2003]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 14 08:52:11 server sshd[2282]: pam_unix(sshd:session): session opened for user root by (uid=0)

To view a list of logins made on the local console (via the login program on a tty), use

[root@server ~]# cat /var/log/secure | grep 'login.*tty'
Aug 9 19:57:01 localhost login: ROOT LOGIN ON tty1
Aug 10 12:07:43 localhost login: ROOT LOGIN ON tty1
Aug 14 08:51:49 server login: ROOT LOGIN ON tty1

[root@server ~]# logout
Connection to 192.168.122.39 closed.

mohammedrafi@NOC-RAFI:~$ ssh root@192.168.122.39
root@192.168.122.39's password:
Permission denied, please try again.
root@192.168.122.39's password:
Permission denied, please try again.
root@192.168.122.39's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
mohammedrafi@NOC-RAFI:~$ ssh root@192.168.122.39
root@192.168.122.39's password:
Last failed login: Sun Aug 14 08:57:51 IST 2016 from 192.168.122.1 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Sun Aug 14 08:52:11 2016 from 192.168.122.1
To view a list of failed attempts using the SSH protocol, use the command below. The three entries that follow come from one sshd PID and one client port, i.e. a single connection that retried the password three times, and they are the three attempts summarised by the "There were 3 failed login attempts" banner shown at the next successful login.

[root@server ~]# cat /var/log/secure | grep 'sshd.*Failed'
Aug 14 08:57:44 server sshd[2365]: Failed password for root from 192.168.122.1 port 58028 ssh2
Aug 14 08:57:47 server sshd[2365]: Failed password for root from 192.168.122.1 port 58028 ssh2
Aug 14 08:57:51 server sshd[2365]: Failed password for root from 192.168.122.1 port 58028 ssh2
[root@server ~]# tail /var/log/messages
Aug 14 08:51:54 server systemd: Started puppetserver Service.
Aug 14 08:51:54 server systemd: Reached target Multi-User System.
Aug 14 08:51:54 server systemd: Starting Multi-User System.
Aug 14 08:51:54 server systemd: Started Stop Read-Ahead Data Collection 10s After Completed Startup.
Aug 14 08:51:54 server systemd: Starting Update UTMP about System Runlevel Changes...
Aug 14 08:51:54 server systemd: Started Update UTMP about System Runlevel Changes.
Aug 14 08:51:54 server systemd: Startup finished in 440ms (kernel) + 2.116s (initrd) + 1min 19.926s (userspace) = 1min 22.483s.
Aug 14 08:52:11 server systemd: Started Session 2 of user root.
Aug 14 08:52:11 server systemd-logind: New session 2 of user root.
Aug 14 08:52:11 server systemd: Starting Session 2 of user root.
The audit log records the same SSH login in more detail; pid=2282 in the USER_AUTH record below matches the sshd[2282] entries in /var/log/secure above, which lets the two logs be correlated.

[root@server ~]# tail /var/log/audit/audit.log
type=USER_AUTH msg=audit(1471144931.511:57): pid=2282 uid=0 auid=4294967295 ses=4294967295 msg='op=success acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1471144931.511:58): pid=2282 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
type=LOGIN msg=audit(1471144931.511:59): pid=2282 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=2 res=1
type=USER_START msg=audit(1471144931.521:60): pid=2282 uid=0 auid=0 ses=2 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="root" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1471144931.526:61): pid=2284 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1471144931.526:62): pid=2284 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/0 res=success'
type=CRYPTO_KEY_USER msg=audit(1471144931.526:63): pid=2284 uid=0 auid=0 ses=2 msg='op=destroy kind=server fp=52:5b:8a:32:6d:00:3c:6b:0a:3e:de:a9:0f:5f:00:0c direction=? spid=2284 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=pts/0 res=success'
type=CRYPTO_KEY_USER msg=audit(1471144931.526:64): pid=2284 uid=0 auid=0 ses=2 msg='op=destroy kind=server fp=49:98:67:a6:af:44:ef:8b:12:58:09:e5:94:64:9e:a4 direction=? spid=2284 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=pts/0 res=success'
type=CRYPTO_KEY_USER msg=audit(1471144931.527:65): pid=2284 uid=0 auid=0 ses=2 msg='op=destroy kind=server fp=b7:19:5d:83:27:86:f1:2a:57:c3:ba:18:7c:0a:45:58 direction=? spid=2284 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.122.1 terminal=pts/0 res=success'
type=CRED_REFR msg=audit(1471144931.527:66): pid=2284 uid=0 auid=0 ses=2 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'
[root@server ~]# last root
root pts/0 192.168.122.1 Sun Aug 14 08:57 still logged in
root pts/0 192.168.122.1 Sun Aug 14 08:52 - 08:57 (00:05)
root tty1 Sun Aug 14 08:51 still logged in
root pts/0 192.168.122.1 Wed Aug 10 12:43 - down (05:08)
root pts/0 192.168.122.1 Wed Aug 10 12:25 - down (00:17)
root pts/0 192.168.122.1 Wed Aug 10 12:08 - down (00:16)
root tty1 Wed Aug 10 12:07 - 12:24 (00:17)
root tty1 Tue Aug 9 19:57 - 19:57 (00:00)

wtmp begins Tue Aug 9 19:56:37 2016

[root@server ~]# tail /etc/passwd
systemd-network:x:998:996:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:995:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rafi:x:1000:1000:rafi:/home/rafi:/bin/bash
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin
nagios:x:1001:1001::/usr/local/nagios/:/bin/bash
mshaik:x:1002:1003::/home/mshaik:/bin/bash

[root@server ~]# last mshaik

wtmp begins Tue Aug 9 19:56:37 2016

[root@server ~]# lastb mshaik

btmp begins Sun Aug 14 08:57:44 2016

[root@server ~]# lastb root
root ssh:notty 192.168.122.1 Sun Aug 14 08:57 - 08:57 (00:00)
root ssh:notty 192.168.122.1 Sun Aug 14 08:57 - 08:57 (00:00)
root ssh:notty 192.168.122.1 Sun Aug 14 08:57 - 08:57 (00:00)

btmp begins Sun Aug 14 08:57:44 2016

The btmp start time coincides with the first failed password entry in /var/log/secure above, so presumably no failed attempts before that are recorded in btmp; an empty last or lastb listing for a user (as for mshaik above) only means there are no entries for that user since the file's start date shown in the trailer.
