![]() These fields can be used to analyze other authentication related metrics, such as users logged in at the same time from multiple remote locations.įinally, you might also want to look at other similar searches to this in our article Managing *nix system user account behavior. Interesting fields that are extracted by the add-on include dest (destination), pid (process id), process (process name), src_port (port of the authentication process), sshd_protocol, and user. Oct 23 19:43:12 acmepayroll sshd: Accepted password for root from 10.11.36.11 port 2958 ssh2 The data in this example is usually found in the Linux auth.log and is given the sourcetype of linux_secure by the Splunk Add-on. ![]() Controlling administrative privileges is not only a security measure but also an aid in root cause for misconfigurations. Sudo is one way to control such privileges and the report generated by this search can be used to discover and give attestation to compliance to the control. The above report is also useful for compliance because many controls, such as the CIS Controls, state that an organization must show controlled use of administrative privileges. This makes it possible to trace back privileged actions to known users on the system rather than unknown users who gain direct access as root but know the root password. In the case above, we have no idea what identity was behind the root user who logged in to 10.2.1.35. ssh and execute several commands as another user through a heredoc. Source environment variables and execute bash before running local script on remote machine. ![]() bash script starting new shell and continuing to run commands. It is a best practice to not allow direct root access to the system but rather to always require sudo to gain access to privileged functions. SSH to server, Sudo su - then run commands in bash. Note that the above sample output shows two instances of root as a user, which indicates direct root access to the system. sites-available/default-ssl 000-default-ssl For example, if user Tom used sudo to edit important config files found in the /etc, you might be able to confirm those changes caused a service to malfunction. Knowing this information can identify problems with the system that are the result of system configuration changes. See sudo documentation to learn how to do that.The resulting table shows which users ran which command with administrative privileges. So you may be able to do the above only if you are allowed to do sudo su without being prompted with password. However you will not be able to provide a password for su (see remote command execution limitations).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |