💾 Archived View for gemlog.blue › users › alien › 1649947907.gmi captured on 2023-09-08 at 16:53:31. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2022-04-28)
-=-=-=-=-=-=-
There are certain files that are specially important for many reasons. Maybe itś a file you want to keep an eye on, or itś an important system file that you don't want people to take a look at (such as /etc/shadow or /etc/passwd in which there's key information regarding users and their passwords). (check here for more info about those files -> https://linuxize.com/post/etc-shadow-file/). In order to track them or using general hardening, one of the most popular options is SELinux kernel, but it's a little bit messy to configure and work with. In order to work around this very specific task of keeping an eye on a file, We are going to use a tool called auditd. First, it comes the installation. If you are new on Linux terminal commands, take a look at this article in which I explain about apt, cd, ls, mkdir, cat and git -> https://proxy.vulpes.one/gemini/gemlog.blue/users/alien/1649863071.gmi. Then, we will use apt to download auditd:
sudo apt install auditd audispd-plugins
Sometimes you will see apt-get instead of apt. Just so you know, itś not recommended to use it as itś a little bit deprecated already, comparing to simply using apt, but it will work almost the same! Now, this is a very special tool because it will work in the background, while you do your stuff, since it's meant to monitor files. So apart from installing, you will need to "start" it. This kind of tool is called service. So it would go like:
service auditd start
If for some reason you need to stop it, simply write:
service auditd stop
Now, auditd has so many options, we will focus on auditctl and ausearch. THe first one (auditctl) allows you to configure a monitoring option over a file, while ausearch allows you to check the logs. So for example, to set a rule over /etc/shadow file, we would do:
auditctl -w /etc/shadow -k shadow-file -p rwxa
If you encounter a permission issue, try executing the same line bus inclusing "sudo" before (sudo auditctl -w ...). auditcl command is used to perform the task, -w to select the file path, -k to give a keyname to the rule and -p to set the permission changes you want to monitor, in this case all of them! If we wanted to monitor only reading on /etc/passwr file, we would write:
auditctl -w /etc/passwd -k passwd-file -p r
Now if we let it work for a few minutes and we try to read any of those files, we could check the logs in order to see our reading attempts. for that we could use:
ausearch -f /etc/passwd
For passwd, or:
ausearch -f /etc/shadow
For /etc/shadoww file. Again if it doesn't work at first, try using "sudo" before (sudo ausearch -f...). You could ad -i youruser if you just want to monitor your own user:
ausearch -f /etc/shadow -i user
While "user" is the name of your user. IN any case, to make it easier, I created a script (a little code) in Bash (the linux scripting language) to help you out. It's here: https://git.sr.ht/~alienagain/gigur/tree/master/item/monitoring
If you haven't cloned my repository already, do so using:
git clone https://git.sr.ht/~alienagain/gigur
If you don't know what I'm talking about check this article -> https://proxy.vulpes.one/gemini/gemlog.blue/users/alien/1649863071.gmi
Now, first of all if you Linux is brand new, you might need to install some basic stuff. Go to requirements and use the script called "install_requirements.sh":
cd requirements
chmod u+x install_*
./install_requirements.sh
In this three commands I: got inside the folder called requirements; gave executing permissions to my user (chmod u+x) for the files which are called install_ and something else whatever it is (install_*); executed (./) the script called install_requirements.sh. Now we are all set. Let's go back to the main folder:
cd ..
This script I wrote is in a folder called "monitoring", so go inside that folder:
cd monitoring
Now, we will do similar than before and gave permissions to the script before executing:
chmod u+x monitor_files.sh
./monitor_files.sh
Now, if everything went okay, you will see the menu:
| \_____/ |
/ º º \ awoo
( w )
1 - Monitor a file
2 - Check file log
3 - Upload logs to a zip file
>
The first option do auditctl over selected files, the second options performs ausearch over selected files and the third one prepares a nice zip for you to save information fast and easy. But the whole scripts works using the concepts explained above + some other Linux magic. If you are curious you can use:
cat monitor_files.sh
Which will show you the code of the script. It's commented to help you (and myself) understand it.