Background for LogAudit
I was recently approached by one of my clients who had a breach on one of their servers. Thinking FCAPS (Fault Management, Configuration, Accounting, Performance, Security), I knew the first place to start on the box was the auth.log file. Since it was an Ubuntu 11.04 box, the log files were located under /var/log/. Some distributions change the log location, but doing so goes against convention. That's where I came up with the idea for LogAudit.
I made a PHP script that would import the log file and match up the session start and session close entries. This lets you see how long a session lasted, who the user was, when it started and ended, and the module and sub-module that allowed the authentication. I whipped together LogAudit within a couple of minutes and had a method of procedure for the customer within an hour.
Here is an example of what two of the log entries looked like:
Aug 23 22:36:53 angryserver sshd[8049]: pam_unix(sshd:session): session opened for user sixeightzero
Aug 23 23:19:26 angryserver sshd[8049]: pam_unix(sshd:session): session closed for user sixeightzero
Note: auth.log is readable only by root by default (on Ubuntu it is owned by syslog:adm with mode 0640, so members of the adm group can read it too), so either run this script as root or adjust the file permissions so that the user executing the script can read it.
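The pairing step described above, as an added example that is not LogAudit's own code (it is Python rather than the PHP from the post). It keys each "session opened" line to its "session closed" line on host, daemon, PID and user rather than on the PID alone, and reports sessions that never closed or closed without an open, which is exactly what you want to see after a breach. The log lines are constructed to resemble the entries shown above; the year (syslog lines carry none), the hostnames, the IP address and the PIDs are assumptions.

```python
"""Pair pam_unix 'session opened'/'session closed' lines from an auth.log and
report per-session durations (added example, not LogAudit's Parser.php)."""
import operator
import re
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<daemon>[^\s\[]+)\[(?P<pid>\d+)\]: '
    r'pam_unix\((?P<module>[^:]+):(?P<function>[^)]+)\): '
    r'session (?P<action>opened|closed) for user (?P<user>\S+)'
)

# Comparison operators accepted by get_length(), so no eval() is needed.
OPS = {'>': operator.gt, '>=': operator.ge, '<': operator.lt,
       '<=': operator.le, '==': operator.eq, '!=': operator.ne}


def parse_timestamp(mon, day, hms, year):
    """Syslog timestamps have no year, so the caller supplies one (assumption)."""
    return datetime.strptime(f'{year} {mon} {int(day):02d} {hms}',
                             '%Y %b %d %H:%M:%S')


def pair_sessions(lines, year):
    """Match every 'session opened' line with its 'session closed' line.

    The key is (host, daemon, pid, user): PIDs are reused, and sshd and cron
    can log the same PID, so the PID alone would mis-pair sessions.
    Returns (sessions, problems); problems lists lines that did not pair.
    """
    open_sessions, sessions, problems = {}, [], []
    for raw in lines:
        raw = raw.rstrip('\n')
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a pam_unix session line (e.g. "Accepted publickey")
        f = m.groupdict()
        ts = parse_timestamp(f['mon'], f['day'], f['hms'], year)
        key = (f['host'], f['daemon'], f['pid'], f['user'])
        if f['action'] == 'opened':
            if key in open_sessions:
                # Opened twice with no close in between: the first never closed
                problems.append(('unclosed', open_sessions.pop(key)['entry']))
            open_sessions[key] = {
                'entry': raw, 'host': f['host'], 'daemon': f['daemon'],
                'pid': int(f['pid']), 'module': f['module'],
                'function': f['function'], 'user': f['user'],
                'month': ts.month, 'day': ts.day, 'start': ts,
                'end': None, 'session_time': None,
            }
        else:
            s = open_sessions.pop(key, None)
            if s is None:
                problems.append(('close_without_open', raw))
                continue
            s['end'] = ts
            s['session_time'] = int((ts - s['start']).total_seconds())
            sessions.append(s)
    # Still open at end of log: a live or abandoned session worth a close look
    for s in open_sessions.values():
        problems.append(('still_open', s['entry']))
        sessions.append(s)
    sessions.sort(key=lambda s: s['start'])
    return sessions, problems


def get_length(sessions, expr):
    """Filter like LogAudit's getLength('> 10200'); unclosed sessions are skipped."""
    op, _, value = expr.strip().partition(' ')
    if op not in OPS:
        raise ValueError(f'unsupported operator: {op!r}')
    threshold = int(value)
    return [s for s in sessions
            if s['session_time'] is not None and OPS[op](s['session_time'], threshold)]


# Constructed sample log (not from the original post): includes a non-session
# line, a PID (8049) reused by cron, a session that never closes (31908) and a
# close with no matching open (31950).
SAMPLE_LOG = [
    'Aug 23 22:36:50 angryserver sshd[8049]: Accepted publickey for sixeightzero from 192.0.2.10 port 51234 ssh2',
    'Aug 23 22:36:53 angryserver sshd[8049]: pam_unix(sshd:session): session opened for user sixeightzero by (uid=0)',
    'Aug 23 22:40:10 angryserver sshd[8102]: pam_unix(sshd:session): session opened for user root by (uid=0)',
    'Aug 23 23:19:26 angryserver sshd[8049]: pam_unix(sshd:session): session closed for user sixeightzero',
    'Aug 24 00:05:00 angryserver sshd[8102]: pam_unix(sshd:session): session closed for user root',
    'Aug 24 06:17:01 angryserver CRON[8049]: pam_unix(cron:session): session opened for user root by (uid=0)',
    'Aug 24 06:17:02 angryserver CRON[8049]: pam_unix(cron:session): session closed for user root',
    'Aug 29 20:10:01 angryserver sshd[31908]: pam_unix(sshd:session): session opened for user sixeightzero by (uid=0)',
    'Aug 29 21:00:00 angryserver sshd[31950]: pam_unix(sshd:session): session closed for user bob',
]

if __name__ == '__main__':
    found, issues = pair_sessions(SAMPLE_LOG, year=2012)
    for s in found:
        print(s['daemon'], s['pid'], s['user'], s['start'], s['end'], s['session_time'])
    for kind, line in issues:
        print('PROBLEM', kind, '->', line)
    print('long sessions:', [s['pid'] for s in get_length(found, '> 3000')])
```

A log that spans a year boundary needs a rollover check (a timestamp that jumps backwards means the year incremented); the example takes a single year to keep the pairing logic in view.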
Get The Code
You can download the LogAudit Source Code here.
It is a simple ZIP file.
Usage
Here are the query methods that are built in:
<?php
// Include Parser.php - The LogAudit Source
include('Parser.php');
// Create an instance of the Auth class.
// The optional argument is a username; if it is
// given, every query is restricted to that user.
$Audit = new LogAuditAuth('sixeightzero');
// $Audit->getLength will search for entries that
// match your operator passed as a string in the
// argument.
foreach($Audit->getLength('> 10200') as $Entry){
// $Entry contains all entries which
// are greater than 10200 seconds
print_r($Entry);
}
// $Audit->getUser will search for entries that
// were logged by the specified user.
// NOTE: If you start the class with a user,
// this will only return results for the user
// passed in the construct
foreach($Audit->getUser('root') as $Entry){
// $Entry contains all entries which
// occurred for the root user
print_r($Entry);
}
// $Audit->getMonth will search for entries that
// occurred in the specified numeric month
foreach($Audit->getMonth(12) as $Entry){
// $Entry contains all entries which
// occurred during the provided month
print_r($Entry);
}
// $Audit->getModule will search for entries that
// were created by the daemon/log source you supply
foreach($Audit->getModule('sshd') as $Entry){
// $Entry contains all entries which
// were created by sshd
print_r($Entry);
}
// $Audit->getHost will search for entries that
// were generated by the provided host
foreach($Audit->getHost('angryserver') as $Entry){
// $Entry contains all entries which
// were created on angryserver. This
// is useful for a syslog server
print_r($Entry);
}
Here is an example of the returned objects (these two match the getLength('> 10200') query above; note that in this version the date and time fields hold each other's values):
stdClass Object
(
[entry] => Aug 23 22:36:53 angryserver sshd[8049]: pam_unix(sshd:session): session opened for user sixeightzero
[date] => 22:36:53
[time] => Aug-23
[start_timestamp] => 1345775813
[end_timestamp] => 1345788487
[host] => angryserver
[daemon] => sshd
[pid] => 8049
[module] => sshd
[function] => session
[user] => sixeightzero
[month] => 08
[day] => 23
[session_time] => 12674
[searched_for] => session_time
)
stdClass Object
(
[entry] => Aug 29 20:10:01 angryserver sshd[31908]: pam_unix(sshd:session): session opened for user sixeightzero
[date] => 20:10:01
[time] => Aug-29
[start_timestamp] => 1346285401
[end_timestamp] => 1346476329
[host] => angryserver
[daemon] => sshd
[pid] => 31908
[module] => sshd
[function] => session
[user] => sixeightzero
[month] => 08
[day] => 29
[session_time] => 190928
[searched_for] => session_time
)