How to Configure PAM to Audit Logging Shell User Activity

This is the fourth part of our ongoing series on Linux Auditing. In it we explain how to configure PAM to audit Linux TTY input (that is, log shell user activity) for specific users with the pam_tty_audit module.

Linux PAM (Pluggable Authentication Modules) is a highly flexible framework for implementing authentication in applications and system services; it evolved from the original Unix PAM.

It divides authentication into four management groups: account, auth, password and session modules (pam_tty_audit belongs to the session group). A detailed explanation of these groups is beyond the scope of this tutorial.

The pam_tty_audit module (a session module) turns auditing of TTY input on or off for the specified users. Once a user is marked for auditing, the kernel records what that user types at the terminal, buffered per session, and auditd writes the resulting TTY records to /var/log/audit/audit.log alongside the other audit events.

Configuring PAM for Auditing User TTY Input in Linux

You can configure PAM to audit a particular user's TTY input in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files, using the enable option; the disable option, as expected, turns auditing off for the listed users. The line has the format below:

session required pam_tty_audit.so disable=username,username2... enable=username,username2..

Once enabled, TTY auditing records every byte the user types, including spaces, backspaces, return keys and control characters, with one exception: input typed while the terminal has echo turned off, which is how programs read passwords, is skipped by default. To record that input as well, add the log_passwd option to the same line, in this form. Keep in mind that log_passwd writes passwords typed into su, sudo, ssh and similar programs in clear text into audit.log, so restrict access to that file accordingly:

session required pam_tty_audit.so disable=username,username2... enable=username log_passwd

But before you perform any configurations, note that:

  • As seen in the syntax above, you can pass several usernames to the enable or disable option, separated by commas; * matches every user.
  • Options are processed left to right, and any disable or enable option overrides a previous opposite option that matches the same username.
  • Once TTY auditing is enabled, it is inherited by all processes the audited user starts from that session.
  • If recording of keystrokes is activated, the input does not appear in the log instantly: TTY auditing first stores the keystrokes in a buffer and writes the buffer content at intervals, or after the audited user logs out, into the /var/log/audit/audit.log file.

Let’s look at an example below, where we’ll configure pam_tty_audit to record the actions of the user tecmint including keystrokes, across all terminals, while we disable TTY auditing for all other system users.

Open the following two configuration files. On RHEL/CentOS 7 both are symlinks to the authconfig-managed system-auth-ac and password-auth-ac files, so running authconfig later will overwrite your change; re-add the line afterwards.

# vi /etc/pam.d/system-auth
# vi /etc/pam.d/password-auth

Add the following line to the session section of both files.
session required pam_tty_audit.so disable=* enable=tecmint

To also capture what tecmint types while echo is off (passwords), add the log_passwd option as shown.

session required pam_tty_audit.so disable=* enable=tecmint log_passwd
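As an added example (not part of the original article), here is a small POSIX shell function that applies the matching rules listed earlier to the option string of a pam_tty_audit.so line, so you can check which users a given line really audits before you log out to test it. It implements only those rules; it does not read the real PAM files, and the sample line at the bottom is the one from this guide.

```shell
#!/bin/sh
# Resolve the effective pam_tty_audit state for one user from the option
# string that follows "pam_tty_audit.so".  Added example, not from the
# original article; it mirrors the documented matching rules, nothing more.

pam_tty_audit_state() {
    # $1: option string, e.g. 'disable=* enable=tecmint log_passwd'
    # $2: user name to resolve
    # Prints "enabled", "disabled" or "inherit" (no option named the user,
    # so the state of the parent process is kept), plus " log_passwd" when
    # that flag is present.
    opts=$1 user=$2 state=inherit passwd=""
    set -f                      # '*' must not be expanded against file names
    for opt in $opts; do
        case $opt in
            enable=*|disable=*)
                action=${opt%%=*}       # enable | disable
                names=${opt#*=}         # comma-separated user list
                old_ifs=$IFS; IFS=,
                for name in $names; do
                    # later options override earlier ones for the same user
                    if [ "$name" = "$user" ] || [ "$name" = '*' ]; then
                        state=${action}d
                    fi
                done
                IFS=$old_ifs ;;
            log_passwd) passwd=" log_passwd" ;;
        esac
    done
    set +f
    printf '%s%s\n' "$state" "$passwd"
}

# Extract the option string from a full PAM line; prints nothing for other modules.
pam_tty_audit_opts() {
    case $1 in
        *pam_tty_audit.so*) printf '%s\n' "${1#*pam_tty_audit.so}" ;;
        *) printf '\n' ;;
    esac
}

# The guide's final configuration line (constructed here, not read from /etc/pam.d).
LINE='session required pam_tty_audit.so disable=* enable=tecmint log_passwd'
for u in tecmint root nobody; do
    printf '%-8s %s\n' "$u" "$(pam_tty_audit_state "$(pam_tty_audit_opts "$LINE")" "$u")"
done
```

Run it and tecmint comes out as enabled with log_passwd while root and nobody are disabled; swap the two options (enable=tecmint disable=*) and tecmint becomes disabled as well, because the later option wins.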

Now save and close the files. The setting applies to sessions opened after the change, so log in again as tecmint, run a few commands and log out so the buffered keystrokes are flushed. Afterwards, view the recorded TTY input with the aureport utility.

# aureport --tty
Audit User TTY in Linux

From the output above, you can see that the user tecmint, whose UID is 1000, used the vi/vim editor, created a directory called bin and changed into it, cleared the terminal and so on.
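Behind aureport --tty, each batch of keystrokes is an audit record of type TTY whose data= field carries the input as a hex string. The following POSIX shell script, an added example rather than code from the original article, decodes that field into readable keystrokes so you can read audit.log directly, for instance on a central log server that has the file but not aureport. The record lines it processes are constructed here to follow the TTY record layout; they are not captured from a real system.

```shell
#!/bin/sh
# Decode the hex-encoded "data=" field of auditd TTY records into readable
# keystrokes, roughly what `aureport --tty` shows.  Added example, not from
# the original article.  The sample records below are constructed to match
# the TTY record layout, not copied from a real system.

decode_tty_hex() {
    # $1: hex string from a data= field; prints the decoded keystrokes
    hex=$1 out=""
    while [ ${#hex} -ge 2 ]; do
        rest=${hex#??}
        byte=${hex%"$rest"}          # first two hex digits
        hex=$rest
        dec=$((0x$byte))
        if [ "$dec" -ge 32 ] && [ "$dec" -le 126 ]; then
            ch=$(printf "\\$(printf '%03o' "$dec")")    # printable ASCII
        elif [ "$dec" -ge 128 ]; then
            ch="<0x$byte>"                               # non-ASCII byte
        else
            case $dec in                                 # control characters
                9)   ch='<tab>' ;;
                13)  ch='<ret>' ;;
                27)  ch='<esc>' ;;
                127) ch='<backspace>' ;;
                *)   ch="<^$(printf "\\$(printf '%03o' $((dec + 64)))")>" ;;
            esac
        fi
        out="$out$ch"
    done
    printf '%s\n' "$out"
}

report_tty_record() {
    # $1: one audit.log line. For TTY records prints "auid comm keystrokes";
    # records of any other type produce no output.
    line=$1 q='"'
    case $line in
        'type=TTY '*) ;;
        *) return 0 ;;
    esac
    auid=${line##*auid=};  auid=${auid%% *}
    comm=${line##*comm=$q}; comm=${comm%%$q*}
    data=${line##*data=};  data=${data%%[!0-9A-Fa-f]*}
    printf '%s %s %s\n' "$auid" "$comm" "$(decode_tty_hex "$data")"
}

# Constructed sample: a session start followed by three TTY records from
# the same shell (mkdir bin<ret>, cd b<tab><ret>, Ctrl-C).
SAMPLE_AUDIT_LOG='type=USER_START msg=audit(1506347010.000:156): pid=2780 uid=0 auid=1000 ses=2 res=success
type=TTY msg=audit(1506347015.326:157): tty pid=2785 uid=1000 auid=1000 ses=2 major=136 minor=0 comm="bash" data=6D6B6469722062696E0D
type=TTY msg=audit(1506347020.101:158): tty pid=2785 uid=1000 auid=1000 ses=2 major=136 minor=0 comm="bash" data=63642062090D
type=TTY msg=audit(1506347031.540:159): tty pid=2785 uid=1000 auid=1000 ses=2 major=136 minor=0 comm="bash" data=03'

printf '%s\n' "$SAMPLE_AUDIT_LOG" | while IFS= read -r line; do
    report_tty_record "$line"
done
```

Against a real file, run it as grep '^type=TTY' /var/log/audit/audit.log | while IFS= read -r line; do report_tty_record "$line"; done. Printable bytes are emitted as-is, a few control characters get names, anything else is shown as <^X>, and bytes above 0x7F (UTF-8 sequences) are left as <0xNN> so nothing is misrendered.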

To report only TTY input recorded within a time window, use -ts to specify the start date/time and -te to set the end date/time. Some examples:

# aureport --tty -ts 09/25/2017 00:00:00 -te 09/26/2017 23:00:00
# aureport --tty -ts this-week

You can find more information, in the pam_tty_audit man page.

# man pam_tty_audit

Check out the following useful articles.

  1. Configure “No Password SSH Keys Authentication” with PuTTY on Linux Servers
  2. Setting Up LDAP-based Authentication in RHEL/CentOS 7
  3. How to Setup Two-Factor Authentication (Google Authenticator) for SSH Logins
  4. SSH Passwordless Login Using SSH Keygen in 5 Easy Steps
  5. How to Run ‘sudo’ Command Without Entering a Password in Linux

In this article, we described how to configure PAM for auditing the TTY input of specific users on CentOS/RHEL. If you have any questions or additional ideas to share, use the comment form below.

How to Audit Linux Process Using ‘autrace’ on CentOS/RHEL

This article is part of our ongoing series on Linux Auditing; in the last three articles we explained how to audit Linux systems (CentOS and RHEL), query auditd logs using ausearch and generate reports using the aureport utility.

In this article, we will explain how to audit a given process using autrace utility, where we’ll analyze a process by tracing the system calls a process makes.

Read Also: How to Trace Execution of Commands in Shell Script with Shell Tracing

What is autrace?

autrace is a command line utility that runs a program until it exits, much like strace; before starting it, autrace adds audit rules that trace that process, and the records land in /var/log/audit/audit.log. For it to work you must first delete all existing audit rules (autrace refuses to run otherwise), and because autrace removes only the rules it added when the program exits, you will need to reload your own rules afterwards.

The syntax for using autrace is shown below. It accepts only one option, -r, which limits the collected syscalls to those needed for assessing the resource usage of the process:

# autrace -r program program-args

Attention: the autrace man page shows the syntax as follows, which is a documentation mistake. Written this way, -r is passed to the program being traced, which will treat it as one of its own options and either fail or do whatever -r means to it.

# autrace program -r program-args

If you have any audit rules present, autrace shows the following error.

# autrace /usr/bin/df

autrace Error

First delete all the auditd rules with the following command.

# auditctl -D

Then proceed to run autrace with your target program. In this example, we are tracing the execution of df command, which shows filesystem usage.

# autrace /usr/bin/df -h

Trace df Command

autrace prints the PID of the traced process when it finishes (2678 in the screenshot above). Use that PID to pull all log entries of the trace out of the audit log with the ausearch utility, as follows.

# ausearch -i -p 2678

Where the option:

  • -i – enables interpreting of numeric values into text.
  • -p – passes the process ID to be searched.

Audit Report of df Command
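Because auditctl -D wipes your own rules and autrace removes only the rules it added, a practitioner will want the trace wrapped in a save-and-restore step. The script below is an added example, not code from the original article or from the audit project. It assumes the audit package's auditctl, autrace and ausearch, that auditctl -l prints rules in a form auditctl -R can reload (audit 2.4 and later), and that autrace ends with a line of the form Trace complete. You can locate the records with 'ausearch -i -p 2678', from which it takes the PID shown in the screenshot above.

```shell
#!/bin/sh
# Run autrace without losing the audit rules it forces you to delete.
# Added example, not from the original article.  Assumes the audit
# package's auditctl, autrace and ausearch, and that autrace ends with
#   Trace complete. You can locate the records with 'ausearch -i -p 2678'
# from which the PID of the traced process is taken.

pid_from_autrace_output() {
    # $1: captured autrace output; prints the PID from its closing line,
    # or nothing if that line is absent (autrace failed before tracing).
    printf '%s\n' "$1" |
    sed -n 's/.*ausearch -i -p \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

safe_autrace() {
    # usage: safe_autrace [-r] /path/to/program [program-args...]
    [ "$(id -u)" -eq 0 ] || { echo "safe_autrace: must run as root" >&2; return 1; }
    # With "enabled 2" (auditctl -e 2) the rule set is locked: auditctl -D
    # fails and only a reboot unlocks it, so stop early instead of failing later.
    if auditctl -s 2>/dev/null | grep -Eq 'enabled[ =]2'; then
        echo "safe_autrace: audit rules are locked (enabled=2)" >&2; return 1
    fi
    saved=$(mktemp) || return 1
    # Snapshot the loaded rules in auditctl syntax; "No rules" is a status
    # line, not a rule.
    auditctl -l | grep -v '^No rules' > "$saved"
    auditctl -D > /dev/null
    out=$(autrace "$@" 2>&1); status=$?
    printf '%s\n' "$out"
    # Reload the snapshot whatever autrace did; autrace removes only its own rules.
    if [ -s "$saved" ]; then
        if auditctl -R "$saved" > /dev/null; then
            rm -f "$saved"
        else
            echo "safe_autrace: rule reload failed; rules kept in $saved" >&2
        fi
    else
        rm -f "$saved"
    fi
    pid=$(pid_from_autrace_output "$out")
    if [ -n "$pid" ]; then
        echo "records:  ausearch -i -p $pid"
        echo "report:   ausearch -p $pid --raw | aureport -i -f"
    fi
    return "$status"
}

# Only trace when a program is given, e.g.:  ./safe_autrace.sh /usr/bin/df -h
if [ $# -gt 0 ]; then
    safe_autrace "$@"
fi
```

On systems that keep their rules in /etc/audit/rules.d, augenrules --load is an equally valid way to restore the persistent set after the trace; the snapshot approach above restores whatever was loaded at the time, including rules added by hand.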

To generate a report about the trace details, you can build a command line of ausearch and aureport like this.

# ausearch -p 2678 --raw | aureport -i -f

Where:

  • --raw – tells ausearch to output the raw records, which aureport reads from stdin.
  • -f – enables reporting about files and af_unix sockets.
  • -i – allows interpreting of numeric values into text.

Generate Trace Report of df Command

And using the command below, we are limiting the syscalls gathered to ones needed for analyzing resource usage of the df process.

# autrace -r /usr/bin/df -h

Suppose you have been autracing programs for the past week, so there is a lot of information in the audit logs. To produce a report from only today's records, use the ausearch -ts flag to set the start date/time of the search:

# ausearch -ts today -p 2678 --raw | aureport -i -f

Generate Trace Report based on Time

That’s it! This is how you trace and audit a specific Linux process with the autrace tool; for more information check the man pages.

You can also read out these related, useful guides:

  1. Sysdig – A Powerful System Monitoring and Troubleshooting Tool for Linux
  2. BCC – Dynamic Tracing Tools for Linux Performance Monitoring, Networking and More
  3. 30 Useful ‘ps Command’ Examples for Linux Process Monitoring
  4. CPUTool – Limit and Control CPU Utilization of Any Process in Linux
  5. Find Top Running Processes by Highest Memory and CPU Usage in Linux

That’s all for now! You can ask any questions or share thoughts about this article via the comment form below. In the next article, we will describe how to configure PAM (Pluggable Authentication Modules) for auditing the TTY input of specified users on CentOS/RHEL.

15 Useful ‘Sockstat Command Examples’ to Find Open Ports in FreeBSD

Sockstat is a versatile command line utility for displaying open network and system sockets in FreeBSD. It is installed by default and is commonly used to show which process has opened a given network port on a FreeBSD system.

However, sockstat can also list open sockets based on protocol version (both IP versions), on the state of the connection and on what ports a daemon or a program binds and listens on.

Read Also: 20 Useful ‘netstat’ Command Examples to Check Network Connections

It can also display inter-process communication sockets, known as Unix domain sockets or IPC. Combined with grep, or piped through awk, sockstat is a powerful tool for inspecting the local networking stack.

It can narrow the results to sockets owned by a given user, to a particular file descriptor, or to the PID of the process that opened the socket.

In this guide we'll go through some common, and quite powerful, usage examples of the sockstat command line networking utility in FreeBSD.

Requirements

  1. FreeBSD 11.1 Installation Guide

1. List All Opened Ports in FreeBSD

Simply executed without any options or switches, sockstat command will display all opened sockets in a FreeBSD system, as illustrated in the below screenshot.

# sockstat

Display Network Ports in FreeBSD

The values displayed in the sockstat output are described as:

  • USER : The owner (user account) of the socket.
  • COMMAND : The command that opened the socket.
  • PID : The process ID of the command which owns the socket.
  • FD : The file descriptor number of the socket.
  • PROTO : The transport protocol (usually TCP or UDP) of the socket or, for Unix domain sockets, the socket type (dgram, stream or seqpac).
  • LOCAL ADDRESS : It represents the local IP address for IP based sockets. In case of Unix sockets it represents endpoint filename attached to the socket. The “??” notation implies that the socket endpoint could not be recognized or established.
  • FOREIGN ADDRESS : The remote IP address where the socket is connected to.

2. List Listening or Opened Ports in FreeBSD

Executed with the -l flag, sockstat displays all listening sockets in the network stack, plus all open Unix domain sockets and named pipes involved in local data exchange on the system.

# sockstat -l

List Opened Network Ports

3. List IPv4 Opened Ports in FreeBSD

To display all opened sockets for IPv4 protocol only, issue the command with the -4 flag, as suggested in the below example.

# sockstat -4

List IPv4 Opened Ports in FreeBSD

4. List IPv6 Opened Ports in FreeBSD

Similar to IPv4 version, you can also display the opened network sockets for IPv6 only, by issuing the command as shown below.

# sockstat -6

List IPv6 Opened Ports

5. List TCP or UDP Opened Ports in FreeBSD

In order to display network sockets based only on a specified network protocol, such as TCP or UDP, use the -P flag, followed by the argument name of the protocol.

The protocol names can be found by inspecting the content of the /etc/protocols file. Currently, the ICMP protocol is not supported by the sockstat tool.

Show only TCP sockets
# sockstat -P tcp

List TCP Opened Ports

Show only UDP sockets
# sockstat -P udp

List UDP Opened Ports

Chain both protocols.

# sockstat -P tcp,udp

6. List TCP and UDP Specific Port Numbers

If you want to display all open TCP or UDP sockets based on a local or remote port number, use the -p flag as shown below (it matches the port on either end of the socket). To cover several ports of both protocols at once, pass both protocols to -P as well.

# sockstat -P tcp -p 443              [Show TCP HTTPS port]
# sockstat -P udp -p 53               [Show UDP DNS port]
# sockstat -P tcp,udp -p 443,53,80,21 [Show both TCP and UDP on several ports]

List Specific TCP Port

7. List Opened and Connected Ports in FreeBSD

In order to display all opened and connected sockets, use the -c flag. As shown in the below samples, you can list all HTTPS connected sockets or all TCP connected sockets by issuing the commands.

# sockstat -P tcp -p 443 -c
# sockstat -P tcp -c

List Opened and Connected Ports

8. List Network Listening Ports in FreeBSD

To list all open TCP sockets in the listening state, add the -l and -s flags (-s shows the connection state), as shown below. UDP is a connectionless protocol and maintains no information about the state of a connection, so open UDP sockets cannot be selected by state: the protocol exchanges datagrams and has no built-in mechanism to track a connection.

# sockstat -46 -l -s

List Network Listening Ports

9. List Unix Sockets and Named Pipes

Unix domain sockets, as well as other forms of local inter-process communication, such as named pipes, can be displayed by sockstat command by using the -u flag, as shown in the below image.

# sockstat -u

List Unix Sockets

10. List Ports Opened by Application in FreeBSD

Sockstat command output can be filtered through grep utility in order to display a list of ports opened by a specific application or command.

Suppose you want to list all sockets associated with Nginx web server, you can issue the following command to achieve the task.

# sockstat -46 | grep nginx

List Application Listening Sockets

To display only the connected sockets associated with Nginx web server, issue the following command.

# sockstat -46 -c | grep nginx

11. List HTTPS Connections and Their State

You can list all connected sockets associated with HTTPS protocol alongside the state of each connection by running the below command.

# sockstat -46 -s -P TCP -p 443 -c

List HTTPS Connected Protocols

12. List HTTP Remote Sockets

To list the remote endpoints of HTTP and HTTPS connections, counted per remote address:port pair, run one of the following pipelines. Note that uniq -c only merges adjacent duplicates, so the addresses must be sorted first, and that a bare egrep '80|443' would also match PIDs and other columns containing those digits.

# sockstat -46 -c | egrep ':(80|443)( |$)' | awk '{print $7}' | sort | uniq -c | sort -nr
# sockstat -46 -c -p 80,443 | grep -v ADDRESS | awk '{print $7}' | sort | uniq -c | sort -nr

List Remote HTTP Protocols

13. Find Highest HTTP Requests By IP Addresses

To find how many HTTP connections each remote IP address has open, issue the command below. This is useful for spotting whether your web server is under some kind of DDoS attack; if you suspect one, investigate the addresses with the highest connection counts. The trailing :port is stripped with sed rather than cut -d: -f1, because cut would truncate IPv6 addresses at their first colon.

# sockstat -46 -c | egrep ':(80|443)( |$)' | awk '{print $7}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -nr
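As an added example (not from the original article), the function below performs that count from sockstat -46 -c output in a way that survives IPv6 addresses and only counts connections to this server's web ports, not outbound ones: it filters on the LOCAL ADDRESS port, strips the port from FOREIGN ADDRESS with a regular expression instead of cut, and sorts before uniq -c. The sockstat output it reads is constructed here to match sockstat's column layout.

```shell
#!/bin/sh
# Count connected HTTP/HTTPS clients per remote address from `sockstat -46 -c`
# output, IPv6-safe and with the sort that uniq -c needs.  Added example, not
# from the original article; the sample output below is constructed to match
# sockstat's column layout.

top_http_clients() {
    # Reads sockstat -46 -c output on stdin. Keeps rows whose LOCAL ADDRESS
    # port is 80 or 443 (clients of this web server, not our outbound
    # connections), strips the port from FOREIGN ADDRESS and prints
    # "<count> <remote-ip>", busiest first; ties are ordered by address.
    awk 'NR > 1 && $6 ~ /:(80|443)$/ {
             ip = $7
             sub(/:[0-9]+$/, "", ip)     # drop ":port"; IPv6 colons survive
             print ip
         }' |
    sort | uniq -c | awk '{ print $1, $2 }' | sort -k1,1nr -k2
}

# Constructed sample: two clients on 443, one on 80, plus an inbound ssh
# session and an outbound curl to port 443 that must both be ignored.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      nginx      1803  12 tcp4   192.168.1.14:443      203.0.113.7:51234
www      nginx      1803  13 tcp4   192.168.1.14:443      203.0.113.7:51235
www      nginx      1803  14 tcp6   2001:db8::14:443      2001:db8:1::5:40001
www      nginx      1803  15 tcp4   192.168.1.14:80       198.51.100.9:33000
root     sshd        901   5 tcp4   192.168.1.14:22       192.0.2.33:55000
root     curl       2210   3 tcp4   192.168.1.14:49152    198.51.100.80:443'

printf '%s\n' "$SAMPLE_SOCKSTAT" | top_http_clients
```

On a live system run sockstat -46 -c | top_http_clients; the outbound curl row above shows why filtering on the local port matters, since a plain grep for 443 would count your own server as a client.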

14. List DNS Opened Sockets

If you have configured a caching and forwarding DNS server on your premises to serve internal clients over TCP and want to list all sockets opened by the resolver, along with the state of each connection, execute the following command.

# sockstat -46 -P tcp -p 53 -s

List DNS Opened Sockets

15. Query TCP DNS on Local Domain

If there’s no DNS traffic on the network, you can manually trigger a DNS query on the TCP socket from the local machine’s console by running the following dig command. Afterwards, issue the above command to list all resolver sockets.

# dig +tcp www.domain.com @127.0.0.1

Query TCP DNS on Local

That’s all! Along with netstat and lsof command line utilities, sockstat command line is a powerful utility used for acquiring network information and troubleshoot multiple aspects of FreeBSD networking stack and networking related processes and services.

The Linux counterparts of FreeBSD's sockstat are netstat and the newer ss command. Believe it or not, there is also a similar application for Android, based on the sockstat utility, named SockStat – Simple Netstat GUI.

Get AWS Solution Architect Certification Training Course

Amazon Web Services (AWS) is the world's largest on-demand cloud computing platform, offering products from compute and storage to databases, migration, networking and content delivery. The AWS Solution Architect Certification Training Bundle introduces you to the basics of AWS cloud computing.

Get certified to manage cloud computing services for individuals, companies and governments offered by the world's best cloud computing services provider, at 92% off or for as low as $49 on Tecmint Deals.

The training in this bundle will start with a study of AWS architectural principles and services, then you’ll proceed to learn how to plan, design and scale comprehensive AWS cloud operations.

With up to 22 hours of top-rated elearning content 24/7, you’ll learn how to navigate the AWS management console and acquire skills in using services such as EC2, S3, RDS as well as EBS.

You’ll master how to develop solution plans and offer guidance on architectural best practices to meet an individual's or enterprise's cloud computing demands. Thereafter, you’ll acquire the skills and knowledge to design and deploy scalable, highly available and fault-tolerant systems and applications on AWS.

Furthermore, you’ll learn to use the lift and shift cloud computing model to deal with existing on-premises applications. You’ll also break down the ingress and egress of data to and from AWS and so much more.

Additionally, you’ll build expertise on choosing the most suitable and best AWS services based on data, compute, database, content delivery or security requirements of an individual, organization or government agency.

Become a certified cloud computing architect and master how to manage Amazon Web Services, the world’s largest and best cloud computing platform. Subscribe to this bundle today, for a limited time at 92% off.

How to Create Reports from Audit Logs Using ‘aureport’ on CentOS/RHEL

This article is part of our ongoing series on Linux Auditing; in the last two articles we explained how to install auditd and audit Linux systems (CentOS and RHEL), and how to query the logs using the ausearch utility.

In this third part, we will explain how to generate reports from audit log files using aureport utility in CentOS and RHEL based Linux distributions.

Read Also: How to Produce and Deliver System Activity Reports Using Linux Toolsets

What is aureport?

aureport is a command line utility used for creating useful summary reports from the audit log files stored in /var/log/audit/. Like ausearch, it also accepts raw log data from stdin.

It is an easy-to-use utility; simply pass an option for a specific kind of report that you need, as shown in the examples below.

Create Report Concerning Audit Rule Keys

The aureport command produces a report about all keys you specified in audit rules when given the -k flag.

# aureport -k 

Report Audit Rule Keys

You can enable interpreting of numeric entities into text (for example convert UID to account name) using the -i option.

# aureport -k -i

Create Report About Attempted Authentications

If you need a report about all events relating to attempted authentications for all users, use the -au option.

# aureport -au
# aureport -au -i

Summary of Login Authentication
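As an added example (not from the original article), the following POSIX shell function turns an aureport -au report into a count of failed attempts per account and source host, which is the quickest way to spot password guessing in this report. It assumes the column layout aureport -au prints (# date time acct host term exe success event); the report embedded below is constructed in that layout, not taken from a real system.

```shell
#!/bin/sh
# Summarise failed authentications per account and source from an
# `aureport -au` report, to spot password guessing.  Added example, not from
# the original article.  The report below is constructed to follow the
# column layout of aureport -au (date time acct host term exe success event);
# it is not output from a real system.

failed_auth_by_source() {
    # Reads an aureport -au report on stdin; $1 (optional) is the minimum
    # number of failures to report (default 1).
    # Prints "<failures> <acct> <host>", most failures first.
    min=${1:-1}
    awk '$1 ~ /^[0-9]+\.$/ && $8 == "no" { print $4, $5 }' |
    sort | uniq -c |
    awk -v min="$min" '$1 >= min { print $1, $2, $3 }' |
    sort -k1,1nr -k2
}

# Constructed report: three failed ssh logins as root from one host, one
# failed login as admin from another, two successful local authentications.
SAMPLE_AUTH_REPORT='Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 09/25/2017 10:12:01 tecmint ? pts/0 /usr/bin/sudo yes 123
2. 09/25/2017 10:13:40 root 192.0.2.5 ssh /usr/sbin/sshd no 130
3. 09/25/2017 10:13:42 root 192.0.2.5 ssh /usr/sbin/sshd no 131
4. 09/25/2017 10:13:45 root 192.0.2.5 ssh /usr/sbin/sshd no 132
5. 09/25/2017 10:20:03 admin 198.51.100.7 ssh /usr/sbin/sshd no 140
6. 09/25/2017 10:21:10 tecmint ? tty1 /usr/bin/login yes 141'

echo "all failures:"
printf '%s\n' "$SAMPLE_AUTH_REPORT" | failed_auth_by_source
echo "three or more failures (likely guessing):"
printf '%s\n' "$SAMPLE_AUTH_REPORT" | failed_auth_by_source 3
```

With a real system, feed the report straight in, optionally limited in time with the -ts flag described further down: aureport -au -ts today | failed_auth_by_source 5.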

Produce Report Concerning Logins

The -l option (aureport -l) tells aureport to generate a report of all logins, as shown below.

Check Login Authentications

Report Failed Events on the System

The following command shows how to report all failed events.

# aureport --failed

Report Failed Events

Generate Summary Report for a Given Time Period

It is also possible to generate reports for a specified period of time; the -ts defines the start date/time and -te sets a end date/time. You can also use words like now, recent, today, yesterday, this-week, week-ago, this-month, this-year instead of actual time formats.

# aureport -ts 09/19/2017 15:20:00 -te now --summary -i
# aureport -ts yesterday -te now --summary -i

Generate a Summary Report

Produce a Report From a Different Audit Log File

If you want to create a report from a different file other than the default log files in /var/log/audit directory, use the -if flag to specify the file.

This command reports all logins recorded in /var/log/tecmint/hosts/node1.log.

# aureport -l -if /var/log/tecmint/hosts/node1.log 

You can find all options and more information in the aureport man page.

# man aureport

Below is a list of articles concerning log management, and report generation tools in Linux:

  1. 4 Good Open Source Log Monitoring and Management Tools for Linux
  2. SARG – Squid Analysis Report Generator and Internet Bandwidth Monitoring Tool
  3. Smem – Reports Memory Consumption Per-Process and Per-User Basis in Linux
  4. How to Manage System Logs (Configure, Rotate and Import Into Database)

In this tutorial, we showed how to generate summary reports from audit log files in RHEL/CentOS/Fedora. Use the comment section below to ask any questions or share any thoughts concerning this guide.

Next, we’ll show how to audit a specific process using the ‘autrace’ utility; until then, stay tuned to Tecmint.

Chkservice – An Easy Way to Manage Systemd Units in Terminal

Systemd is a modern system and service manager for Linux. It replaces the SysV init system, controls system startup and services, and introduces the idea of units (managed via unit files) to describe the different types of resources it handles, such as services, devices, swap, automounts, targets, paths, sockets and others.

It ships with systemctl, the command line tool for controlling systemd's behaviour and its units (starting, stopping, restarting, viewing status and so on). If you would rather manage units with keyboard shortcuts, that is where chkservice comes in.

Read Also: How to Manage ‘Systemd’ Services and Units Using ‘Systemctl’ in Linux

Chkservice is an easy-to-use, ncurses-based command line tool for managing systemd units in a terminal. It lists units alphabetically under their categories (services, targets, automounts etc.), showing their status and description, and, with superuser privileges, lets you start, stop, enable and disable units.

Install chkservice in Linux Systems

On Ubuntu and its derivatives, chkservice can be installed from the project's PPA as shown.

$ sudo add-apt-repository ppa:linuxenko/chkservice
$ sudo apt-get update
$ sudo apt-get install chkservice

On Fedora Linux distributions.

# dnf copr enable srakitnican/default
# dnf install chkservice

On Arch Linux distribution.

# git clone https://aur.archlinux.org/chkservice.git
# cd chkservice
# makepkg -si

On other Linux distributions, you can build the release version from source (cmake and the ncurses development package are needed) with the following commands.

# git clone https://github.com/linuxenko/chkservice.git
# cd chkservice
# mkdir build
# cd build
# cmake ../
# make

Once you have installed chkservice, launch it with root privileges using the sudo command. Its output consists of four columns: the first shows the enabled/disabled/masked status, the second the started/stopped status, the third the unit name and type, and the last column the unit description.

$ sudo chkservice

chkservice for Managing Systemd Services

chkservice unit status indicators:

  • [x] – shows a unit is enabled.
  • [ ] – shows a unit is disabled.
  • [s] – indicates a static unit.
  • -m- – shows a unit is masked.
  • = – indicates unit has been stopped.
  • > – shows unit is running.

Below are the chkservice navigation keys:

  • Up/k – move cursor up.
  • Down/j – move cursor down.
  • PgUp/b – move page up.
  • PgDown/f – move page down.

The following are chkservice action keys:

  • r – updates or reload information.
  • Space bar – used to enable or disable a unit.
  • s – for starting or stopping a unit.
  • q – exit.

To view the help page as shown in the screenshot below, use ? (press [Shift + /]).

Chkservice Help and Options

chkservice Github repository: https://github.com/linuxenko/chkservice

You may also like to read these systemd related articles.

  1. How to Create and Run New Service Units in Systemd Using Shell Script
  2. Managing System Startup Process and Services (SysVinit, Systemd and Upstart)
  3. Manage Log Messages Under Systemd Using Journalctl
  4. How to Change Runlevels (targets) in SystemD

That’s it! If you encountered any errors during installation or want to ask questions, share any thoughts, use the comment form below.

How to Install Ubuntu via PXE Server Using Local DVD Sources

PXE, or Preboot eXecution Environment, is a client-server mechanism that instructs a client machine to boot from the network.

In this guide we’ll show how to install Ubuntu Server via a PXE server with local HTTP sources mirrored from Ubuntu server ISO image via Apache web server. The PXE server used in this tutorial is Dnsmasq Server.

Requirements:

  1. Ubuntu Server 16.04 or 17.04 Installation
  2. A network interface configured with Static IP address
  3. Ubuntu Server 16.04 or 17.04 ISO image

Step 1: Install and Configure DNSMASQ Server

1. In order to setup the PXE server, on the first step login with the root account or an account with root privileges and install Dnsmasq package in Ubuntu by issuing the following command.

# apt install dnsmasq

2. Next, backup dnsmasq main configuration file and then start editing the file with the following configurations.

# mv /etc/dnsmasq.conf /etc/dnsmasq.conf.backup
# nano /etc/dnsmasq.conf

Add the following configuration to dnsmasq.conf file.

interface=ens33,lo
bind-interfaces
domain=mypxe.local
dhcp-range=ens33,192.168.1.230,192.168.1.253,255.255.255.0,1h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1,8.8.8.8
server=8.8.4.4
dhcp-option=28,192.168.1.255
dhcp-option=42,0.0.0.0
dhcp-boot=pxelinux.0,pxeserver,192.168.1.14
pxe-prompt="Press F8 for menu.", 2
pxe-service=x86PC, "Install Ubuntu 16.04 from network server 192.168.1.14", pxelinux
enable-tftp
tftp-root=/srv/tftp

In the above configuration file, replace the following values to suit your network.

  • interface – replace with your own machine's network interface.
  • domain – replace it with your domain name.
  • dhcp-range – the address range DHCP allocates IPs from on this segment, its netmask, and how long a client's lease should last.
  • dhcp-option=3 – your gateway IP.
  • dhcp-option=6 – DNS server IPs; several can be given, comma-separated.
  • server – upstream DNS forwarder IP address.
  • dhcp-option=28 – your network's broadcast address; it must belong to the dhcp-range subnet.
  • dhcp-option=42 – NTP server; 0.0.0.0 means the dnsmasq host itself.
  • dhcp-boot – the PXE boot file and the IP address of the PXE server (here pxelinux.0 and the IP of this same machine).
  • pxe-prompt – users can hit F8 to enter the PXE menu, or wait 2 seconds to be switched to it automatically.
  • pxe-service – use x86PC for 32-bit/64-bit BIOS clients and enter a menu description in quotes. Other values are: PC98, IA64_EFI, Alpha, Arc_x86, Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI.
  • enable-tftp – enables the built-in TFTP server.
  • tftp-root – the system path for the net boot files.

3. Also, after you’ve finished editing the dnsmasq configuration file, create the directory for the PXE netboot files by issuing the below command and restart dnsmasq daemon to apply changes. Check dnsmasq service status to see if it has been started.

# mkdir /srv/tftp
# systemctl restart dnsmasq.service
# systemctl status dnsmasq.service
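A mismatch between the DHCP range, gateway, broadcast and boot-server addresses is the usual reason PXE clients obtain a lease and then go nowhere, so as an added example (not part of the original article) here is a POSIX shell pre-flight check for the option lines used above. It parses only those lines; the configuration embedded in it is constructed from the guide's addresses but with a broadcast address from the wrong network, the kind of slip it is meant to catch.

```shell
#!/bin/sh
# Pre-flight check for the dnsmasq PXE configuration used in this guide: the
# DHCP range, gateway, broadcast and boot-server addresses must all belong to
# one subnet, or clients get leases they cannot use.  Added example, not part
# of the original article; it parses only the option lines the guide uses.

ip_to_int() {
    # 192.168.1.14 -> 3232235790
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

conf_option() {
    # $1: config text, $2: line prefix such as "dhcp-option=28"; prints the
    # value after "prefix," of the first matching line.
    printf '%s\n' "$1" | sed -n "s/^$2,//p" | head -n 1
}

check_pxe_conf() {
    # $1: dnsmasq.conf text. Prints one line per check; returns 1 on any mismatch.
    conf=$1 errors=0 start="" end="" mask=""
    range=$(printf '%s\n' "$conf" | sed -n 's/^dhcp-range=//p' | head -n 1)
    # dhcp-range may begin with an interface/tag name; keep the dotted quads
    old_ifs=$IFS; IFS=,
    for field in $range; do
        case $field in
            *.*.*.*)
                if   [ -z "$start" ]; then start=$field
                elif [ -z "$end" ];   then end=$field
                elif [ -z "$mask" ];  then mask=$field
                fi ;;
        esac
    done
    IFS=$old_ifs
    gw=$(conf_option "$conf" 'dhcp-option=3')
    bcast=$(conf_option "$conf" 'dhcp-option=28')
    # dhcp-boot=<file>,<server name>,<server ip>: the last field is the IP
    bootsrv=$(printf '%s\n' "$conf" | sed -n 's/^dhcp-boot=//p' | head -n 1 | awk -F, '{ print $NF }')

    m=$(ip_to_int "$mask")
    net=$(( $(ip_to_int "$start") & m ))
    want_bcast=$(( net | (~m & 4294967295) ))
    for item in "range-end=$end" "gateway=$gw" "boot-server=$bootsrv"; do
        name=${item%%=*} addr=${item#*=}
        if [ $(( $(ip_to_int "$addr") & m )) -eq "$net" ]; then
            echo "ok: $name $addr is inside $(int_to_ip "$net")/$mask"
        else
            echo "MISMATCH: $name $addr is outside $(int_to_ip "$net")/$mask"
            errors=$((errors + 1))
        fi
    done
    if [ "$(ip_to_int "$bcast")" -eq "$want_bcast" ]; then
        echo "ok: broadcast $bcast"
    else
        echo "MISMATCH: broadcast (dhcp-option=28) is $bcast, expected $(int_to_ip "$want_bcast")"
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Constructed configuration: the guide's addresses, but with a broadcast
# address from 10.0.0.0/24 instead of the 192.168.1.0/24 DHCP range.
GUIDE_CONF='interface=ens33,lo
bind-interfaces
domain=mypxe.local
dhcp-range=ens33,192.168.1.230,192.168.1.253,255.255.255.0,1h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1,8.8.8.8
server=8.8.4.4
dhcp-option=28,10.0.0.255
dhcp-option=42,0.0.0.0
dhcp-boot=pxelinux.0,pxeserver,192.168.1.14
enable-tftp
tftp-root=/srv/tftp'

check_pxe_conf "$GUIDE_CONF" || echo "fix dnsmasq.conf before restarting dnsmasq"
```

To check the real file, call check_pxe_conf "$(cat /etc/dnsmasq.conf)" before the systemctl restart above; a non-zero exit means at least one address is in the wrong subnet.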

Step 2: Install TFTP Netboot Files

4. On the next step grab the latest version of Ubuntu server ISO image for 64-bit architecture by issuing the following command.

# wget http://releases.ubuntu.com/16.04/ubuntu-16.04.3-server-amd64.iso

5. After the Ubuntu server ISO has been downloaded, mount the image under /mnt and list the mounted directory content by running the commands below (note the file name must be the server image you just downloaded).

# mount -o loop ubuntu-16.04.3-server-amd64.iso /mnt/
# ls /mnt/

Verify Ubuntu ISO Files

6. Next, copy the netboot files from Ubuntu mounted tree to tftp system path by issuing the below command. Also, list tftp system path to see the copied files.

# cp -rf /mnt/install/netboot/* /srv/tftp/
# ls /srv/tftp/

Copy and Verify TFTP Files

Step 3: Prepare Local Installation Source Files

7. The local network installation sources for Ubuntu server will be provided via HTTP protocol. First, install, start and enable Apache web server by issuing the following commands.

# apt install apache2
# systemctl start apache2
# systemctl status apache2
# systemctl enable apache2

8. Then create an ubuntu directory under the Apache web root and copy the content of the mounted Ubuntu DVD into it, so that the sources are served under /ubuntu as the preseed and PXE URLs used later expect. List the directory to check that the mounted tree has been copied completely.

# mkdir /var/www/html/ubuntu
# cp -rf /mnt/* /var/www/html/ubuntu/
# ls /var/www/html/ubuntu/

9. Next, open the HTTP port in the firewall and browse to your machine's address (http://192.168.1.14/ubuntu) to test that the sources are reachable over HTTP.

# ufw allow http

Check HTTP Ubuntu Sources

Step 4: Setup PXE Server Configuration File

10. To fetch its root filesystem via PXE from the local sources, the Ubuntu installer must be told where they are through a preseed file. Create the following local-sources.seed file under your web server document root with the content below.

# nano /var/www/html/ubuntu/preseed/local-sources.seed

Add following line to local-sources.seed file.

d-i live-installer/net-image string http://192.168.1.14/ubuntu/install/filesystem.squashfs

Here, make sure you replace the IP address accordingly: it must be the address where the web resources are located. In this guide the web sources, the PXE server and the TFTP server are hosted on the same system. On a busy network you might want to run PXE, TFTP and the web service on separate machines to improve PXE boot speed. Also bear in mind that PXE offers no authentication: a client accepts whichever DHCP offer, TFTP boot file and HTTP preseed it receives first, so run this setup only on a network segment you control and keep the ports you open for it limited to that segment.

11. A PXE Server reads and executes configuration files located in pxelinux.cfg TFTP root directory in this order: GUID files, MAC files and default file.

The directory pxelinux.cfg is already created and populated with the required PXE configuration files because we’ve earlier copied the netboot files from Ubuntu mounted ISO image.

In order to add the above preseed statement file to Ubuntu installation label in PXE configuration file, open the following file for editing by issuing the below command.

# nano /srv/tftp/ubuntu-installer/amd64/boot-screens/txt.cfg

In the Ubuntu PXE txt.cfg configuration file, change the append line of the install label so that it reads as follows (one line):

append auto=true url=http://192.168.1.14/ubuntu/preseed/local-sources.seed vga=788 initrd=ubuntu-installer/amd64/initrd.gz --- quiet

The /srv/tftp/ubuntu-installer/amd64/boot-screens/txt.cfg file should then have the following overall content (the label cli section starts on its own line):

default install
label install
menu label ^Install Ubuntu 16.04 with Local Sources
menu default
kernel ubuntu-installer/amd64/linux
append auto=true url=http://192.168.1.14/ubuntu/preseed/local-sources.seed vga=788 initrd=ubuntu-installer/amd64/initrd.gz --- quiet
label cli
menu label ^Command-line install
kernel ubuntu-installer/amd64/linux
append tasks=standard pkgsel/language-pack-patterns= pkgsel/install-language-support=false vga=788 initrd=ubuntu-installer/amd64/initrd.gz --- quiet

12. In case you want to add the preseed url statement to the Ubuntu Rescue menu as well, open the file below and update its content as illustrated in the following example.

# nano /srv/tftp/ubuntu-installer/amd64/boot-screens/rqtxt.cfg

Add the following configuration to the rqtxt.cfg file.

label rescue
menu label ^Rescue mode
kernel ubuntu-installer/amd64/linux
append auto=true url=http://192.168.1.14/ubuntu/preseed/local-sources.seed vga=788 initrd=ubuntu-installer/amd64/initrd.gz rescue/enable=true --- quiet

The important line you should update is url=http://192.168.1.14/ubuntu/preseed/local-sources.seed, which specifies the URL where the preseed file is located in your network.
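The three files edited in steps 10 to 12 must agree on the same IP address and paths, and a mismatch only shows up when a client boots. As an added example (hypothetical helpers, not part of this tutorial or of Ubuntu), the following shell script writes the preseed file for a given server IP and then checks that every url= in txt.cfg and rqtxt.cfg resolves to a preseed file under the web document root, and that the squashfs each preseed names exists as well. The function names pxe_write_preseed, url_to_path and pxe_check_preseed_urls are made up for the example; the directory layout mirrors this guide (ubuntu/preseed/ and ubuntu/install/ under the document root).

```shell
#!/bin/sh
# Added example (hypothetical helpers, not part of the tutorial or of Ubuntu):
# write the preseed file for a given server IP, then check that the PXE menus
# and the preseed point at files that really exist under the web document root.

# Write local-sources.seed so the installer fetches the squashfs from $ip.
# Layout follows this guide: <webroot>/ubuntu/preseed/ and <webroot>/ubuntu/install/.
pxe_write_preseed() {
    ip="$1"; webroot="$2"
    mkdir -p "$webroot/ubuntu/preseed"
    printf 'd-i live-installer/net-image string http://%s/ubuntu/install/filesystem.squashfs\n' "$ip" \
        > "$webroot/ubuntu/preseed/local-sources.seed"
}

# Map http://host/some/path onto <webroot>/some/path.
url_to_path() {
    rest="${1#*://}"                     # strip the scheme
    printf '%s/%s\n' "$2" "${rest#*/}"   # strip the host, prefix the web root
}

# For every url= in txt.cfg and rqtxt.cfg under the boot-screens directory,
# verify the preseed file exists and that the live-installer/net-image it
# names exists too. Prints one MISSING line per problem; returns 0 if all good.
pxe_check_preseed_urls() {
    bootscreens="$1"; webroot="$2"; rc=0
    for cfg in "$bootscreens/txt.cfg" "$bootscreens/rqtxt.cfg"; do
        [ -f "$cfg" ] || continue
        for url in $(grep -o 'url=[^ ]*' "$cfg" | cut -d= -f2-); do
            seed=$(url_to_path "$url" "$webroot")
            if [ ! -f "$seed" ]; then
                echo "MISSING preseed: $url -> $seed (referenced by $cfg)"
                rc=1
                continue
            fi
            image=$(awk '$2 == "live-installer/net-image" { print $NF }' "$seed")
            if [ -n "$image" ] && [ ! -f "$(url_to_path "$image" "$webroot")" ]; then
                echo "MISSING net-image: $image (referenced by $seed)"
                rc=1
            fi
        done
    done
    return "$rc"
}
```

After editing the menus, run pxe_check_preseed_urls /srv/tftp/ubuntu-installer/amd64/boot-screens /var/www/html on the server: a non-zero exit together with a MISSING line tells you which file or IP address is out of step before a client boots and the installer fails to fetch it.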

13. Finally, open the Ubuntu PXE menu.cfg file and comment out the first three lines in order to expand the PXE boot screen, as illustrated in the screenshot below.

# nano /srv/tftp/ubuntu-installer/amd64/boot-screens/menu.cfg

Comment out the following three lines.

#menu hshift 13
#menu width 49
#menu margin 8

PXE Menu Configuration

Step 5: Open Firewall Ports in Ubuntu

14. Execute the netstat command with root privileges to identify the dnsmasq, tftp and web server ports in listening state on your server, as illustrated in the excerpt below.

# netstat -tulpn

Verify Open Ports

15. After you’ve identified all required ports, issue the below commands to open the ports in ufw firewall.

# ufw allow 53/tcp
# ufw allow 53/udp
# ufw allow 67/udp
# ufw allow 69/udp
# ufw allow 4011/udp

Step 6: Install Ubuntu with Local Sources via PXE

16. To install Ubuntu server via PXE using the local network installation sources, reboot your client machine, instruct the BIOS to boot from the network and, at the first PXE menu screen, choose the first option as illustrated in the images below.

Select Network Boot

Select PXE Boot Option

Install Ubuntu using PXE

17. The installation procedure should be performed as usual. When the installer reaches the Ubuntu archive mirror country setup, use the up arrow key to move to the first option, which says: enter information manually.

Select Ubuntu Mirror Archive

18. Press the [enter] key to edit this option, delete the mirror string, enter the IP address of the web server hosting the mirror sources and press enter to continue, as illustrated in the image below.

http://192.168.1.14

Enter Ubuntu Mirror Archive Hostname

19. On the next screen, add your mirror archive directory as shown below and press the enter key to continue with the installation process as usual.

/ubuntu

Select Ubuntu Mirror Archive Directory

20. In case you want to see which packages are being downloaded from your local network mirror, press the [CTRL+ALT+F2] keys to switch to another virtual console and issue the following command.

# tail -f /var/log/syslog

Check Network Mirror Logs

21. After the installation of the Ubuntu server finishes, log in to the newly installed system and run the following command with root privileges in order to switch the package repositories from the local network sources to the official Ubuntu mirrors.

The mirror needs to be changed in order to update the system from the internet repositories.

$ sudo sed -i.bak 's/192.168.1.14/archive.ubuntu.com/g' /etc/apt/sources.list

Change Ubuntu Network Sources

Make sure you replace the IP address with the IP address of your own local web sources.

Official Ubuntu Network Sources

That’s all! You can now update your Ubuntu server system and install all required software. Installing Ubuntu via PXE and a local network source mirror can improve the installation speed and can save internet bandwidth and costs in case of deploying a large number of servers in a short period of time at your premises.

11 Ways to Find User Account Info and Login Details in Linux

This article will show you eleven useful ways to find the information about users on a Linux system. Here we’ll describe commands to get a user’s account details, show login details as well as what users are doing on the system.

Read Also: How to Monitor Linux Commands Executed by System Users in Real-time

If you want to add users in Linux, use the useradd utility, and to modify or change any attributes of an already created user account, use the usermod command, as explained in the following guides:

  1. 15 Useful Practical Examples on ‘useradd’ Command
  2. 15 Useful Practical Examples on ‘usermod’ Command

We’ll start by looking at commands to find a user’s account information, then proceed to explain commands to view login details.

1. id Command


id is a simple command line utility for displaying the real and effective user and group IDs of a user, as follows.

$ id tecmint
uid=1000(tecmint) gid=1000(tecmint) groups=1000(tecmint),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),130(sambashare)

2. groups Command

groups command is used to show all the groups a user belongs to like this.

$ groups tecmint
tecmint : tecmint adm cdrom sudo dip plugdev lpadmin sambashare

3. finger Command

finger command is used to search for information about a user on Linux. It doesn't come pre-installed on many Linux systems.

To install it on your system, run this command on the terminal.

$ sudo apt install finger #Debian/Ubuntu
$ sudo yum install finger #RHEL/CentOS
$ sudo dnf install finger #Fedora 22+

It shows a user's real name, home directory, shell, login name and login time, and much more, as below.

$ finger tecmint
Login: tecmint Name: TecMint
Directory: /home/tecmint Shell: /bin/bash
On since Fri Sep 22 10:39 (IST) on tty8 from :0
2 hours 1 minute idle
No mail.
No Plan.

4. getent Command

getent is a command line utility for fetching entries from Name Service Switch (NSS) libraries from a specific system database.

To get a user’s account details, use the passwd database and the username as follows.

$ getent passwd tecmint
tecmint:x:1000:1000:TecMint,,,:/home/tecmint:/bin/bash

5. grep Command

grep command is a powerful pattern searching tool available on most, if not all, Linux systems. You can use it to find information about a specific user from the system accounts file, /etc/passwd, as shown below.

$ grep -i tecmint /etc/passwd
tecmint:x:1000:1000:TecMint,,,:/home/tecmint:/bin/bash

6. lslogins Command

lslogins command shows information about known users in the system, the -u flag only displays user accounts.

$ lslogins -u
UID  USER        PROC  PWD-LOCK  PWD-DENY  LAST-LOGIN  GECOS
0    root        144                                   root
1000 tecmint     70                        10:39:07    TecMint,,,
1001 aaronkilik  0
1002 john        0                                     John Doo

7. users Command

users command shows the usernames of all users currently logged on the system like so.

$ users
tecmint
aaron

8. who Command

who command is used to display users who are logged on the system, including the terminals they are connecting from.

$ who -u
tecmint tty8 2017-09-22 10:39 02:09 2067 (:0)

9. w Command

w command shows all users who are logged on the system and what they are doing.

$ w
12:46:54 up 2:10, 1 user, load average: 0.34, 0.44, 0.57
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
tecmint tty8 :0 10:39 2:10m 4:43 0.46s cinnamon-sessio

10. last or lastb commands

last and lastb commands display a list of the users who last logged in to the system.

$ last
OR
$ last -a #show hostname on the last column

List of Last Logged Users

tecmint tty8 Fri Sep 22 10:39 gone - no logout :0
reboot system boot Fri Sep 22 10:36 still running 4.4.0-21-generic
tecmint tty8 Thu Sep 21 10:44 - down (06:56) :0
reboot system boot Thu Sep 21 10:42 - 17:40 (06:58) 4.4.0-21-generic
tecmint tty8 Wed Sep 20 10:19 - down (06:50) :0
reboot system boot Wed Sep 20 10:17 - 17:10 (06:52) 4.4.0-21-generic
tecmint pts/14 Tue Sep 19 15:15 - 15:16 (00:00) tmux(14160).%146
tecmint pts/13 Tue Sep 19 15:15 - 15:16 (00:00) tmux(14160).%145
...

To show all the users who were present at a specified time, use the -p option as follows.

$ last -ap now
tecmint tty8 Fri Sep 22 10:39 gone - no logout :0
reboot system boot Fri Sep 22 10:36 still running 4.4.0-21-generic
wtmp begins Fri Sep 1 16:23:02 2017

11. lastlog Command

lastlog command is used to find the details of a recent login of all users or of a given user as follows.

$ lastlog
OR
$ lastlog -u tecmint #show lastlog records for specific user tecmint

Records of Recent Logged Users

Username Port From Latest
root **Never logged in**
kernoops **Never logged in**
pulse **Never logged in**
rtkit **Never logged in**
saned **Never logged in**
usbmux **Never logged in**
mdm **Never logged in**
tecmint pts/1 127.0.0.1 Fri Jan 6 16:50:22 +0530 2017
..
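All of the commands above read the same account database, so the checks an administrator usually runs by hand (which accounts are really root, which ones can get a shell at all, what a given entry contains) can be scripted. As an added example that is not part of the article, here are a few shell functions that run those checks over a passwd-format file, so they work on /etc/passwd or on the output of getent passwd. The account list is constructed for the example (the backupsvc entry is a made-up second UID 0 account) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the article): account checks over
# a passwd-format file, so they work on /etc/passwd or on `getent passwd` output.

# Constructed sample database; backupsvc is a made-up second UID 0 account.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
tecmint:x:1000:1000:TecMint,,,:/home/tecmint:/bin/bash
aaronkilik:x:1001:1001::/home/aaronkilik:/bin/bash
backupsvc:x:0:0:constructed duplicate uid 0:/root:/bin/sh
EOF

# The fields getent passwd / grep show, printed with labels
# (passwd fields: name, password, uid, gid, gecos, home, shell).
account_info() {
    awk -F: -v u="$2" '$1 == u {
        printf "user=%s uid=%s gid=%s home=%s shell=%s\n", $1, $3, $4, $6, $7 }' "$1"
}

# Every account whose UID is 0 is root, whatever it is called.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# Accounts that can actually get a shell (the only ones users/who/w can ever list).
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 }' "$1"
}

# Fails unless exactly one UID 0 account exists.
check_single_root() {
    n=$(uid0_accounts "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

account_info "$SAMPLE_PASSWD" tecmint
interactive_accounts "$SAMPLE_PASSWD"
check_single_root "$SAMPLE_PASSWD" \
    || echo "WARNING: more than one UID 0 account: $(uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
```

To run the same checks on a live system, pass /etc/passwd (or a file produced with getent passwd, which also covers LDAP and other NSS sources) instead of the sample.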

That’s it! If you know any other command-line trick or command to view user account details do share with us.

You may also find these related articles useful:

  1. How to Manage Users and Groups in Linux
  2. How to Delete User Accounts with Home Directory in Linux
  3. 3 Ways to Change Default User Shell in Linux
  4. How to Block or Disable User Logins in Linux

In this article, we’ve explained various ways to find information about users and login details on a Linux system. You can ask any questions or share your thoughts via the feedback form below.

How to Query Audit Logs Using ‘ausearch’ Tool on CentOS/RHEL

In our last article, we explained how to audit a RHEL or CentOS system using the auditd utility. The audit system (auditd) is a comprehensive logging system and does not use syslog. It also comes with a tool-set for managing the kernel audit system as well as for searching and producing reports from the information in the log files.

In this tutorial, we will explain how to use the ausearch tool to retrieve data from auditd log files on RHEL and CentOS based Linux distributions.

Read Also: 4 Good Open Source Log Monitoring and Management Tools for Linux

As we mentioned earlier on, the auditing system has a user-space audit daemon (auditd) which gathers security-related information based on pre-configured rules, from the kernel and generates entries in a log file.

What is ausearch?


ausearch is a simple command line tool used to search the audit daemon log files based on events and different search criteria such as event identifier, key identifier, CPU architecture, command name, hostname, group name or group ID, syscall, messages and beyond. It also accepts raw data from stdin.

By default, ausearch queries the /var/log/audit/audit.log file, which you can view just like any other text file.

# cat /var/log/audit/audit.log
OR
# cat /var/log/audit/audit.log | less

View Auditd Log Files

From the screenshot above, you can see lots of data from the log file making it difficult to get specific information of interest.

Therefore you need ausearch, which enables searching of information in a more powerful and efficient way using the following syntax.

# ausearch [options]

Check Running Process Logs in Auditd Log File

The -p flag is used to pass a process ID.

# ausearch -p 2317

Check Linux Process Logs

Check Failed Login Attempts in Auditd Log File

Here, you need to use the -m option to identify specific messages and -sv to define the success value.

# ausearch -m USER_LOGIN -sv no 

Find Failed Login Attempts in Logs

Find User Activity in Auditd Log File

The -ua option is used to pass a username (or a numeric user ID).

# ausearch -ua tecmint
OR
# ausearch -ua tecmint -i # enable interpreting of numeric entities into text.

Find User Activity in Linux

To query the actions performed by a certain user over a given period of time, use -ts for the start date/time and -te for the end date/time, as follows (note that you can use the words now, recent, today, yesterday, this-week, week-ago, this-month, this-year, as well as checkpoint, instead of actual time formats).

# ausearch -ua tecmint -ts yesterday -te now -i 

Find User Activity in Specific Time

More examples of searching for actions by a given user on the system.

# ausearch -ua 1000 -ts this-week -i
# ausearch -ua tecmint -m USER_LOGIN -sv no -i

Find Modifications to User Accounts, Groups and Roles in Auditd Logs

If you want to review all system changes to do with user accounts, groups and roles; specify various comma separated messages types as in the command below (take care of the comma separated list, leave no space between a comma and the next item):

# ausearch -m ADD_USER,DEL_USER,USER_CHAUTHTOK,ADD_GROUP,DEL_GROUP,CHGRP_ID,ROLE_ASSIGN,ROLE_REMOVE -i

Check for Linux System Changes

Search Auditd Log File Using Key Value

Consider the audit rule below which will log any attempts to access or modify the /etc/passwd user accounts database.

# auditctl -w /etc/passwd -p rwa -k passwd_changes

Now, try to open the above file for editing and close it, as follows.

# vi /etc/passwd

Since you know that a log entry has been recorded for this, you might view the last part of the log file with the tail command, as follows:

# tail /var/log/audit/audit.log

But if several other events have been recorded recently, finding the specific information that way becomes difficult. With ausearch, you can pass the -k flag with the key value you specified in the audit rule to view all log messages for events that access or modify the /etc/passwd file.

This will also display the configuration change events recorded when the audit rule itself was defined.

# ausearch -k passwd_changes | less

Check System Users Password Changes

For more information and usage options, read the ausearch man page:

# man ausearch

To learn more about Linux system auditing and log management, read the following related articles.

  1. Petiti – An Open Source Log Analysis Tool for Linux SysAdmins
  2. Monitor Server Logs in Real-Time with “Log.io” Tool on RHEL/CentOS 7/6
  3. How to Setup and Manage Log Rotation Using Logrotate in Linux
  4. lnav – Watch and Analyze Apache Logs from a Linux Terminal

In this tutorial, we described how to use ausearch to retrieve data from an auditd log file on RHEL and CentOS. If you have any questions or thoughts to share, use the comment section to reach us.

In our next article, we’ll explain how to create reports from audit log files using aureport in RHEL/CentOS/Fedora.

Learn Linux System Auditing with Auditd Tool on CentOS/RHEL

System auditing simply refers to in-depth analysis of a specific targeted system: an audit is made up of an examination of the various parts which comprise that system, with critical assessment (and testing if required) in different areas of interest.

Read Also: Lynis – Security Auditing and Scanning Tool for Linux Systems

One of the critical subsystems on RHEL/CentOS is the Linux audit system, commonly known as auditd. It implements a means to track security-relevant information on a system: it uses pre-configured rules to collect vast amounts of information about events that are happening on the system, and records them in a log file, thus creating an audit trail.

It can record information such as date and time, type, and result of an event; users who caused the event, any modifications made to files/databases; uses of system authentication mechanisms, such as PAM, LDAP, SSH, and others.


Auditd also registers any changes made to the audit configuration files or any attempts to access audit log files, and any efforts to import or export information into or from the system plus a lot of other security-related information.

Why is the Linux Audit System Important?

  1. It doesn’t require any external programs or processes to run on a system making it self-reliant.
  2. It is highly configurable therefore enables you to view any system operation(s) you want.
  3. It helps in detecting or analyzing potential compromises of a system.
  4. It is capable of working as an independent detection system.
  5. It can work with Intrusion Detection Systems to enable intrusion detection.
  6. It is a vital tool for forensic investigations.

The Linux Audit System Components

The audit system has two core components, namely:

  • user-space applications and utilities/tools, and
  • kernel-side system call processing – this accepts system calls from user-space applications and passes them through the kernel's audit filters, namely: user, task, exit and exclude.

The most important part is the user-space audit daemon (auditd) which gathers information based on pre-configured rules, from the kernel and generates entries in a log file: the default log is /var/log/audit/audit.log.

Additionally, the audispd (audit dispatcher daemon) is an event multiplexor that interacts with auditd and sends events to other programs that want to perform real time event processing.

There are a number of user-space tools for managing and retrieving information from the audit system:

  • auditctl – a utility for controlling the kernel’s audit system.
  • ausearch – a utility for searching audit log files for specific events.
  • aureport – a utility for creating reports of recorded events.

How to Install and Configure Audit Tool in RHEL/CentOS/Fedora

First make sure to verify that the audit tool is installed on your system using the rpm command and grep utility as follows:

# rpm -qa | grep audit

Check Auditd Tool

If you do not have the above packages installed, run this command as the root user to install them.

# yum install audit

Next, to check whether auditd is enabled and running, issue the systemctl (or service) commands below on the terminal.

--------------- On CentOS/RHEL 7 ---------------
# systemctl is-enabled auditd
# systemctl status auditd
# systemctl start auditd [Start]
# systemctl enable auditd [Enable]
--------------- On CentOS/RHEL 6 ---------------
# service auditd status
# service auditd start [Start]
# chkconfig auditd on [Enable]

Check Status of Auditd Tool

Now we will see how to configure auditd using the main configuration file /etc/audit/auditd.conf. The parameters here allow you to control how the service runs, such as defining the location of the log file, maximum number of log files, log format, how to deal with full disks, log rotation and many more options.

# vi /etc/audit/auditd.conf

From the sample output below, the parameters are self-explanatory.

Auditd Configuration File

Understanding Audit Rules

As we mentioned earlier on, auditd uses rules to gather specific information from the kernel. These rules are basically auditctl options (see the man page) that you can pre-configure in the /etc/audit/rules.d/audit.rules file (on CentOS 6, use the /etc/audit/audit.rules file), so that they are loaded at startup.

There are three kinds of audit rules you can define:

  • Control rules – these enable modification of the audit system’s behavior and a few of its configurations.
  • File system rules (also referred to as file watches) – enable auditing of access to a certain file or a directory.
  • System call rules – permit logging of system calls made by any program.

Now open the main configuration file for editing:

# vi /etc/audit/rules.d/audit.rules

Note that the first section of this file must contain control rules. Then add your audit rules (file watches and system call rules) in the middle section, and finally the last section contains immutability settings which are also control rules.

Examples of Auditd Control Rules

-D #removes all previous rules
-b 3074 #define buffer size
-f 2 #failure mode: 0 = silent, 1 = printk, 2 = panic on failure
-r 120 #create at most 120 audit messages per second

Examples of Auditd File System Rules

You can define file watches using this syntax:

-w /path/to/file/or/directory -p permissions -k key_name

Where the option:

  • -w – is used to specify a file or directory to watch.
  • -p – permissions to be logged: r for read access, w for write access, x for execute access and a for a change of file or directory attributes.
  • -k – allows you to set an optional string for identifying which rule (or set of rules) created a specific log entry.

These rules make the audit system watch for events that change these critical system files.

-w /etc/passwd -p wa -k passwd_changes
-w /etc/group -p wa -k group_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa -k sudoers_changes

Examples of Auditd System Call Rules

You can set a system call rule using the form below:

-a action,filter -S system_call -F field=value -k key_name

where:

  • action – has two possible values: always or never.
  • filter – specifies which kernel rule-matching filter (task, exit, user or exclude) is applied to the event.
  • system call – system call name.
  • field – specifies additional options such as architecture, PID, GID, etc. to refine the rule.

Here are some rules you can define.

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
-a always,exit -S sethostname -S setdomainname -k system_locale

Lastly, add the immutability settings at the end of the file, for example:

-e 1 #enable auditing
-e 2 #make the configuration immutable -- reboot is required to change audit rules

Sample Auditd Rules Configuration File

Auditd Rules Configuration File
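The layout just described (control rules first, watches and syscall rules in the middle, immutability last) is easy to get wrong by hand, and a mistake only surfaces when the rules are loaded. As an added example that is not part of this tutorial, the following shell function lints an audit.rules file for the most common slips: a watch rule whose -p mask contains letters other than rwxa or that has no -k key (a keyless rule is hard to find later with ausearch -k), an -a rule with an invalid action,filter pair or an exit rule without a key, and an -e 2 line that is not the last rule (once the configuration is locked, auditctl refuses every rule that follows it). The function name audit_rules_lint is hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the tutorial): lint an
# audit.rules file for mistakes that only show up when the rules are loaded.
# Prints one line per problem and returns 1 if anything was found.
audit_rules_lint() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    { last = NR }                           # remember the last real rule
    $1 == "-w" {
        has_k = 0; has_p = 1
        for (i = 2; i <= NF; i++) {
            if ($i == "-k") has_k = 1
            # the value after -p must be made only of r, w, x and a
            if ($i == "-p" && $(i + 1) !~ /^[rwxa]+$/) has_p = 0
        }
        if (!has_p) { print "line " NR ": bad -p mask: " $0; bad++ }
        if (!has_k) { print "line " NR ": watch without -k key: " $0; bad++ }
    }
    $1 == "-a" {
        # auditctl accepts action,filter in either order
        if ($2 !~ /^(always|never),(task|exit|user|exclude)$/ &&
            $2 !~ /^(task|exit|user|exclude),(always|never)$/) {
            print "line " NR ": bad action,filter pair: " $0; bad++
        } else if ($2 ~ /exit/) {
            has_k = 0
            for (i = 3; i <= NF; i++) if ($i == "-k") has_k = 1
            if (!has_k) { print "line " NR ": exit rule without -k key: " $0; bad++ }
        }
    }
    $1 == "-e" && $2 == "2" { lock = NR }   # configuration becomes immutable here
    END {
        if (lock && lock != last) {
            print "line " lock ": -e 2 must be the last rule, later rules will be rejected"
            bad++
        }
        exit (bad > 0)
    }' "$1"
}
```

Run it as audit_rules_lint /etc/audit/rules.d/audit.rules before reloading the rules; it only checks the shape of each line, so a rule that passes the lint can still be rejected by auditctl for reasons such as an unknown syscall name.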

How to Set Auditd Rules Using auditctl Utility

Alternatively, send the options to auditd while it is running using auditctl, as in the following examples. These commands can override the rules in the configuration file.

To list all currently loaded audit rules, pass the -l flag:

# auditctl -l

Next, try to add a few rules:

# auditctl -w /etc/passwd -p wa -k passwd_changes
# auditctl -w /etc/group -p wa -k group_changes
# auditctl -w /etc/sudoers -p wa -k sudoers_changes
# auditctl -l

Add Auditd Rules Using Auditctl

Understanding Auditd Log Files

All audit messages are recorded in /var/log/audit/audit.log file by default. To understand the log entry format, we’ll load a rule and check the log entry generated after an event matching the rule.

Assuming we have a secret backups directory, this audit rule will log any attempts to access or modify this directory:

# auditctl -w /backups/secret_files/ -p rwa -k secret_backup

Now, using another system account, try to move into the directory above and run the ls command:

$ cd /backups/secret_files/
$ ls

The log entry will look like so.

Check Audit Logs for Changes

The above event is made up of three types of audit records. The first is type=SYSCALL:

type=SYSCALL msg=audit(1505784331.849:444): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=8ad5c0 a2=90800 a3=0 items=1 ppid=2191 pid=2680 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="secret_backup"

The second is type=CWD.

type=CWD msg=audit(1505784331.849:444): cwd="/backups/secret_files"

And the last one is type=PATH:

type=PATH msg=audit(1505784331.849:444): item=0 name="." inode=261635 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=NORMAL
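The three records above belong to one event because they carry the same serial number in msg=audit(timestamp:serial), and that is also how the ausearch article's failed-login (-m USER_LOGIN -sv no) and key (-k) searches find what they report. To tie the two together, here is an added example, not part of either article and not how ausearch itself is implemented, that pulls the same information out of raw audit.log lines with grep, sed and awk. The sample log is constructed: the SYSCALL, CWD and PATH records are the ones shown above, while the CONFIG_CHANGE and USER_LOGIN lines are made up in the same record layout. The function names are hypothetical, and unlike ausearch these helpers do not decode hex-encoded field values, so use them to understand the format rather than as a replacement.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not ausearch and not part of either article):
# pull the same answers ausearch gives out of raw audit.log lines.

# Constructed sample log. The SYSCALL, CWD and PATH records are the ones shown
# above; the CONFIG_CHANGE and USER_LOGIN records are made up in the same layout.
SAMPLE_AUDIT_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_AUDIT_LOG"' EXIT
cat > "$SAMPLE_AUDIT_LOG" <<'EOF'
type=CONFIG_CHANGE msg=audit(1505784300.101:440): auid=1000 ses=3 op=add_rule key="secret_backup" list=4 res=1
type=USER_LOGIN msg=audit(1505784310.200:441): pid=2601 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1505784315.300:442): pid=2602 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="tecmint" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1505784320.400:443): pid=2603 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.7 terminal=ssh res=success'
type=SYSCALL msg=audit(1505784331.849:444): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=8ad5c0 a2=90800 a3=0 items=1 ppid=2191 pid=2680 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="secret_backup"
type=CWD msg=audit(1505784331.849:444): cwd="/backups/secret_files"
type=PATH msg=audit(1505784331.849:444): item=0 name="." inode=261635 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=NORMAL
EOF

# Equivalent of `ausearch -m USER_LOGIN -sv no`: print "account address" per failure.
audit_failed_logins() {
    grep 'type=USER_LOGIN ' "$1" | grep 'res=failed' \
        | sed -n 's/.*acct="\([^"]*\)".*addr=\([^ ]*\).*/\1 \2/p'
}

# All records of one event: they share the serial in msg=audit(timestamp:serial).
audit_event() {
    grep "msg=audit([0-9.]*:$2):" "$1"
}

# Equivalent of `ausearch -k KEY`: every record of every event tagged with KEY,
# including the CONFIG_CHANGE record written when the rule itself was loaded.
audit_events_by_key() {
    for serial in $(grep "key=\"$2\"" "$1" \
            | sed -n 's/.*msg=audit([0-9.]*:\([0-9]*\)):.*/\1/p' | sort -u); do
        audit_event "$1" "$serial"
    done
}

# Join SYSCALL (auid, comm, exe), CWD (cwd) and PATH (name) into one line.
# With several PATH items the last name wins; ausearch -i lists each item.
audit_event_summary() {
    audit_event "$1" "$2" | awk '
    { for (i = 1; i <= NF; i++) {
          split($i, kv, "="); v = kv[2]; gsub(/"/, "", v)
          if (kv[1] == "auid") auid = v
          if (kv[1] == "comm") comm = v
          if (kv[1] == "exe")  exe  = v
          if (kv[1] == "cwd")  cwd  = v
          if (kv[1] == "name") name = v } }
    END { printf "auid=%s comm=%s exe=%s cwd=%s name=%s\n", auid, comm, exe, cwd, name }'
}

audit_failed_logins "$SAMPLE_AUDIT_LOG"
audit_event_summary "$SAMPLE_AUDIT_LOG" 444
```

Point the functions at /var/log/audit/audit.log to run them on a real log. The CONFIG_CHANGE record in the sample is why a key search also returns the moment the rule was added, as the ausearch article notes, and the auid in the summary is the login UID that survives su and sudo, which is what makes the SYSCALL record attributable to a person rather than to a process.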

You can find a complete list of all the event fields (such as msg, arch, ses, etc.) and their meanings in the Audit System Reference.

That’s all for now. In the next article, we will look at how to use ausearch to query audit log files: we will explain how to search for specific information from the audit logs. If you have any questions, please reach us via the comment section below.