Quick Tutorial: Linux Logging for Hackers
Logging is one of the critical aspects of security. The system logs information about errors and security alerts. As a security researcher, you should know what fingerprints and logging information you leave behind after accessing the target. This article covers the basic information the Linux system gathers while you browse, and how hackers can manage and delete the traces of their access by configuring the files responsible for logging.
What information is logged
Linux systems come with a decent amount of logging capability. Linux logs user actions, and kernel events are logged as well. In other words, if you have configured logging correctly, you can easily diagnose what actions were performed on the servers.
rsyslog
rsyslog is the default logging service on most Linux distributions. It allows an administrator to configure what the different services log and where that information goes. rsyslog, syslog-ng, syslog, etc. are the variants shipped by different Linux distributions. For example, Kali Linux has rsyslog by default.
You can find the location of rsyslog by using the locate command:
locate rsyslog
As a security guy, you should be more interested in the configuration file of rsyslog. You can use any editor to view the file; I have used nano here:
nano /etc/rsyslog.conf
If you scroll down, you will see the rules for the logged information. These simply define what information is logged and what is not.
/var/log
This directory contains all logs, including those of the OS, applications, and services.
How to manage logs for space
You can set up a policy to delete log files periodically or whenever disk space runs low. This is done with the logrotate utility. Locate logrotate using the locate utility:
locate logrotate
You can edit or manage log rotation with the command below:
nano /etc/logrotate.conf
How to disable logging
An attacker may remove tracks by simply disabling the logging on the Linux system:
service rsyslog stop
You can start it again with the command below:
service rsyslog start
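Stopping the daemon is itself visible to a defender: rsyslogd writes an "exiting on signal" line when it is terminated, and the log then falls silent until it is started again. As an added example (not from the original article), the following Python script scans syslog-format lines for that shutdown marker and for silent periods longer than a threshold. The sample lines, hostname, PIDs and the 30-minute threshold are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/syslog lines (not captured from a real host).
SAMPLE_SYSLOG = """\
Mar 10 14:00:01 web01 CRON[2211]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 14:02:17 web01 sshd[2290]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar 10 14:03:22 web01 rsyslogd: [origin software="rsyslogd" swVersion="8.2001.0" x-pid="612"] exiting on signal 15.
Mar 10 15:41:09 web01 rsyslogd: [origin software="rsyslogd" swVersion="8.2001.0" x-pid="4410"] start
Mar 10 15:41:10 web01 systemd[1]: Started System Logging Service.
"""

# Traditional syslog line: "Mon DD HH:MM:SS host tag: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)


def parse_line(line, year=2024):
    """Parse one syslog line; the classic format carries no year, so one is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["tag"], m["msg"]


def find_logging_gaps(text, max_gap_minutes=30, year=2024):
    """Return findings: rsyslogd shutdown markers and silent periods longer than max_gap_minutes."""
    findings = []
    prev = None
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _host, tag, msg = parsed
        # rsyslogd logs this line when it receives SIGTERM (e.g. "service rsyslog stop").
        if tag.startswith("rsyslogd") and "exiting on signal" in msg:
            findings.append(("rsyslog_stopped", ts))
        # A long stretch with no entries at all is the gap the stop leaves behind.
        if prev is not None:
            gap = (ts - prev).total_seconds() / 60
            if gap > max_gap_minutes:
                findings.append(("silent_period", prev, ts, round(gap, 1)))
        prev = ts
    return findings


if __name__ == "__main__":
    for finding in find_logging_gaps(SAMPLE_SYSLOG):
        print(finding)
```

On a live system the same function can be fed the contents of /var/log/syslog; a stop marker followed by a silent period is the pattern that the procedure above leaves behind.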
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purposes only. Individuals are solely responsible for any illegal acts.