Lab9 Solution Amirlan Sharipov (BS21-CS-01)

1. Question 1

I would use rsyslog and journald, forward their logs to the ELK stack and use it as a SIEM. There are many people familiar with the ELK stack, and it's easy to scale.

2. Question 2

$ sudo cat /etc/rsyslog.d/auth-errors.conf
auth.alert,authpriv.alert /var/log/auth-errors

3. Question 3

$ cat /etc/logrotate.d/httpd
/var/log/httpd/*log {
   rotate 10
   compress
   missingok
   sharedscripts
   postrotate
      /usr/bin/systemctl reload httpd.service 2>/dev/null || true
   endscript
}

Cron entry that runs the rotation:

* */6 * * * logrotate /etc/logrotate.d/httpd

4. Question 4

5. Question 5

in /etc/bashrc:

export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" )"'

in /etc/rsyslog.d/bash.conf:

local6.* /var/log/commands.log

Taken from https://unix.stackexchange.com/questions/664581/how-do-i-log-all-commands-executed-by-all-users
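To check what the two rsyslog selector lines above (Question 2's auth.alert,authpriv.alert and Question 5's local6.*) actually deliver, here is a small model of classic syslog selector matching. It is an added example, not part of the lab solution; the facility and priority tables are the standard syslog ones, and the handling of "=", "!" and "none" follows the sysklogd-style syntax rsyslog still accepts.

```python
# Added example (not part of the lab solution): a model of how the classic
# rsyslog selector lines from Questions 2 and 5 choose messages. A bare
# priority means "that priority and above", so auth.alert also delivers
# auth.emerg, and local6.* catches the PROMPT_COMMAND logger's local6.debug.
import re

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

def parse_selectors(spec):
    """(facility, priority) pairs, parsed sysklogd-style: facilities before
    '.' may be comma-separated; another selector may follow ',' or ';'."""
    pairs, rest = [], spec
    while rest:
        facs, _, rest = rest.partition(".")
        pri, rest = re.match(r"([^,;]*)[,;]?(.*)$", rest).groups()
        pairs += [(fac.strip(), pri) for fac in facs.split(",")]
    return pairs

def priority_set(pri):
    """Priorities named by a positive spec: '*', 'none', '=err' or 'err'."""
    if pri == "*":
        return set(PRIORITIES)
    if pri == "none":
        return set()
    if pri.startswith("="):
        return {pri[1:]}
    return set(PRIORITIES[PRIORITIES.index(pri):])  # this priority and above

def build_rule(line):
    """'auth.alert,authpriv.alert /var/log/auth-errors' -> (table, target),
    where table maps each facility to the priorities it will log."""
    spec, target = line.split(None, 1)
    table = {}
    for fac, pri in parse_selectors(spec):
        for f in (FACILITIES if fac == "*" else [fac]):
            if pri.startswith("!"):  # '!err' / '!=err' narrow what was allowed
                table[f] = table.get(f, set()) - priority_set(pri[1:])
            else:                    # a later positive selector overrides
                table[f] = priority_set(pri)
    return table, target.strip()

def delivered_to(line, msg_fac, msg_pri):
    """Target path if a (facility, priority) message matches this line, else None."""
    table, target = build_rule(line)
    return target if msg_pri in table.get(msg_fac, set()) else None

AUTH_RULE = "auth.alert,authpriv.alert /var/log/auth-errors"  # Question 2
CMD_RULE = "local6.* /var/log/commands.log"                   # Question 5
```

Note that auth.err is not written to /var/log/auth-errors by the Question 2 rule, which only catches alert and emerg; a failed login is normally logged at info or notice, so this file holds only the most severe auth events.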

Author: Amirlan Sharipov (BS21-CS-01)

Created: 2023-04-14 Fri 00:00