rinri
/
system-and-network-administration-course
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
1 Branch
1.6 MiB
 
 
 
Tree: 89edcc5866
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '89edcc5866'
${ noResults }
system-and-network-administ.../week10/lab10.html

473 lines
51 KiB
Raw Blame History 

  1. <!DOCTYPE html>

  2. 

  3. <html lang="en">

  4. 

  5. <head>

  6.     <meta charset="utf-8">

  7.     <meta http-equiv="X-UA-Compatible" content="IE=edge">

  8.     <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no">

  9.     <meta name="apple-mobile-web-app-capable" content="yes">

  10.     <meta name="apple-mobile-web-app-status-bar-style" content="black">

  11.     <meta name="mobile-web-app-capable" content="yes">

  12.     <title>

  13.         Lab 10: Logging and auditing - HackMD

  14.     </title>

  15.     <link rel="icon" type="image/png" href="https://hackmd.io/favicon.png">

  16.     <link rel="apple-touch-icon" href="https://hackmd.io/apple-touch-icon.png">

  17. 

  18.     <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha256-916EbMg70RQy9LHiGkXzG8hSg9EdNy97GazNG/aiY1w=" crossorigin="anonymous" />

  19.     <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css" integrity="sha256-eZrrJcwDc/3uDhsdt61sL2oOBY362qM3lon1gyExkL0=" crossorigin="anonymous" />

  20.     <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/ionicons/2.0.1/css/ionicons.min.css" integrity="sha256-3iu9jgsy9TpTwXKb7bNQzqWekRX7pPK+2OLj3R922fo=" crossorigin="anonymous" />

  21.     <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/octicons/3.5.0/octicons.min.css" integrity="sha256-QiWfLIsCT02Sdwkogf6YMiQlj4NE84MKkzEMkZnMGdg=" crossorigin="anonymous" />

  22.     <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.5.1/themes/prism.min.css" integrity="sha256-vtR0hSWRc3Tb26iuN2oZHt3KRUomwTufNIf5/4oeCyg=" crossorigin="anonymous" />

  23.     <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@hackmd/emojify.js@2.1.0/dist/css/basic/emojify.min.css" integrity="sha256-UOrvMOsSDSrW6szVLe8ZDZezBxh5IoIfgTwdNDgTjiU=" crossorigin="anonymous" />

  24.     <style>

  25.         @import url(https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,500,500i|Source+Code+Pro:300,400,500|Source+Sans+Pro:300,300i,400,400i,600,600i|Source+Serif+Pro&subset=latin-ext);.hljs{background:#fff;color:#333;display:block;overflow-x:auto;padding:.5em}.hljs-comment,.hljs-meta{color:#969896}.hljs-emphasis,.hljs-quote,.hljs-string,.hljs-strong,.hljs-template-variable,.hljs-variable{color:#df5000}.hljs-keyword,.hljs-selector-tag,.hljs-type{color:#a71d5d}.hljs-attribute,.hljs-bullet,.hljs-literal,.hljs-number,.hljs-symbol{color:#0086b3}.hljs-built_in,.hljs-builtin-name{color:#005cc5}.hljs-name,.hljs-section{color:#63a35c}.hljs-tag{color:#333}.hljs-attr,.hljs-selector-attr,.hljs-selector-class,.hljs-selector-id,.hljs-selector-pseudo,.hljs-title{color:#795da3}.hljs-addition{background-color:#eaffea;color:#55a532}.hljs-deletion{background-color:#ffecec;color:#bd2c00}.hljs-link{text-decoration:underline}.markdown-body{word-wrap:break-word;font-size:16px;line-height:1.5}.markdown-body:after,.markdown-body:before{content:"";display:table}.markdown-body:after{clear:both}.markdown-body>:first-child{margin-top:0!important}.markdown-body>:last-child{margin-bottom:0!important}.markdown-body a:not([href]){color:inherit;text-decoration:none}.markdown-body .absent{color:#c00}.markdown-body .anchor{float:left;line-height:1;margin-left:-20px;padding-right:4px}.markdown-body .anchor:focus{outline:none}.markdown-body blockquote,.markdown-body dl,.markdown-body ol,.markdown-body p,.markdown-body pre,.markdown-body table,.markdown-body ul{margin-bottom:16px;margin-top:0}.markdown-body hr{background-color:#e7e7e7;border:0;height:.25em;margin:24px 0;padding:0}.markdown-body blockquote{border-left:.25em solid #ddd;color:#777;font-size:16px;padding:0 1em}.markdown-body blockquote>:first-child{margin-top:0}.markdown-body blockquote>:last-child{margin-bottom:0}.markdown-body kbd,.popover kbd{background-color:#fcfcfc;border:1px solid;border-color:#ccc #ccc #bbb;border-radius:3px;box-shadow:inset 0 -1px 0 #bbb;color:#555;display:inline-block;font-size:11px;line-height:10px;padding:3px 5px;vertical-align:middle}.markdown-body .loweralpha{list-style-type:lower-alpha}.markdown-body h1,.markdown-body h2,.markdown-body h3,.markdown-body h4,.markdown-body h5,.markdown-body h6{font-weight:600;line-height:1.25;margin-bottom:16px;margin-top:24px}.markdown-body h1 .octicon-link,.markdown-body h2 .octicon-link,.markdown-body h3 .octicon-link,.markdown-body h4 .octicon-link,.markdown-body h5 .octicon-link,.markdown-body h6 .octicon-link{color:#000;vertical-align:middle;visibility:hidden}.markdown-body h1:hover .anchor,.markdown-body h2:hover .anchor,.markdown-body h3:hover .anchor,.markdown-body h4:hover .anchor,.markdown-body h5:hover .anchor,.markdown-body h6:hover .anchor{text-decoration:none}.markdown-body h1:hover .anchor .octicon-link,.markdown-body h2:hover .anchor .octicon-link,.markdown-body h3:hover .anchor .octicon-link,.markdown-body h4:hover .anchor .octicon-link,.markdown-body h5:hover .anchor .octicon-link,.markdown-body h6:hover .anchor .octicon-link{visibility:visible}.markdown-body h1 code,.markdown-body h1 tt,.markdown-body h2 code,.markdown-body h2 tt,.markdown-body h3 code,.markdown-body h3 tt,.markdown-body h4 code,.markdown-body h4 tt,.markdown-body h5 code,.markdown-body h5 tt,.markdown-body h6 code,.markdown-body h6 tt{font-size:inherit}.markdown-body h1{font-size:2em}.markdown-body h1,.markdown-body h2{border-bottom:1px solid #eee;padding-bottom:.3em}.markdown-body h2{font-size:1.5em}.markdown-body h3{font-size:1.25em}.markdown-body h4{font-size:1em}.markdown-body h5{font-size:.875em}.markdown-body h6{color:#777;font-size:.85em}.markdown-body ol,.markdown-body ul{padding-left:2em}.markdown-body ol.no-list,.markdown-body ul.no-list{list-style-type:none;padding:0}.markdown-body ol ol,.markdown-body ol ul,.markdown-body ul ol,.markdown-body ul ul{margin-bottom:0;margin-top:0}.markdown-body li>p{margin-top:16px}.markdown-body li+li{padding-top:.25em}.markdown-body dl{padding:0}.markdown-body dl dt{font-size:1em;font-style:italic;font-weight:700;margin-top:16px;padding:0}.markdown-body dl dd{margin-bottom:16px;padding:0 16px}.markdown-body table{display:block;overflow:auto;width:100%;word-break:normal;word-break:keep-all}.markdown-body table th{font-weight:700}.markdown-body table td,.markdown-body table th{border:1px solid #ddd;padding:6px 13px}.markdown-body table tr{background-color:#fff;border-top:1px solid #ccc}.markdown-body table tr:nth-child(2n){background-color:#f8f8f8}.markdown-body img{background-color:#fff;box-sizing:initial;max-width:100%}.markdown-body img[align=right]{padding-left:20px}.markdown-body img[align=left]{padding-right:20px}.markdown-body .emoji{background-color:initial;max-width:none;vertical-align:text-top}.markdown-body span.frame{display:block;overflow:hidden}.markdown-body span.frame>span{border:1px solid #ddd;display:block;float:left;margin:13px 0 0;overflow:hidden;padding:7px;width:auto}.markdown-body span.frame span img{display:block;float:left}.markdown-body span.frame span span{clear:both;color:#333;display:block;padding:5px 0 0}.markdown-body span.align-center{clear:both;display:block;overflow:hidden}.markdown-body span.align-center>span{display:block;margin:13px auto 0;overflow:hidden;text-align:center}.markdown-body span.align-center span img{margin:0 auto;text-align:center}.markdown-body span.align-right{clear:both;display:block;overflow:hidden}.markdown-body span.align-right>span{display:block;margin:13px 0 0;overflow:hidden;text-align:right}.markdown-body span.align-right span img{margin:0;text-align:right}.markdown-body span.float-left{display:block;float:left;margin-right:13px;overflow:hidden}.markdown-body span.float-left span{margin:13px 0 0}.markdown-body span.float-right{display:block;float:right;margin-left:13px;overflow:hidden}.markdown-body span.float-right>span{display:block;margin:13px auto 0;overflow:hidden;text-align:right}.markdown-body code,.markdown-body tt{background-color:#0000000a;border-radius:3px;font-size:85%;margin:0;padding:.2em 0}.markdown-body code:after,.markdown-body code:before,.markdown-body tt:after,.markdown-body tt:before{content:"\00a0";letter-spacing:-.2em}.markdown-body code br,.markdown-body tt br{display:none}.markdown-body del code{text-decoration:inherit}.markdown-body pre{word-wrap:normal}.markdown-body pre>code{background:#0000;border:0;font-size:100%;margin:0;padding:0;white-space:pre;word-break:normal}.markdown-body .highlight{margin-bottom:16px}.markdown-body .highlight pre{margin-bottom:0;word-break:normal}.markdown-body .highlight pre,.markdown-body pre{background-color:#f7f7f7;border-radius:3px;font-size:85%;line-height:1.45;overflow:auto;padding:16px}.markdown-body pre code,.markdown-body pre tt{word-wrap:normal;background-color:initial;border:0;display:inline;line-height:inherit;margin:0;max-width:auto;overflow:visible;padding:0}.markdown-body pre code:after,.markdown-body pre code:before,.markdown-body pre tt:after,.markdown-body pre tt:before{content:normal}.markdown-body .csv-data td,.markdown-body .csv-data th{font-size:12px;line-height:1;overflow:hidden;padding:5px;text-align:left;white-space:nowrap}.markdown-body .csv-data .blob-line-num{background:#fff;border:0;padding:10px 8px 9px;text-align:right}.markdown-body .csv-data tr{border-top:0}.markdown-body .csv-data th{background:#f8f8f8;border-top:0;font-weight:700}.news .alert .markdown-body blockquote{border:0;padding:0 0 0 40px}.activity-tab .news .alert .commits,.activity-tab .news .markdown-body blockquote{padding-left:0}.task-list-item{list-style-type:none}.task-list-item label{font-weight:400}.task-list-item.enabled label{cursor:pointer}.task-list-item+.task-list-item{margin-top:3px}.task-list-item-checkbox{cursor:default!important;float:left;margin:.31em 0 .2em -1.3em!important;vertical-align:middle}.markdown-body{max-width:758px;overflow:visible!important;padding-bottom:40px;padding-top:40px;position:relative}.markdown-body .emoji{vertical-align:top}.markdown-body pre{border:inherit!important}.markdown-body code{color:inherit!important}.markdown-body pre code .wrapper{display:-moz-inline-flex;display:-ms-inline-flex;display:-o-inline-flex;display:inline-flex}.markdown-body pre code .gutter{float:left;overflow:hidden;-webkit-user-select:none;user-select:none}.markdown-body pre code .gutter.linenumber{border-right:3px solid #6ce26c!important;box-sizing:initial;color:#afafaf!important;cursor:default;display:inline-block;min-width:20px;padding:0 8px 0 0;position:relative;text-align:right;z-index:4}.markdown-body pre code .gutter.linenumber>span:before{content:attr(data-linenumber)}.markdown-body pre code .code{float:left;margin:0 0 0 16px}.markdown-body .gist .line-numbers{border-bottom:none;border-left:none;border-top:none}.markdown-body .gist .line-data{border:none}.markdown-body .gist table{border-collapse:inherit!important;border-spacing:0}.markdown-body code[data-gist-id]{background:none;padding:0}.markdown-body code[data-gist-id]:after,.markdown-body code[data-gist-id]:before{content:""}.markdown-body code[data-gist-id] .blob-num{border:unset}.markdown-body code[data-gist-id] table{margin-bottom:unset;overflow:unset}.markdown-body code[data-gist-id] table tr{background:unset}.markdown-body[dir=rtl] pre{direction:ltr}.markdown-body[dir=rtl] code{direction:ltr;unicode-bidi:embed}.markdown-body .alert>p:last-child{margin-bottom:0}.markdown-body pre.abc,.markdown-body pre.flow-chart,.markdown-body pre.graphviz,.markdown-body pre.mermaid,.markdown-body pre.sequence-diagram,.markdown-body pre.vega{background-color:inherit;border-radius:0;overflow:visible;text-align:center;white-space:inherit}.markdown-body pre.abc>code,.markdown-body pre.flow-chart>code,.markdown-body pre.graphviz>code,.markdown-body pre.mermaid>code,.markdown-body pre.sequence-diagram>code,.markdown-body pre.vega>code{text-align:left}.markdown-body pre.abc>svg,.markdown-body pre.flow-chart>svg,.markdown-body pre.graphviz>svg,.markdown-body pre.mermaid>svg,.markdown-body pre.sequence-diagram>svg,.markdown-body pre.vega>svg{height:100%;max-width:100%}.markdown-body pre>code.wrap{word-wrap:break-word;white-space:pre-wrap;white-space:-moz-pre-wrap;white-space:-pre-wrap;white-space:-o-pre-wrap}.markdown-body .alert>p:last-child,.markdown-body .alert>ul:last-child{margin-bottom:0}.markdown-body summary{display:list-item}.markdown-body summary:focus{outline:none}.markdown-body details summary{cursor:pointer}.markdown-body details:not([open])>:not(summary){display:none}.markdown-body figure{margin:1em 40px}.markdown-body .mark,.markdown-body mark{background-color:#fff1a7}.vimeo,.youtube{background-color:#000;background-position:50%;background-repeat:no-repeat;background-size:contain;cursor:pointer;display:table;overflow:hidden;text-align:center}.vimeo,.youtube{position:relative;width:100%}.youtube{padding-bottom:56.25%}.vimeo img{object-fit:contain;width:100%;z-index:0}.youtube img{object-fit:cover;z-index:0}.vimeo iframe,.youtube iframe,.youtube img{height:100%;left:0;position:absolute;top:0;width:100%}.vimeo iframe,.youtube iframe{vertical-align:middle;z-index:1}.vimeo .icon,.youtube .icon{color:#fff;height:auto;left:50%;opacity:.3;position:absolute;top:50%;transform:translate(-50%,-50%);transition:opacity .2s;width:auto;z-index:0}.vimeo:hover .icon,.youtube:hover .icon{opacity:.6;transition:opacity .2s}.slideshare .inner,.speakerdeck .inner{position:relative;width:100%}.slideshare .inner iframe,.speakerdeck .inner iframe{bottom:0;height:100%;left:0;position:absolute;right:0;top:0;width:100%}.figma{display:table;padding-bottom:56.25%;position:relative;width:100%}.figma iframe{border:1px solid #eee;bottom:0;height:100%;left:0;position:absolute;right:0;top:0;width:100%}.markmap-container{height:300px}.markmap-container>svg{height:100%;width:100%}.MJX_Assistive_MathML{display:none}#MathJax_Message{z-index:1000!important}.ui-infobar{color:#777;margin:25px auto -25px;max-width:760px;position:relative;z-index:2}.toc .invisable-node{list-style-type:none}.ui-toc{bottom:20px;position:fixed;z-index:998}.ui-toc.both-mode{margin-left:8px}.ui-toc.both-mode .ui-toc-label{border-bottom-left-radius:0;border-top-left-radius:0;height:40px;padding:10px 4px}.ui-toc-label{background-color:#e6e6e6;border:none;color:#868686;transition:opacity .2s}.ui-toc .open .ui-toc-label{color:#fff;opacity:1;transition:opacity .2s}.ui-toc-label:focus{background-color:#ccc;color:#000;opacity:.3}.ui-toc-label:hover{background-color:#ccc;opacity:1;transition:opacity .2s}.ui-toc-dropdown{margin-bottom:20px;margin-top:20px;max-height:70vh;max-width:45vw;overflow:auto;padding-left:10px;padding-right:10px;text-align:inherit;width:25vw}.ui-toc-dropdown>.toc{max-height:calc(70vh - 100px);overflow:auto}.ui-toc-dropdown[dir=rtl] .nav{letter-spacing:.0029em;padding-right:0}.ui-toc-dropdown a{overflow:hidden;text-overflow:ellipsis;white-space:pre}.ui-toc-dropdown .nav>li>a{color:#767676;display:block;font-size:13px;font-weight:500;padding:4px 20px}.ui-toc-dropdown .nav>li:first-child:last-child>ul,.ui-toc-dropdown .toc.expand ul{display:block}.ui-toc-dropdown .nav>li>a:focus,.ui-toc-dropdown .nav>li>a:hover{background-color:initial;border-left:1px solid #000;color:#000;padding-left:19px;text-decoration:none}.ui-toc-dropdown[dir=rtl] .nav>li>a:focus,.ui-toc-dropdown[dir=rtl] .nav>li>a:hover{border-left:none;border-right:1px solid #000;padding-right:19px}.ui-toc-dropdown .nav>.active:focus>a,.ui-toc-dropdown .nav>.active:hover>a,.ui-toc-dropdown .nav>.active>a{background-color:initial;border-left:2px solid #000;color:#000;font-weight:700;padding-left:18px}.ui-toc-dropdown[dir=rtl] .nav>.active:focus>a,.ui-toc-dropdown[dir=rtl] .nav>.active:hover>a,.ui-toc-dropdown[dir=rtl] .nav>.active>a{border-left:none;border-right:2px solid #000;padding-right:18px}.ui-toc-dropdown .nav .nav{display:none;padding-bottom:10px}.ui-toc-dropdown .nav>.active>ul{display:block}.ui-toc-dropdown .nav .nav>li>a{font-size:12px;font-weight:400;padding-bottom:1px;padding-left:30px;padding-top:1px}.ui-toc-dropdown[dir=rtl] .nav .nav>li>a{padding-right:30px}.ui-toc-dropdown .nav .nav>li>ul>li>a{font-size:12px;font-weight:400;padding-bottom:1px;padding-left:40px;padding-top:1px}.ui-toc-dropdown[dir=rtl] .nav .nav>li>ul>li>a{padding-right:40px}.ui-toc-dropdown .nav .nav>li>a:focus,.ui-toc-dropdown .nav .nav>li>a:hover{padding-left:29px}.ui-toc-dropdown[dir=rtl] .nav .nav>li>a:focus,.ui-toc-dropdown[dir=rtl] .nav .nav>li>a:hover{padding-right:29px}.ui-toc-dropdown .nav .nav>li>ul>li>a:focus,.ui-toc-dropdown .nav .nav>li>ul>li>a:hover{padding-left:39px}.ui-toc-dropdown[dir=rtl] .nav .nav>li>ul>li>a:focus,.ui-toc-dropdown[dir=rtl] .nav .nav>li>ul>li>a:hover{padding-right:39px}.ui-toc-dropdown .nav .nav>.active:focus>a,.ui-toc-dropdown .nav .nav>.active:hover>a,.ui-toc-dropdown .nav .nav>.active>a{font-weight:500;padding-left:28px}.ui-toc-dropdown[dir=rtl] .nav .nav>.active:focus>a,.ui-toc-dropdown[dir=rtl] .nav .nav>.active:hover>a,.ui-toc-dropdown[dir=rtl] .nav .nav>.active>a{padding-right:28px}.ui-toc-dropdown .nav .nav>.active>.nav>.active:focus>a,.ui-toc-dropdown .nav .nav>.active>.nav>.active:hover>a,.ui-toc-dropdown .nav .nav>.active>.nav>.active>a{font-weight:500;padding-left:38px}.ui-toc-dropdown[dir=rtl] .nav .nav>.active>.nav>.active:focus>a,.ui-toc-dropdown[dir=rtl] .nav .nav>.active>.nav>.active:hover>a,.ui-toc-dropdown[dir=rtl] .nav .nav>.active>.nav>.active>a{padding-right:38px}.markdown-body{font-family:-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica Neue,Helvetica,Roboto,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol}html[lang^=ja] .markdown-body{font-family:-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica Neue,Helvetica,Roboto,Arial,Hiragino Kaku Gothic Pro,ヒラギノ角ゴ Pro W3,Osaka,Meiryo,メイリオ,MS Gothic,MS ゴシック,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol}html[lang=zh-tw] .markdown-body{font-family:-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica Neue,Helvetica,Roboto,Arial,PingFang TC,Microsoft JhengHei,微軟正黑,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol}html[lang=zh-cn] .markdown-body{font-family:-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica Neue,Helvetica,Roboto,Arial,PingFang SC,Microsoft YaHei,微软雅黑,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol}html .markdown-body[lang^=ja]{font-family:-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica Neue,Helvetica,Roboto,Arial,Hiragino Kaku Gothic Pro,ヒラギノ角ゴ Pro W3,Osaka,Meiryo,メイリオ,MS Gothic,MS ゴシック,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol}html .markdown-body[lang=zh-tw]{font-family:-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica Neue,Helvetica,Roboto,Arial,PingFang TC,Microsoft JhengHei,微軟正黑,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol}html .markdown-body[lang=zh-cn]{font-family:-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica Neue,Helvetica,Roboto,Arial,PingFang SC,Microsoft YaHei,微软雅黑,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol}html[lang^=ja] .ui-toc-dropdown{font-family:Source Sans Pro,Helvetica,Arial,Meiryo UI,MS PGothic,MS Pゴシック,sans-serif}html[lang=zh-tw] .ui-toc-dropdown{font-family:Source Sans Pro,Helvetica,Arial,Microsoft JhengHei UI,微軟正黑UI,sans-serif}html[lang=zh-cn] .ui-toc-dropdown{font-family:Source Sans Pro,Helvetica,Arial,Microsoft YaHei UI,微软雅黑UI,sans-serif}html .ui-toc-dropdown[lang^=ja]{font-family:Source Sans Pro,Helvetica,Arial,Meiryo UI,MS PGothic,MS Pゴシック,sans-serif}html .ui-toc-dropdown[lang=zh-tw]{font-family:Source Sans Pro,Helvetica,Arial,Microsoft JhengHei UI,微軟正黑UI,sans-serif}html .ui-toc-dropdown[lang=zh-cn]{font-family:Source Sans Pro,Helvetica,Arial,Microsoft YaHei UI,微软雅黑UI,sans-serif}.ui-affix-toc{max-height:70vh;max-width:15vw;overflow:auto;position:fixed;top:0}.back-to-top,.expand-toggle,.go-to-bottom{color:#999;display:block;font-size:12px;font-weight:500;margin-left:10px;margin-top:10px;padding:4px 10px}.back-to-top:focus,.back-to-top:hover,.expand-toggle:focus,.expand-toggle:hover,.go-to-bottom:focus,.go-to-bottom:hover{color:#563d7c;text-decoration:none}.back-to-top,.go-to-bottom{margin-top:0}.ui-user-icon{background-position:50%;background-repeat:no-repeat;background-size:cover;border-radius:50%;display:block;height:20px;margin-bottom:2px;margin-right:5px;margin-top:2px;width:20px}.ui-user-icon.small{display:inline-block;height:18px;margin:0 0 .2em;vertical-align:middle;width:18px}.ui-infobar>small>span{line-height:22px}.ui-infobar>small .dropdown{display:inline-block}.ui-infobar>small .dropdown a:focus,.ui-infobar>small .dropdown a:hover{text-decoration:none}.ui-more-info{color:#888;cursor:pointer;vertical-align:middle}.ui-more-info .fa{font-size:16px}.ui-connectedGithub,.ui-published-note{color:#888}.ui-connectedGithub{line-height:23px;white-space:nowrap}.ui-connectedGithub a.file-path{color:#888;padding-left:22px;text-decoration:none}.ui-connectedGithub a.file-path:active,.ui-connectedGithub a.file-path:hover{color:#888;text-decoration:underline}.ui-connectedGithub .fa{font-size:20px}.ui-published-note .fa{font-size:20px;vertical-align:top}.unselectable{-webkit-user-select:none;-o-user-select:none;user-select:none}.selectable{-webkit-user-select:text;-o-user-select:text;user-select:text}.inline-spoiler-section{cursor:pointer}.inline-spoiler-section .spoiler-text{background-color:#333;border-radius:2px}.inline-spoiler-section .spoiler-text>*{opacity:0}.inline-spoiler-section .spoiler-img{filter:blur(10px)}.inline-spoiler-section.raw{background-color:#333;border-radius:2px}.inline-spoiler-section.raw>*{opacity:0}.inline-spoiler-section.unveil{cursor:auto}.inline-spoiler-section.unveil .spoiler-text{background-color:#3333331a}.inline-spoiler-section.unveil .spoiler-text>*{opacity:1}.inline-spoiler-section.unveil .spoiler-img{filter:none}@media print{blockquote,div,img,pre,table{page-break-inside:avoid!important}a[href]:after{font-size:12px!important}}.markdown-body.slides{color:#222;position:relative;z-index:1}.markdown-body.slides:before{background-color:currentColor;bottom:0;box-shadow:0 0 0 50vw;content:"";display:block;left:0;position:absolute;right:0;top:0;z-index:-1}.markdown-body.slides section[data-markdown]{background-color:#fff;margin-bottom:1.5em;position:relative;text-align:center}.markdown-body.slides section[data-markdown] code{text-align:left}.markdown-body.slides section[data-markdown]:before{content:"";display:block;padding-bottom:56.23%}.markdown-body.slides section[data-markdown]>div:first-child{left:1em;max-height:100%;overflow:hidden;position:absolute;right:1em;top:50%;transform:translateY(-50%)}.markdown-body.slides section[data-markdown]>ul{display:inline-block}.markdown-body.slides>section>section+section:after{border:3px solid #777;content:"";height:1.5em;position:absolute;right:1em;top:-1.5em}.site-ui-font{font-family:Source Sans Pro,Helvetica,Arial,sans-serif}html[lang^=ja] .site-ui-font{font-family:Source Sans Pro,Helvetica,Arial,Hiragino Kaku Gothic Pro,ヒラギノ角ゴ Pro W3,Osaka,Meiryo,メイリオ,MS Gothic,MS ゴシック,sans-serif}html[lang=zh-tw] .site-ui-font{font-family:Source Sans Pro,Helvetica,Arial,PingFang TC,Microsoft JhengHei,微軟正黑,sans-serif}html[lang=zh-cn] .site-ui-font{font-family:Source Sans Pro,Helvetica,Arial,PingFang SC,Microsoft YaHei,微软雅黑,sans-serif}body{font-smoothing:subpixel-antialiased!important;-webkit-font-smoothing:subpixel-antialiased!important;-moz-osx-font-smoothing:auto!important;-webkit-overflow-scrolling:touch;font-family:Source Sans Pro,Helvetica,Arial,sans-serif;letter-spacing:.025em}html[lang^=ja] body{font-family:Source Sans Pro,Helvetica,Arial,Hiragino Kaku Gothic Pro,ヒラギノ角ゴ Pro W3,Osaka,Meiryo,メイリオ,MS Gothic,MS ゴシック,sans-serif}html[lang=zh-tw] body{font-family:Source Sans Pro,Helvetica,Arial,PingFang TC,Microsoft JhengHei,微軟正黑,sans-serif}html[lang=zh-cn] body{font-family:Source Sans Pro,Helvetica,Arial,PingFang SC,Microsoft YaHei,微软雅黑,sans-serif}abbr[title]{border-bottom:none;text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted}abbr[data-original-title],abbr[title]{cursor:help}body.modal-open{overflow-y:auto;padding-right:0!important}svg{text-shadow:none}

  26.     </style>

  27.     <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->

  28.     <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->

  29.     <!--[if lt IE 9]>

  30.     	<script src="https://cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.min.js" integrity="sha256-3Jy/GbSLrg0o9y5Z5n1uw0qxZECH7C6OQpVBgNFYa0g=" crossorigin="anonymous"></script>

  31.     	<script src="https://cdnjs.cloudflare.com/ajax/libs/respond.js/1.4.2/respond.min.js" integrity="sha256-g6iAfvZp+nDQ2TdTR/VVKJf3bGro4ub5fvWSWVRi2NE=" crossorigin="anonymous"></script>

  32. 		<script src="https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.9/es5-shim.min.js" integrity="sha256-8E4Is26QH0bD52WoQpcB+R/tcWQtpzlCojrybUd7Mxo=" crossorigin="anonymous"></script>

  33.     <![endif]-->

  34. </head>

  35. 

  36. <body>

  37.     <div id="doc" class="markdown-body container-fluid comment-enabled" data-hard-breaks="true"><h1 id="Lab-10-Logging-and-auditing" data-id="Lab-10-Logging-and-auditing"><a class="anchor hidden-xs" href="#Lab-10-Logging-and-auditing" title="Lab-10-Logging-and-auditing"><span class="octicon octicon-link"></span></a><span>Lab 10: Logging and auditing</span></h1><h2 id="Task-1-journald" data-id="Task-1-journald"><a class="anchor hidden-xs" href="#Task-1-journald" title="Task-1-journald"><span class="octicon octicon-link"></span></a><span>Task 1: journald</span></h2><ul>

  38. <li><span>Journald rate limits log messages and will drop all messages from a service if it passes certain limits. These limits can be configured via </span><code>RateLimitBurst</code><span> and </span><code>RateLimitIntervalSec</code><span>, which default to 10000 and 30s respectively.</span><pre><code>cat /etc/systemd/journald.conf | grep RateLimit

  39. </code></pre>

  40. <span>The rate limiting feature is very handy when you have services that generate a lot of logs.</span></li>

  41. <li><code>journalctl</code><span> is the main tool for interacting with the journal. Run this tool</span><pre><code>$ journalctl

  42. </code></pre>

  43. </li>

  44. <li><span>View all the options you can use with journalctl.</span><pre><code>man journalctl

  45. </code></pre>

  46. </li>

  47. <li><span>Show only the last 10 lines of the journal with the </span><code>-n</code><span> option.</span><pre><code>$ journalctl -n 10

  48. </code></pre>

  49. </li>

  50. <li><span>Follow the logs with the </span><code>-f</code><span> option.</span><pre><code>$ journalctl -f

  51. </code></pre>

  52. </li>

  53. <li><span>View the journal in reverse order. From the newest to the oldest.</span><pre><code>$ journalctl --reverse

  54. </code></pre>

  55. </li>

  56. <li><span>The </span><code>--output</code><span> in journalctl can be used to format the output of the journal in various forms.</span></li>

  57. <li><span>View the journal in json format with the option </span><code>--output=json-pretty</code><span> or just </span><code>--output=json</code><span> if you want it compact.</span><pre><code>$ journalctl --output=json-pretty

  58. </code></pre>

  59. </li>

  60. <li><span>Filter journal for specific systemd unit with the command </span><code>journalctl -u &lt;systemd-unit&gt;</code><span>.</span><pre><code>$ journalctl -u multiuser.target

  61. </code></pre>

  62. </li>

  63. <li><span>You can also filter with the </span><code>-p</code><span> option to specify event severity levels that should be displayed.</span></li>

  64. <li><span>Show only kernel messages.</span><pre><code>$ journalctl --dmesg

  65. </code></pre>

  66. </li>

  67. <li><span>You can filter by time with the </span><code>--since</code><span> and </span><code>--until</code><span> options.</span><pre><code>$ journalctl --since="2022-10-30 23:00:00"

  68. 

  69. OR

  70. 

  71. $ journalctl --since=yesterday --until=now

  72. </code></pre>

  73. </li>

  74. <li><span>You can view the time that the system was reboot in the journal</span><pre><code>$ journalctl MESSAGE="Server listening on 0.0.0.0 port 22."

  75. </code></pre>

  76. </li>

  77. </ul><h2 id="Task-2-rsyslog" data-id="Task-2-rsyslog"><a class="anchor hidden-xs" href="#Task-2-rsyslog" title="Task-2-rsyslog"><span class="octicon octicon-link"></span></a><span>Task 2: rsyslog</span></h2><ul>

  78. <li><span>Use the </span><code>logger</code><span> utility to generate logs.</span><pre><code>$ logger Test

  79. </code></pre>

  80. </li>

  81. <li><span>View the log in </span><code>/varlog/syslog</code><pre><code>$ tail /var/log/syslog

  82. </code></pre>

  83. <span>You should see a line of log similar to the following.</span><pre><code>Oct 30 02:06:04 sna-vm root: Test

  84. </code></pre>

  85. </li>

  86. </ul><p><span>Rsyslog rules typically have the facility and the level. These two combined in the form </span><code>facility.level</code><span> define the priority of the log message.</span></p><blockquote>

  87. <p><span>More about facility and level: </span><a href="https://success.trendmicro.com/dcx/s/solution/TP000086250" target="_blank" rel="noopener"><span>https://success.trendmicro.com/dcx/s/solution/TP000086250</span></a></p>

  88. </blockquote><ul>

  89. <li><span>Create an rsyslog rule that stores all logs with </span><code>mail.emerg</code><span> priority to a log file </span><code>/var/log/test.log</code><span>.</span></li>

  90. <li><span>Do this by adding the following rule to </span><code>/etc/rsyslog.conf</code><span>.</span><pre><code>user.emerg /var/log/test.log

  91. </code></pre>

  92. </li>

  93. <li><span>Restart rsyslog to apply the changes.</span><pre><code>$ systemctl restart rsyslog

  94. </code></pre>

  95. </li>

  96. <li><span>Open a new terminal in another tab where you will run the </span><code>logger</code><span> utility to test this rule and execute the following command.</span><pre><code>$ logger -p user.emerg "test log"

  97. </code></pre>

  98. </li>

  99. <li><span>Go to the previous terminal tab, you should see a message similar to the following:</span><br>

  100. <img src="https://i.imgur.com/jiVqOjg.png" alt="" loading="lazy"><br>

  101. <span>By default, there is a broadcast message everytime an emergency log is received.</span></li>

  102. <li><span>View the log file where the rule we created will save logs of this priority to.</span><pre><code>$ tail /var/log/test.log

  103. </code></pre>

  104. <span>You should get output similar to the following:</span><pre><code>Oct 30 03:24:34 sna-vm user1: test log

  105. </code></pre>

  106. </li>

  107. </ul><h3 id="Logging-rsyslog-to-a-remote-server" data-id="Logging-rsyslog-to-a-remote-server"><a class="anchor hidden-xs" href="#Logging-rsyslog-to-a-remote-server" title="Logging-rsyslog-to-a-remote-server"><span class="octicon octicon-link"></span></a><span>Logging rsyslog to a remote server</span></h3><ul>

  108. <li><span>The rsyslog configuration file is at </span><code>/etc/rsyslog.conf</code><span>.</span></li>

  109. <li><span>Open the configuration file and add the following information. </span><code>IP</code><span> is the IP address of the remote log server.</span><pre><code>*.* @IP

  110. </code></pre>

  111. <blockquote>

  112. <p><span>If you’re using TCP, the syntax is </span><code>*.* @@IP</code><span>.</span><br>

  113. <code>*.*</code><span> means we are forwarding logs of all facility, and all level to the remote server. Essentially forwarding everything.</span><br>

  114. <span>A remote syslog server IP address will be provided in the lab for testing.</span></p>

  115. </blockquote>

  116. </li>

  117. <li><span>Restart the </span><code>rsyslog</code><span> service to apply the changes.</span><pre><code>$ systemctl restart rsyslog

  118. </code></pre>

  119. </li>

  120. </ul><h2 id="Task-3-Logrotate" data-id="Task-3-Logrotate"><a class="anchor hidden-xs" href="#Task-3-Logrotate" title="Task-3-Logrotate"><span class="octicon octicon-link"></span></a><span>Task 3: Logrotate</span></h2><p><span>We have a log file </span><code>/var/log/lab10.log</code><span> that we need to rotate periodically.</span></p><ul>

  121. <li><span>List all configurations created for logrotate to apply on various log files.</span><pre><code>$ ls -lah /etc/logrotate.d/

  122. </code></pre>

  123. </li>

  124. <li><span>Let’s create a custom log rotate configuration. First create the directory:</span><pre><code>$ mkdir /etc/lab10-rotate.d

  125. </code></pre>

  126. </li>

  127. <li><span>Create the file </span><code>/etc/lab10-rotate.d/lab10log</code><span>:</span><pre><code>/var/log/lab10.log {

  128.        su root syslog

  129.        rotate 1

  130.        maxsize 1M

  131.        compress

  132.        delaycompress

  133.    }

  134. </code></pre>

  135. </li>

  136. <li><span>Change the file permissions:</span><pre><code>$ sudo chmod 644 /etc/lab10-rotate.d/lab10log

  137. </code></pre>

  138. </li>

  139. <li><span>Include this new configuration to the </span><code>logrotate</code><span> configuration file.</span><pre><code>$ cat &lt;&lt; EOF | sudo tee /etc/lab10-rotate.conf

  140. # Log rotation information for lab10log

  141. include /etc/lab10-rotate.d

  142. EOF

  143. </code></pre>

  144. </li>

  145. <li><span>Change the file permissions:</span><pre><code>$ sudo chmod 644 /etc/lab10-rotate.conf

  146. </code></pre>

  147. </li>

  148. <li><span>Create a cron job that will run </span><code>logrotate</code><span>. Edit crontab as a root user:</span><pre><code>$ sudo su

  149. $ crontab -e

  150. </code></pre>

  151. <span>Add the following job to cron</span><pre><code>#run command at every 2nd minute

  152. */2 * * * * logrotate /etc/lab10-rotate.d/lab10log

  153. </code></pre>

  154. </li>

  155. </ul><blockquote>

  156. <p><span>You can test and troubleshoot your logrotate configuration by running </span><code>$ logrotate -s logstatus /etc/lab10-rotate.d/lab10log</code><span>.</span><br>

  157. <span>If no message is displayed on the terminal after running the command, it means that the configuration is good.</span><br>

  158. <span>You can look in the target log file directory to verify that the log has been rotated.</span></p>

  159. </blockquote><ul>

  160. <li><span>If you are rotating a running service, it is good practice to restart the service in the logrotate configuration. The format is shown below:</span><pre><code>postrotate

  161.     &lt;command to restart the service&gt;

  162. endscript

  163. </code></pre>

  164. </li>

  165. </ul><h2 id="Task-4-User-authentication-activities" data-id="Task-4-User-authentication-activities"><a class="anchor hidden-xs" href="#Task-4-User-authentication-activities" title="Task-4-User-authentication-activities"><span class="octicon octicon-link"></span></a><span>Task 4: User authentication activities</span></h2><ul>

  166. <li><span>System login activity are saved in the log file </span><code>/var/log/auth.log</code><span>. You can see user sessions opened and other events such as authentication failure.</span></li>

  167. <li><span>Let’s create a new user </span><code>testuser</code><span> which we will use to simulate failed login.</span><pre><code>$ sudo adduser testuser

  168. </code></pre>

  169. <img src="https://i.imgur.com/oh5G1hI.png" alt="" loading="lazy"></li>

  170. <li><span>Try switching to the </span><code>testuser</code><span> with the </span><code>su</code><span> utility. Enter the wrong password on the prompt.</span><pre><code>$ su testuser

  171. Password: 

  172. su: Authentication failure

  173. </code></pre>

  174. </li>

  175. <li><span>Check the log file </span><code>/var/log/auth.log</code><span> to view this failed login activity.</span><pre><code>$ tail /var/log/auth.log

  176. </code></pre>

  177. <span>You should see lines of log similar to the following two. These are the failed login events.</span><pre><code>Oct 30 20:03:07 sna-vm su: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=user1 rhost=  user=testuser

  178. Oct 30 20:03:09 sna-vm su: FAILED SU (to testuser) user1 on pts/0

  179. </code></pre>

  180. </li>

  181. <li><span>Try switching to the </span><code>root</code><span> user. This time, enter three consequtive wrong passwords in the prompt.</span><pre><code>$ sudo su

  182. [sudo] password for user1: 

  183. Sorry, try again.

  184. [sudo] password for user1: 

  185. Sorry, try again.

  186. [sudo] password for user1: 

  187. sudo: 3 incorrect password attempts

  188. </code></pre>

  189. </li>

  190. <li><span>View the authentication log file again.</span><pre><code>$ tail /var/log/auth.log

  191. </code></pre>

  192. <span>You should see the following lines in the output.</span><pre><code>Oct 30 20:09:05 sna-vm sudo: pam_unix(sudo:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/1 ruser=user1 rhost=  user=user1

  193. Oct 30 20:09:13 sna-vm sudo:    user1 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/su

  194. </code></pre>

  195. </li>

  196. <li><span>The audit log file contains several other events. We can filter for failed log in attempts with the text filtering editors.</span><pre><code>$ cat /var/log/auth.log | grep -P "(?i)authentication failure|incorrect password"

  197. </code></pre>

  198. </li>

  199. <li><code>journalctl</code><span> can also display such logs. Let’s run journalctl and filter for authentication failure.</span><pre><code>$ journalctl | grep -P "(?i)authentication failure|incorrect password"

  200. </code></pre>

  201. </li>

  202. <li><span>Create a script that automatically extracts these failed authentication logs and save them to another file. This makes it easier to quickly detect security violations.</span><br>

  203. <span>Create the script </span><code>track_auth_fail.sh</code><pre><code>$ vim track_auth_fail.sh

  204. </code></pre>

  205. <span>Add the following content to the script:</span><pre><code class="bash hljs"><div class="wrapper"><div class="gutter linenumber"><span></span>

  206. <span></span>

  207. <span></span>

  208. <span></span>

  209. <span></span></div><div class="code"><span class="hljs-meta">#!/bin/bash</span>

  210. 

  211. <span class="hljs-built_in">tail</span> -n0 -f /var/log/auth.log | \

  212. grep -P --line-buffered <span class="hljs-string">"authentication failure|incorrect password"</span> |\

  213. <span class="hljs-built_in">tee</span> /var/log/failed_auth.log

  214. </div></div></code></pre>

  215. </li>

  216. <li><span>Run the script in the background and suppress it’s output.</span><pre><code>sudo bash track_auth_fail.sh &gt; /dev/null 2&gt;&amp;1 &amp;

  217. </code></pre>

  218. </li>

  219. <li><span>Simulate a failed login for </span><code>testuser</code><span>.</span><pre><code>$ su testuser

  220. Password: 

  221. su: Authentication failure

  222. </code></pre>

  223. </li>

  224. <li><span>Check the new log file with </span><code> $ tail /var/log/failed_auth.log</code><span>and you should see log similar to the following:</span><pre><code>Oct 30 21:15:37 sna-vm su: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=user1 rhost=  user=testuser

  225. </code></pre>

  226. </li>

  227. </ul><h2 id="Task-5-User-sessions-and-sudo-usage" data-id="Task-5-User-sessions-and-sudo-usage"><a class="anchor hidden-xs" href="#Task-5-User-sessions-and-sudo-usage" title="Task-5-User-sessions-and-sudo-usage"><span class="octicon octicon-link"></span></a><span>Task 5: User sessions and sudo usage</span></h2><ul>

  228. <li><span>We can run commands as other users from our login session. When we do this, a new user session is opened. Run a command as </span><code>testuser</code><span>.</span><pre><code>$ su - testuser -c "whoami"

  229. Password: 

  230. testuser

  231. </code></pre>

  232. </li>

  233. <li><span>Now check the auth log file to see if this activity is logged.</span><pre><code>$ tail  /var/log/auth.log

  234. </code></pre>

  235. <span>You should get output similar to the following:</span><pre><code>Oct 30 21:55:49 sna-vm su: (to testuser) user1 on pts/1

  236. Oct 30 21:55:49 sna-vm su: pam_unix(su-l:session): session opened for user testuser(uid=1001) by (uid=1000)

  237. Oct 30 21:55:50 sna-vm su: pam_unix(su-l:session): session closed for user testuser

  238. </code></pre>

  239. <ul>

  240. <li><span>The first line of log above shows that </span><code>user1</code><span> first attempted to use the </span><code>su</code><span> utility to switch to </span><code>testuser</code><span>.</span></li>

  241. <li><span>The second line shows that the session was opened.</span></li>

  242. <li><span>The third line shows that the session was closed. This happened after the command finished executing.</span></li>

  243. </ul>

  244. </li>

  245. <li><span>Sudo usage logs are also saved in </span><code>/var/log/auth.log</code><span>. When a user runs </span><code>sudo</code><span>, they open a sudo session.</span></li>

  246. <li><span>Filter the log file for </span><code>sudo</code><span>. Run the following command:</span><pre><code>$ sudo ip a

  247. </code></pre>

  248. </li>

  249. <li><span>View the log file</span><pre><code>$ tail  /var/log/auth.log

  250. </code></pre>

  251. <span>You should get output siilar to the following:</span><pre><code>Oct 30 22:03:20 sna-vm sudo:    user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/sbin/ip a

  252. Oct 30 22:03:20 sna-vm sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)

  253. Oct 30 22:03:20 sna-vm sudo: pam_unix(sudo:session): session closed for user root

  254. </code></pre>

  255. <span>When a user attempts to use sudo to execute a command as </span><code>root</code><span>, that command is logged to the auth file as seen in the first line of the output above.</span></li>

  256. <li><span>Filter the log to view all attempts made to execute commands as </span><code>root</code><span>:</span><pre><code>$ cat /var/log/auth.log | grep -P "USER=root.*COMMAND="

  257. </code></pre>

  258. <span>You should get output similar to the following:</span><pre><code>Oct 30 21:15:23 sna-vm sudo:    user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/bash track_auth_fail.sh

  259. Oct 30 21:47:54 sna-vm sudo:    user1 : TTY=pts/1 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/sbin/ip a

  260. Oct 30 22:03:20 sna-vm sudo:    user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/sbin/ip a

  261. Oct 30 22:07:25 sna-vm sudo:    user1 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/sbin/ip a

  262. </code></pre>

  263. </li>

  264. </ul><h2 id="Questions-to-answer" data-id="Questions-to-answer"><a class="anchor hidden-xs" href="#Questions-to-answer" title="Questions-to-answer"><span class="octicon octicon-link"></span></a><span>Questions to answer</span></h2><ol>

  265. <li><span>What security monitoring tool will you forward your system logs to for security event detection? Give reasons for your choice.</span></li>

  266. <li><span>Configure rsyslogd by adding a rule to the newly created configuration file </span><code>/etc/rsyslog.d/auth-errors.conf</code><span> to log all security and authentication messages with the priority alert and higher to the </span><code>/var/log/auth-errors</code><span> file. Test the newly added log directive with the logger command. Verify it from rsyslog and journald perspectives by filtering the output.</span></li>

  267. <li><span>Install Apache web server and configure log rotate to rotate its web access log every six hours. Compress the rotated log files, and ensure that log rotate restarts the web server after rotating the logs. Manually execute the logrotate utility to test your configuration and show results.</span></li>

  268. <li><span>Create a bash script that continuously monitors the </span><code>/var/log/auth.log</code><span> file and triggers an alarm if there are three or more “authentication failure” in 30 seconds. The text </span><code>Three or more authentication failure in 30 seconds</code><span> should be appended to a log file </span><code>/var/log/alarm.log</code><span> everytime the alarm is triggered. Show test use case and results.</span></li>

  269. <li><span>How can you log all commands executed by every user on Linux systems. What utility will you use for this. Show how you configure this tool, and show the logs generated.</span></li>

  270. </ol><h3 id="Bonus" data-id="Bonus"><a class="anchor hidden-xs" href="#Bonus" title="Bonus"><span class="octicon octicon-link"></span></a><span>Bonus</span></h3><ol start="6">

  271. <li><span>Set up a centralized journald logging server </span><code>systemd-journal-remote</code><span>. Configure another machine as a client to forward its journal to the logging server.</span>

  272. <ul>

  273. <li><span>Test your setup by running the </span><code>logger</code><span> utility on the client system and show the logs generated on the logging server.</span></li>

  274. </ul>

  275. </li>

  276. </ol></div>

  277.     <div class="ui-toc dropup unselectable hidden-print" style="display:none;">

  278.         <div class="pull-right dropdown">

  279.             <a id="tocLabel" class="ui-toc-label btn btn-default" data-toggle="dropdown" href="#" role="button" aria-haspopup="true" aria-expanded="false" title="Table of content">

  280.                 <i class="fa fa-bars"></i>

  281.             </a>

  282.             <ul id="ui-toc" class="ui-toc-dropdown dropdown-menu" aria-labelledby="tocLabel">

  283.                 <div class="toc"><ul class="nav">

  284. <li><a href="#Lab-10-Logging-and-auditing" title="Lab 10: Logging and auditing">Lab 10: Logging and auditing</a><ul class="nav">

  285. <li><a href="#Task-1-journald" title="Task 1: journald">Task 1: journald</a></li>

  286. <li><a href="#Task-2-rsyslog" title="Task 2: rsyslog">Task 2: rsyslog</a><ul class="nav">

  287. <li><a href="#Logging-rsyslog-to-a-remote-server" title="Logging rsyslog to a remote server">Logging rsyslog to a remote server</a></li>

  288. </ul>

  289. </li>

  290. <li><a href="#Task-3-Logrotate" title="Task 3: Logrotate">Task 3: Logrotate</a></li>

  291. <li><a href="#Task-4-User-authentication-activities" title="Task 4: User authentication activities">Task 4: User authentication activities</a></li>

  292. <li><a href="#Task-5-User-sessions-and-sudo-usage" title="Task 5: User sessions and sudo usage">Task 5: User sessions and sudo usage</a></li>

  293. <li><a href="#Questions-to-answer" title="Questions to answer">Questions to answer</a><ul class="nav">

  294. <li><a href="#Bonus" title="Bonus">Bonus</a></li>

  295. </ul>

  296. </li>

  297. </ul>

  298. </li>

  299. </ul>

  300. </div><div class="toc-menu"><a class="expand-toggle" href="#">Expand all</a><a class="back-to-top" href="#">Back to top</a><a class="go-to-bottom" href="#">Go to bottom</a></div>

  301.             </ul>

  302.         </div>

  303.     </div>

  304.     <div id="ui-toc-affix" class="ui-affix-toc ui-toc-dropdown unselectable hidden-print" data-spy="affix" style="top:17px;display:none;" null null>

  305.         <div class="toc"><ul class="nav">

  306. <li><a href="#Lab-10-Logging-and-auditing" title="Lab 10: Logging and auditing">Lab 10: Logging and auditing</a><ul class="nav">

  307. <li><a href="#Task-1-journald" title="Task 1: journald">Task 1: journald</a></li>

  308. <li><a href="#Task-2-rsyslog" title="Task 2: rsyslog">Task 2: rsyslog</a><ul class="nav">

  309. <li><a href="#Logging-rsyslog-to-a-remote-server" title="Logging rsyslog to a remote server">Logging rsyslog to a remote server</a></li>

  310. </ul>

  311. </li>

  312. <li><a href="#Task-3-Logrotate" title="Task 3: Logrotate">Task 3: Logrotate</a></li>

  313. <li><a href="#Task-4-User-authentication-activities" title="Task 4: User authentication activities">Task 4: User authentication activities</a></li>

  314. <li><a href="#Task-5-User-sessions-and-sudo-usage" title="Task 5: User sessions and sudo usage">Task 5: User sessions and sudo usage</a></li>

  315. <li><a href="#Questions-to-answer" title="Questions to answer">Questions to answer</a><ul class="nav">

  316. <li><a href="#Bonus" title="Bonus">Bonus</a></li>

  317. </ul>

  318. </li>

  319. </ul>

  320. </li>

  321. </ul>

  322. </div><div class="toc-menu"><a class="expand-toggle" href="#">Expand all</a><a class="back-to-top" href="#">Back to top</a><a class="go-to-bottom" href="#">Go to bottom</a></div>

  323.     </div>

  324.     <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script>

  325.     <script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha256-U5ZEeKfGNOja007MMD3YBI0A3OSZOQbeG6z2f2Y0hu8=" crossorigin="anonymous" defer></script>

  326.     <script src="https://cdnjs.cloudflare.com/ajax/libs/gist-embed/2.6.0/gist-embed.min.js" integrity="sha256-KyF2D6xPIJUW5sUDSs93vWyZm+1RzIpKCexxElmxl8g=" crossorigin="anonymous" defer></script>

  327.     <script>

  328.         var markdown = $(".markdown-body");

  329.         //smooth all hash trigger scrolling

  330.         function smoothHashScroll() {

  331.             var hashElements = $("a[href^='#']").toArray();

  332.             for (var i = 0; i < hashElements.length; i++) {

  333.                 var element = hashElements[i];

  334.                 var $element = $(element);

  335.                 var hash = element.hash;

  336.                 if (hash) {

  337.                     $element.on('click', function (e) {

  338.                         // store hash

  339.                         var hash = this.hash;

  340.                         if ($(hash).length <= 0) return;

  341.                         // prevent default anchor click behavior

  342.                         e.preventDefault();

  343.                         // animate

  344.                         $('body, html').stop(true, true).animate({

  345.                             scrollTop: $(hash).offset().top

  346.                         }, 100, "linear", function () {

  347.                             // when done, add hash to url

  348.                             // (default click behaviour)

  349.                             window.location.hash = hash;

  350.                         });

  351.                     });

  352.                 }

  353.             }

  354.         }

  355. 

  356.         smoothHashScroll();

  357.         var toc = $('.ui-toc');

  358.         var tocAffix = $('.ui-affix-toc');

  359.         var tocDropdown = $('.ui-toc-dropdown');

  360.         //toc

  361.         tocDropdown.click(function (e) {

  362.             e.stopPropagation();

  363.         });

  364. 

  365.         var enoughForAffixToc = true;

  366. 

  367.         function generateScrollspy() {

  368.             $(document.body).scrollspy({

  369.                 target: ''

  370.             });

  371.             $(document.body).scrollspy('refresh');

  372.             if (enoughForAffixToc) {

  373.                 toc.hide();

  374.                 tocAffix.show();

  375.             } else {

  376.                 tocAffix.hide();

  377.                 toc.show();

  378.             }

  379.             $(document.body).scroll();

  380.         }

  381. 

  382.         function windowResize() {

  383.             //toc right

  384.             var paddingRight = parseFloat(markdown.css('padding-right'));

  385.             var right = ($(window).width() - (markdown.offset().left + markdown.outerWidth() - paddingRight));

  386.             toc.css('right', right + 'px');

  387.             //affix toc left

  388.             var newbool;

  389.             var rightMargin = (markdown.parent().outerWidth() - markdown.outerWidth()) / 2;

  390.             //for ipad or wider device

  391.             if (rightMargin >= 133) {

  392.                 newbool = true;

  393.                 var affixLeftMargin = (tocAffix.outerWidth() - tocAffix.width()) / 2;

  394.                 var left = markdown.offset().left + markdown.outerWidth() - affixLeftMargin;

  395.                 tocAffix.css('left', left + 'px');

  396.             } else {

  397.                 newbool = false;

  398.             }

  399.             if (newbool != enoughForAffixToc) {

  400.                 enoughForAffixToc = newbool;

  401.                 generateScrollspy();

  402.             }

  403.         }

  404.         $(window).resize(function () {

  405.             windowResize();

  406.         });

  407.         $(document).ready(function () {

  408.             windowResize();

  409.             generateScrollspy();

  410.         });

  411. 

  412.         //remove hash

  413.         function removeHash() {

  414.             window.location.hash = '';

  415.         }

  416. 

  417.         var backtotop = $('.back-to-top');

  418.         var gotobottom = $('.go-to-bottom');

  419. 

  420.         backtotop.click(function (e) {

  421.             e.preventDefault();

  422.             e.stopPropagation();

  423.             if (scrollToTop)

  424.                 scrollToTop();

  425.             removeHash();

  426.         });

  427.         gotobottom.click(function (e) {

  428.             e.preventDefault();

  429.             e.stopPropagation();

  430.             if (scrollToBottom)

  431.                 scrollToBottom();

  432.             removeHash();

  433.         });

  434. 

  435.         var toggle = $('.expand-toggle');

  436.         var tocExpand = false;

  437. 

  438.         checkExpandToggle();

  439.         toggle.click(function (e) {

  440.             e.preventDefault();

  441.             e.stopPropagation();

  442.             tocExpand = !tocExpand;

  443.             checkExpandToggle();

  444.         })

  445. 

  446.         function checkExpandToggle () {

  447.             var toc = $('.ui-toc-dropdown .toc');

  448.             var toggle = $('.expand-toggle');

  449.             if (!tocExpand) {

  450.                 toc.removeClass('expand');

  451.                 toggle.text('Expand all');

  452.             } else {

  453.                 toc.addClass('expand');

  454.                 toggle.text('Collapse all');

  455.             }

  456.         }

  457. 

  458.         function scrollToTop() {

  459.             $('body, html').stop(true, true).animate({

  460.                 scrollTop: 0

  461.             }, 100, "linear");

  462.         }

  463. 

  464.         function scrollToBottom() {

  465.             $('body, html').stop(true, true).animate({

  466.                 scrollTop: $(document.body)[0].scrollHeight

  467.             }, 100, "linear");

  468.         }

  469.     </script>

  470. </body>

  471. 

  472. </html>