(Very
Basic Perl Parsing #1: /var/log/auth.log)
{ Searching for SUDO}
- Background
- The Authorization Log tracks usage of
authorization systems, the mechanisms for authorizing users which prompt for
user passwords, such as the Pluggable Authentication Module (PAM) system,
the sudo command, remote logins to sshd and so on. The Authorization Log
file may be accessed at /var/log/auth.log. This log is useful for learning
about user logins and usage of the sudo command.
- Login to your
TargetUbuntu01 VM, as username administrator
- For those of you that do not have access to
my class, the TargetUbuntu01 VM is a Linux Ubuntu Operating System.
Section 1: Creating
a very very basic Perl Script To Parse /var/log/auth.log |
- Command:
vi parse_authlog.pl
- Place the below contents in your parse_authlog.pl script (See Below)
- #!/usr/bin/perl
#Create Array, by filling it with grep'ing for sudo
#in the auth.log file
#----------------------------------------------------
@DATA = `grep sudo /var/log/auth.log`;
#Counter variable for current line number
#----------------------------------------------------
my $cnt = 0;
foreach my $line (@DATA)
{
chomp($line);
print "Line ($cnt): $line\n";
#Increment cnt variable
$cnt++;
print "-------------------------------------\n";
}
- Command:
chmod 700 parse_authlog.pl
- chmod gives read, write and execute
permissions to the perl script parse_authlog.pl
- Note:
If a script does not have at least read(4) and execute(1) permission,
then the script will not execute.
- Command:
./parse_authlog.pl -OR- perl parse_authlog.pl
- To execute a perl script you can do the
following
- ./parse_authlog.pl
- perl parse_authlog.pl
- Your contents should look like (See Below).
- Note:
Pay attention to the USER and which COMMAND was run.
- It should be
red flag that the
usernames for "sudo: administrator" and "USER=root" are not both
administrator.
- Do a screen print of Section 1, Step 5 into a
word document and submit to moodle.
|
 
|