ComputerSecurityStudent (CSS) [Login] [Join Now]




|UNIX >> SUDO >> Current Page |Views: 16309

(Very Basic Perl Parsing #1: /var/log/auth.log)

{ Searching for SUDO}


Background Information
  • Background
    • The Authorization Log tracks usage of authorization systems, the mechanisms for authorizing users which prompt for user passwords, such as the Pluggable Authentication Module (PAM) system, the sudo command, remote logins to sshd and so on. The Authorization Log file may be accessed at /var/log/auth.log. This log is useful for learning about user logins and usage of the sudo command.

     

Prerequisite
  1. Login to your TargetUbuntu01 VM, as username administrator
    • For those of you that do not have access to my class, the TargetUbuntu01 VM is a Linux Ubuntu Operating System.

     

Section 1: Creating a very very basic Perl Script To Parse /var/log/auth.log
  1. Command:  vi parse_authlog.pl

     

  2. Place the below contents in your parse_authlog.pl script (See Below)
    • #!/usr/bin/perl

      #Create Array, by filling it with grep'ing for sudo
      #in the auth.log file
      #----------------------------------------------------
      @DATA = `grep sudo /var/log/auth.log`;

      #Counter variable for current line number
      #----------------------------------------------------
      my $cnt = 0;

      foreach my $line (@DATA)
      {
           chomp($line);
           print "Line ($cnt): $line\n";

           #Increment cnt variable
           $cnt++;
           print "-------------------------------------\n";
      }

     

     

  3. Command: chmod 700 parse_authlog.pl
    • chmod gives read, write and execute permissions to the perl script parse_authlog.pl
    • Note: If a script does not have at least read(4) and execute(1) permission, then the script will not execute.

     

  4. Command: ./parse_authlog.pl -OR- perl parse_authlog.pl
    • To execute a perl script you can do the following
      1. ./parse_authlog.pl

         

      2. perl parse_authlog.pl

     

  5. Your contents should look like (See Below).
    • Note: Pay attention to the USER and which COMMAND was run.
    • It should be red flag that the usernames for "sudo: administrator" and "USER=root" are not both administrator.

 

Proof of Lab
  1. Do a screen print of Section 1, Step 5 into a word document and submit to moodle.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth