Security log

The /var/log/secure file records security-related events dealing with authorization or authentication. For example, whenever someone logs into the system, switches users with su, or runs a command with sudo, a log entry is generated and stored in /var/log/secure.

Other events include authentication attempts, SSH logins, SELinux denials, and other security-related events.

Here are examples of various activities that you might find in secure that are relevant for a forensic investigation.

  • User Creation: When a new user is added to the system, it's logged. The useradd command logs information about the new user, including the username, UID, GID, home directory, and shell.
Jul  7 00:55:34 rhel-richmondfc useradd[48265]: new group: name=keeley, GID=1002
Jul  7 00:55:34 rhel-richmondfc useradd[48265]: new user: name=keeley, UID=1001, GID=1002, home=/home/keeley, shell=/bin/bash, from=/dev/pts/0
  • Password Change: When a user's password is changed using the passwd command.
Jul  7 00:57:44 rhel-richmondfc passwd[48311]: pam_unix(passwd:chauthtok): password changed for keeley
  • User Deletion: When a user is deleted from the system, the userdel command logs the event.
Jul  7 00:58:09 rhel-richmondfc userdel[48328]: delete user 'keeley'
Jul  7 00:58:09 rhel-richmondfc userdel[48328]: removed group 'keeley' owned by 'keeley'
Jul  7 00:58:09 rhel-richmondfc userdel[48328]: removed shadow group 'keeley' owned by 'keeley'
  • sudo command usage: Any command executed through sudo is logged, including the invoking user, the TTY, the working directory (PWD), the target user (USER) and the command itself; the surrounding pam_unix lines mark the sudo session being opened and closed.
Jul  7 00:57:44 rhel-richmondfc sudo[48309]: pam_unix(sudo:session): session closed for user root
Jul  7 00:58:09 rhel-richmondfc sudo[48326]:  tlasso : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/sbin/userdel keeley
Jul  7 00:58:09 rhel-richmondfc sudo[48326]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Jul  7 00:58:09 rhel-richmondfc userdel[48328]: delete user 'keeley'
Jul  7 00:58:09 rhel-richmondfc userdel[48328]: removed group 'keeley' owned by 'keeley'
Jul  7 00:58:09 rhel-richmondfc userdel[48328]: removed shadow group 'keeley' owned by 'keeley'
Jul  7 00:58:09 rhel-richmondfc sudo[48326]: pam_unix(sudo:session): session closed for user root

In the above example a sudo session for root is opened by the user tlasso (uid=1000), the userdel command is issued through it, and the session is closed again.

A summary of the various daemons writing to the security log file can be created using the following pipeline, which takes the fifth whitespace-separated field (the daemon name with its PID in brackets), strips the bracketed PID with sed, then sorts and de-duplicates the names.

sudo cat secure* | awk '{print $5}' | sed 's/\[[^]]*\]//' | sort | uniq
[tlasso@rhel-richmondfc log]$ sudo cat secure* | awk '{print $5}' | sed 's/\[[^]]*\]//' | sort | uniq
atd:
gdm-launch-environment:
gdm-password:
passwd:
pkexec:
polkitd:
sshd:
sssctl:
su:
sudo:
systemd:
unix_chkpwd:
useradd:
userdel:
usermod:
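The same parsing can be done in a scriptable way. The following is an added example (not part of the original page) that splits syslog-format lines from /var/log/secure into their fields, maps the useradd, passwd, userdel and sudo entries shown above to structured events, and produces the per-daemon tally that the awk/sed/sort/uniq pipeline gives, with counts. The regular expressions and event names are assumptions for this example; the sample lines are the ones quoted above.

```python
"""Parse /var/log/secure lines into structured events for forensic triage (added example)."""
import re
from collections import Counter
from typing import Iterable, List, Optional

# Standard syslog prefix: "Mon DD HH:MM:SS host daemon[pid]: message".
# Single-digit days are padded with a second space ("Jul  7"), hence \s+.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<daemon>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# sudo's command record; note the leading space sudo writes before the user name.
SUDO_CMD_RE = re.compile(
    r"^\s*(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
USERADD_RE = re.compile(r"^new user: (?P<kv>.*)$")
USERDEL_RE = re.compile(r"^delete user '(?P<name>[^']+)'$")
PASSWD_RE = re.compile(r"password changed for (?P<name>\S+)$")


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog-format line into its fields, or return None if it does not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def classify(rec: dict) -> Optional[dict]:
    """Map a parsed record to an account-lifecycle or sudo event; None for everything else."""
    daemon, msg = rec["daemon"], rec["msg"]
    if daemon == "useradd":
        m = USERADD_RE.match(msg)
        if m:
            # "name=keeley, UID=1001, GID=1002, home=..., shell=..., from=..."
            fields = dict(kv.split("=", 1) for kv in m["kv"].split(", "))
            return {"event": "user_created", "user": fields["name"],
                    "uid": int(fields["UID"]), "gid": int(fields["GID"]),
                    "home": fields["home"], "shell": fields["shell"],
                    "from": fields.get("from")}
    elif daemon == "userdel":
        m = USERDEL_RE.match(msg)
        if m:
            return {"event": "user_deleted", "user": m["name"]}
    elif daemon == "passwd":
        m = PASSWD_RE.search(msg)
        if m:
            return {"event": "password_changed", "user": m["name"]}
    elif daemon == "sudo":
        m = SUDO_CMD_RE.match(msg)
        if m:  # the pam_unix session open/close lines fall through to None
            return {"event": "sudo_command", "user": m["user"], "runas": m["runas"],
                    "tty": m["tty"], "pwd": m["pwd"], "command": m["cmd"]}
    return None


def extract_events(lines: Iterable[str]) -> List[dict]:
    """Return the recognised events, in log order, each tagged with its timestamp and PID."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ev = classify(rec)
        if ev:
            ev["ts"], ev["pid"], ev["host"] = rec["ts"], rec["pid"], rec["host"]
            events.append(ev)
    return events


def daemon_summary(lines: Iterable[str]) -> Counter:
    """Count lines per daemon: the awk/sed/sort/uniq tally, with a count per daemon."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["daemon"]] += 1
    return counts


# Sample input taken from the log excerpts above (constructed test data, not a live log).
SAMPLE_LINES = """\
Jul  7 00:55:34 rhel-richmondfc useradd[48265]: new group: name=keeley, GID=1002
Jul  7 00:55:34 rhel-richmondfc useradd[48265]: new user: name=keeley, UID=1001, GID=1002, home=/home/keeley, shell=/bin/bash, from=/dev/pts/0
Jul  7 00:57:44 rhel-richmondfc passwd[48311]: pam_unix(passwd:chauthtok): password changed for keeley
Jul  7 00:58:09 rhel-richmondfc sudo[48326]:  tlasso : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/sbin/userdel keeley
Jul  7 00:58:09 rhel-richmondfc sudo[48326]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Jul  7 00:58:09 rhel-richmondfc userdel[48328]: delete user 'keeley'
Jul  7 00:58:09 rhel-richmondfc userdel[48328]: removed group 'keeley' owned by 'keeley'
Jul  7 00:58:09 rhel-richmondfc sudo[48326]: pam_unix(sudo:session): session closed for user root
""".splitlines()

if __name__ == "__main__":
    for ev in extract_events(SAMPLE_LINES):
        print(ev)
    for daemon, n in sorted(daemon_summary(SAMPLE_LINES).items()):
        print(f"{n:4d} {daemon}")
```

To run it against a real host, replace SAMPLE_LINES with the lines of /var/log/secure and its rotated copies (secure-*), read with root privileges; the parser ignores lines it cannot match rather than failing, so unknown daemons only show up in the daemon summary.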