Limit Logging from SSH Session
To avoid a login entry in /var/log/wtmp:
ssh root@10.10.10.10 bash -c /bin/sh
OR
ssh root@10.10.10.10 bash -i
OR
ssh root@10.10.10.10 /bin/sh <-- Best option
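All three forms work because a remote command passed to ssh gets no pty, and sshd only writes a utmp/wtmp record when a pty is allocated; the accepted authentication is still logged by sshd itself. From the defender's side that mismatch is the detection: an "Accepted" line in auth.log with no matching session in wtmp. The following is an added example, not from the original page. The auth.log lines and the `last -F` output it parses are constructed samples, and `year` is assumed because auth.log timestamps carry no year.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not real logs): two accepted sshd logins and the
# wtmp sessions that `last -F` would print for the same period.
AUTH_LOG = """\
Mar  3 10:14:02 host sshd[2210]: Accepted publickey for alice from 192.0.2.10 port 50112 ssh2: RSA SHA256:EXAMPLE
Mar  3 10:20:45 host sshd[2301]: Accepted password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:21:01 host sshd[2301]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

LAST_OUTPUT = """\
alice    pts/0        192.0.2.10       Mon Mar  3 10:14:03 2025 - Mon Mar  3 10:30:11 2025  (00:16)
reboot   system boot  6.1.0-generic    Mon Mar  3 08:00:00 2025   still running

wtmp begins Mon Mar  3 08:00:00 2025
"""

# sshd "Accepted <method> for <user> from <host> port <n>" lines.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<host>\S+) port"
)
# `last -F` session lines: user, tty, host, then a full start timestamp.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})"
)


def parse_accepted(auth_log, year):
    """Return (user, host, datetime) for every accepted sshd authentication."""
    out = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((m["user"], m["host"], ts))
    return out


def parse_last(last_output):
    """Return (user, host, start datetime) for every session `last -F` printed."""
    out = []
    for line in last_output.splitlines():
        m = LAST_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            out.append((m["user"], m["host"], ts))
    return out


def unaccounted_logins(auth_log, last_output, year, window=timedelta(seconds=60)):
    """Accepted logins with no wtmp session for the same user and host
    starting within `window` of the authentication time."""
    sessions = parse_last(last_output)
    flagged = []
    for user, host, ts in parse_accepted(auth_log, year):
        matched = any(u == user and h == host and abs(t - ts) <= window
                      for u, h, t in sessions)
        if not matched:
            flagged.append((user, host, ts))
    return flagged


if __name__ == "__main__":
    for user, host, ts in unaccounted_logins(AUTH_LOG, LAST_OUTPUT, 2025):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user} from {host}: accepted by sshd, no wtmp session")
```

With the sample data the alice login matches its wtmp session (one second apart) and the root login is reported, because nothing in wtmp accounts for it. On a real host the same comparison can be run against the output of `last -F` and the rotated auth.log files for the period in question.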
Finding Writable Directories for your Current User
find / -type d -perm -0222 2>/dev/null
Good hiding spots are tmpfs file systems. Run the mount command to view the tmpfs filesystems that are mounted.
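The same property the find command looks for is what a hardening audit looks for: directories writable by everyone, and in particular those without the sticky bit, where any user can also delete or rename files that others created. The following is an added example, not from the original page. It walks a tree with Python instead of find, reports world-writable directories together with their sticky-bit state, and audits a constructed temporary directory tree so it runs anywhere.

```python
import os
import shutil
import stat
import tempfile


def world_writable_dirs(root):
    """Return (path, has_sticky_bit) for every directory under root that is
    writable by 'other' (mode bit o+w), the same class find -perm -0222 reports
    when all three write bits are set."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished: skip, like 2>/dev/null
            if not stat.S_ISDIR(st.st_mode):
                continue  # symlink to a directory: the target is audited, not the link
            if st.st_mode & stat.S_IWOTH:
                hits.append((path, bool(st.st_mode & stat.S_ISVTX)))
    return hits


def unsafe_dirs(root):
    """World-writable directories without the sticky bit: anyone can remove or
    rename other users' files there, which is why /tmp is mode 1777."""
    return [path for path, sticky in world_writable_dirs(root) if not sticky]


def demo():
    """Audit a constructed tree: one 0777 directory, one 1777 (like /tmp), one 0755."""
    base = tempfile.mkdtemp()
    try:
        for name, mode in (("drop", 0o777), ("shared_tmp", 0o1777), ("private", 0o755)):
            path = os.path.join(base, name)
            os.mkdir(path)
            os.chmod(path, mode)  # chmod is not subject to the umask
        return {
            "world_writable": sorted((os.path.basename(p), s) for p, s in world_writable_dirs(base)),
            "unsafe": sorted(os.path.basename(p) for p in unsafe_dirs(base)),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
    # On a real system: for p in unsafe_dirs("/"): print(p)
```

Walking from `/` is slow and noisy on a large host; restricting the audit to the mounts that matter (including the tmpfs mounts the page mentions) and comparing the result against the package-manager baseline is the usual way to turn it into a scheduled check.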
Main log files can be identified by viewing
The majority of the log files are located in:
Kill the bash shell and prevent commands from being written to .bash_history
Don't save history for the shell session; run this as your first command when you get on a box
unset HISTFILE HISTFILESIZE HISTSIZE PROMPT_COMMAND
On some (older) distributions, adding a leading space before a command will prevent it from being written to history
This will only work if the environment variable HISTCONTROL is set to ignorespace
Accounting Entries in Unix
Currently logged in users
Distro Dependent
Successful login attempts
Unsuccessful login attempts
Some admins will turn this off, so that evidence of a password mistyped into the username field is not saved
File to show login name, port, and last login time for each user
These are binary files and need special tools to read or edit
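Because the accounting files are binary, an analyst who wants to check them without trusting `last` on a possibly tampered host needs a parser for the record format. The following is an added example, not from the original page. It decodes the glibc x86_64 `struct utmp` layout (384-byte records; other libcs and 32-bit platforms lay the structure out differently, so the format string is an assumption of this example), pairs USER_PROCESS records with their DEAD_PROCESS records the way `last` does, and flags timestamps that run backwards, which an append-only file should never show. The sample records are constructed in the block itself.

```python
import struct
from datetime import datetime, timezone

# struct utmp as glibc defines it on x86_64 (assumption for this example):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 shorts), ut_session, ut_tv (2 x int32), ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

BOOT_TIME, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 2, 6, 7, 8
TYPE_NAMES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
              5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
              8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Decode every complete record in the bytes of a wtmp, utmp or btmp file."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "type_name": TYPE_NAMES.get(f[0], str(f[0])),
            "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9],  # ut_tv.tv_sec
        })
    return records


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one constructed record; used only to produce sample input here."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def sessions(records):
    """Pair logins with logouts on the same line, like `last`. Returns
    (user, line, host, start, end) with end=None for sessions still open."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            out.append((s["user"], s["line"], s["host"], s["time"], r["time"]))
    for s in open_by_line.values():
        out.append((s["user"], s["line"], s["host"], s["time"], None))
    return out


def backward_jumps(records):
    """Indexes whose timestamp is earlier than the previous record's. wtmp is
    appended to in time order, so a backward jump means either a clock step or
    a file that was rewritten; either way it deserves a look."""
    return [i for i in range(1, len(records)) if records[i]["time"] < records[i - 1]["time"]]


# Constructed sample wtmp: a boot, two logins, one logout.
SAMPLE = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "6.1.0-generic", 1_700_000_000),
    make_record(USER_PROCESS, 2210, "pts/0", "alice", "192.0.2.10", 1_700_000_100),
    make_record(USER_PROCESS, 2301, "pts/1", "bob", "198.51.100.7", 1_700_000_200),
    make_record(DEAD_PROCESS, 2210, "pts/0", "", "", 1_700_000_700),
])


if __name__ == "__main__":
    def fmt(t):
        return datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S") if t else "still logged in"
    recs = parse_utmp(SAMPLE)  # on a real host: parse_utmp(open("/var/log/wtmp", "rb").read())
    for user, line, host, start, end in sessions(recs):
        print(f"{user:8} {line:8} {host:16} {fmt(start)} - {fmt(end)}")
    print("backward jumps at", backward_jumps(recs))
```

Reading the file directly with this parser also covers btmp, which uses the same record format; `lastb` is just `last` pointed at it.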
/var/log/auth.log
/var/log/syslog
/var/log/messages
/var/spool/mail/root
/var/log/secure
/var/log/cron
/var/log/httpd/access_log*
/var/log/httpd/error_log*
## Don't forget the journal ##
| Filename | Purpose |
|----------|---------|
| auth.log | System authentication and security events |
| boot.log | A record of boot-related events |
| dmesg | Kernel-ring buffer events related to device drivers |
| dpkg.log | Software package-management events |
| kern.log | Linux kernel events |
| syslog | A collection of all logs |
| wtmp | Tracks user sessions (accessed through the who and last commands) |
| Level | Description |
|-------|-------------|
| debug | Helpful for debugging |
| info | Informational |
| notice | Normal conditions |
| warn | Conditions requiring warnings |
| err | Error conditions |
| crit | Critical conditions |
| alert | Immediate action required |
| emerg | System unusable |