Information Security Management


    Hello, I'm assisting an organisation to improve their information security management systems. They use Zabbix extensively for monitoring and I'm wondering if it can report system administrator user logins by server showing last login time, and what privileges the account has (superuser etc)?

    This is part of improving access controls by understanding who has access, and limiting elevated privileges by regularly checking accounts and having an asset owner approve access.

    Any help greatly received.

    Regards
    Paul

    #2
    We do something like this, however we log to Splunk not Zabbix. But this might help you get started:

    First start logging all user shell commands locally via syslog.
    Edit /etc/profile:
    # Set history file formats and realtime recording (readonly so users cannot override them)
    declare -rx HISTTIMEFORMAT='%F %T '
    declare -rx HISTCONTROL=ignoredups:erasedups
    shopt -s histappend   # append to history, don't overwrite it
    # Now send commands to syslog: append each new history line to ~/.bash_history and
    # to syslog (facility local6), skipping the "#<epoch>" timestamp lines HISTTIMEFORMAT adds
    readonly PROMPT_COMMAND='trap "" 1 2 15; history -a >(tee -a ~/.bash_history | while read line; do if [[ $line =~ ^#[0-9]*$ ]]; then continue; fi; logger -p local6.debug -t ":bash[$$]" "($SUDO_USER)$USER): $line"; done); trap 1 2 15;'


    Edit /etc/rsyslog.conf:
    # Command History logging
    local6.*    /var/log/commands.log



    Configure the Zabbix agent for active checks:
    ListenIP=192.168.yyy.yyy
    ServerActive=192.168.xxx.xxx
    RefreshActiveChecks=60
    MaxLinesPerSecond=20


    Configure the Zabbix item:
    Type: Zabbix agent(active)
    Key: log[/var/log/commands.log,,,,,,]
    Type of information: Text



    Your Zabbix history should look like this:
    Timestamp Value
    2017-04-07 08:48:03 Apr 11 11:10:23 zabbix-client1 :bash[2540]: ()tom): service sshd restart
    2017-04-07 08:47:48 Apr 11 11:10:11 zabbix-client1 :bash[2540]: ()tom): whoami
    2017-04-07 08:47:48 Apr 11 11:10:08 zabbix-client1 :bash[2540]: ()tom): sudo -i
    2017-04-07 08:47:18 Apr 11 11:09:34 zabbix-client1 :bash[2639]: (tom)root): cd ..
    2017-04-07 08:47:18 Apr 11 11:09:31 zabbix-client1 :bash[2639]: (tom)root): tail -f zabbix_agentd.log
    2017-04-07 08:46:03 Apr 11 11:08:30 zabbix-client1 :bash[2639]: (tom)root): service zabbix-agent restart
    Last edited by tball; 11-04-2017, 17:46. Reason: add screen shot
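    As an added example (not from the original post or from Zabbix), a small Python summariser that parses records in the commands.log format shown above into the per-server, per-account view the question asks for: last activity time, whether the account worked as root (either by logging in as root or via sudo), and how often it ran an escalation command. The sample records are constructed; the year argument is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample records in the format the /etc/profile logger call above emits:
# "<syslog ts> <host> :bash[<pid>]: (<SUDO_USER>)<USER>): <command>"
SAMPLE_LOG = """\
Apr 11 11:08:30 zabbix-client1 :bash[2639]: (tom)root): service zabbix-agent restart
Apr 11 11:09:31 zabbix-client1 :bash[2639]: (tom)root): tail -f zabbix_agentd.log
Apr 11 11:10:08 zabbix-client1 :bash[2540]: ()tom): sudo -i
Apr 11 11:10:11 zabbix-client1 :bash[2540]: ()tom): whoami
Apr 11 11:10:23 zabbix-client1 :bash[2540]: ()tom): service sshd restart
Apr 12 09:02:15 zabbix-client2 :bash[3101]: ()alice): ls -la
not a command-history record; summarize() skips it
"""
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r":bash\[(?P<pid>\d+)\]: \((?P<sudo_user>[^)]*)\)(?P<user>[^)]*)\): (?P<cmd>.*)$"
)
# Commands that begin a privilege escalation: "sudo -i", "sudo <cmd>", "su -", ...
ESCALATE_RE = re.compile(r"^\s*(sudo|su)(\s|$)")

def parse_line(line, year):
    """Parse one record into a dict; return None for lines not in the expected format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year, so the caller supplies one (assumed here; the
    # Zabbix item clock in the history view is the authoritative year-bearing time).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "sudo_user": m["sudo_user"],
            "user": m["user"], "cmd": m["cmd"]}

def summarize(log_text, year=2017):
    """Per (host, login account): last activity, command count, root usage, escalations."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None:
            continue
        person = rec["sudo_user"] or rec["user"]  # credit a root shell to the sudo caller
        e = report.setdefault((rec["host"], person), {"last_seen": None, "commands": 0,
                                                      "ran_as_root": False, "escalations": 0})
        e["commands"] += 1
        if e["last_seen"] is None or rec["ts"] > e["last_seen"]:
            e["last_seen"] = rec["ts"]
        e["ran_as_root"] = e["ran_as_root"] or rec["user"] == "root"
        if ESCALATE_RE.match(rec["cmd"]):
            e["escalations"] += 1
    return report
```

The dictionary returned by summarize() is what an asset owner would review: one row per server and real login account, with the last time that account was active there and whether it used elevated privileges.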
