Ad Widget


information Security Management

  • Filter
  • Time
  • Show
Clear All
new posts

    information Security Management

    Hello, I'm assisting an organisation improved their information security management systems. They use Zabbix extensively for monitoring and I'm wondering if it can report system administrator user logins by server showing last login time, and what privileges the account has (superuser etc)?

    This is part of improving access controls by understanding who has access, and limiting elevated privileges by regularly checking accounts and having an asset owner approve access.

    Any help greatly received?


    We do something like this, however we log to Splunk not Zabbix. But this might help you get started:

    First start logging all user shell commands locally via syslog.
    Edit the /etc/profile
    # Set history file formats and realtime recording
    readonly export HISTTIMEFORMAT='%F %T '
    readonly export HISTCONTROL=ignoredups:erasedups
    shopt -s histappend* * * # append to history, don't overwrite it
    # Now send commands to syslog
    readonly export PROMPT_COMMAND='trap "" 1 2 15; history -a >(tee -a ~/.bash_history | while read line; do if [[ $line =~ ^#[0-9]*$ ]]; then continue; fi; logger -p local6.debug -t ":bash[$$]"* "($SUDO_USER)$USER): $line"; done); trap 1 2 15;'

    Edit /etc/rsyslog.conf`
    # Command History logging
    local6.** * /var/log/commands.log

    Configure the zabbix agent for Active Checks

    Configure the Zabbix item:
    Type: Zabbix agent(active)
    Key: log[/var/log/commands.log,,,,,,]
    Type of information: Text

    Your Zabbix history should look like this:
    Timestamp Value
    2017-04-07 08:48:03 Apr 11 11:10:23 zabbix-client1 :bash[2540]: ()tom): service sshd restart
    2017-04-07 08:47:48 Apr 11 11:10:11 zabbix-client1 :bash[2540]: ()tom): whoami
    2017-04-07 08:47:48 Apr 11 11:10:08 zabbix-client1 :bash[2540]: ()tom): sudo -i
    2017-04-07 08:47:18 Apr 11 11:09:34 zabbix-client1 :bash[2639]: (tom)root): cd ..
    2017-04-07 08:47:18 Apr 11 11:09:31 zabbix-client1 :bash[2639]: (tom)root): tail -f zabbix_agentd.log
    2017-04-07 08:46:03 Apr 11 11:08:30 zabbix-client1 :bash[2639]: (tom)root): service zabbix-agent restart
    Last edited by tball; 11-04-2017, 17:46. Reason: add screen shot



    No announcement yet.