How to identify privilege escalation attempts in Linux logs

0 votes

I need to monitor Linux logs for signs of privilege escalation attempts but I’m unsure which logs to check and how to interpret them. Specifically, I want to know:

  • What log files (/var/log/auth.log, /var/log/secure, etc.) record sudo and su activities?
  • How to detect suspicious commands indicating privilege escalation (e.g., exploitation of SUID binaries, kernel exploits)?
  • How to set up real-time monitoring or alerts for such attempts using tools like auditd or OSSEC?

A guide on detecting and responding to privilege escalation attempts would be helpful.

Feb 25 in Cyber Security & Ethical Hacking by Anupam
• 12,620 points
27 views

0 votes

Monitoring Linux systems for privilege escalation attempts is crucial for maintaining security and preventing unauthorized access. Here's a comprehensive guide to help you identify and respond to such activities:

1. Key Log Files for Monitoring

  • /var/log/auth.log: Records authentication-related events, including sudo and su activities. Commonly found on Debian-based systems like Ubuntu.

  • /var/log/secure: Captures security-related messages, including authentication attempts and privilege escalations. Typically present on Red Hat-based systems like CentOS and Fedora.

2. Detecting Suspicious Commands

  • SUID Binaries Exploitation: Attackers may exploit misconfigured SUID (Set User ID) binaries to gain elevated privileges. Regularly scan for such binaries using:

    find / -perm -4000 -type f 2>/dev/null 

    Monitor execution of these binaries by setting up audit rules with auditd.

  • Kernel Exploits: Unusual activities, such as loading/unloading kernel modules, can indicate exploitation attempts. Monitor /var/log/kern.log and use auditd to track the use of system calls like init_module and delete_module.

3. Setting Up Real-Time Monitoring and Alerts

  • auditd (Linux Auditing System):

    • Installation:

      sudo apt install auditd audispd-plugins  # For Debian-based systems
      sudo yum install audit  # For Red Hat-based systems

    • Configuration: Define rules in /etc/audit/rules.d/audit.rules to monitor specific actions. For example, to log attempts to access the /etc/passwd file:

      -w /etc/passwd -p wa -k passwd_changes 

      This rule watches (-w) the /etc/passwd file for write and attribute changes (-p wa) and tags the events with the key passwd_changes.

    • Starting the Service:

      sudo systemctl start auditd
      sudo systemctl enable auditd

    • Viewing Logs:

      sudo ausearch -k passwd_changes
      
  • OSSEC (Open Source HIDS SECurity):

    • Installation: Follow the official OSSEC installation guide to set up the OSSEC manager and agents on your systems.

    • Configuration: Define rules to detect unauthorized privilege escalations. For instance, to monitor the execution of the pkexec command (associated with certain exploits):

      <group name="privilege_escalation">
        <rule id="100001" level="12">
          <if_sid>1002</if_sid>
          <regex>pkexec</regex>
          <description>Potential pkexec exploitation attempt detected.</description>
          <mitre>
            <id>T1068</id>
          </mitre>
        </rule>
      </group> 

      This rule triggers an alert when the pkexec command is executed, indicating a potential privilege escalation attempt.

    • Active Response: Configure OSSEC to execute predefined actions, such as blocking an IP address or disabling a user account, when specific alerts are triggered.

4. Best Practices for Detecting and Responding to Privilege Escalation Attempts

  • Regular Log Review: Consistently monitor and analyze logs from /var/log/auth.log, /var/log/secure, and audit logs to identify unusual activities.

  • Implement Principle of Least Privilege: Ensure users have only the permissions necessary for their roles, reducing the risk of unauthorized privilege escalation.

  • User Education: Train users on security best practices, emphasizing the importance of safeguarding their credentials and recognizing potential security threats.

  • Automated Alerts: Set up automated alerts for suspicious activities, such as multiple failed sudo attempts or changes to critical system files.

  • Regular Updates: Keep your system and security tools up to date to protect against known vulnerabilities and exploits.

By implementing these strategies and utilizing tools like auditd and OSSEC, you can effectively monitor for and respond to privilege escalation attempts on your Linux systems.

answered Feb 25 by CaLLmeDaDDY
• 22,940 points

edited Mar 6
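As an added example that is not part of the original answer, the script below applies the sudo/su/pkexec log review described above to a few constructed /var/log/auth.log lines (sample data, not real logs) and returns the users who accumulate several failed or high-risk escalation events. The regexes follow the standard Debian/Ubuntu sudo, su (pam_unix) and pkexec message formats; the severity labels and the alert threshold are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample /var/log/auth.log lines (Debian/Ubuntu syslog format), not real data.
SAMPLE_AUTH_LOG = """\
Feb 25 10:01:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Feb 25 10:02:10 host sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Feb 25 10:02:15 host sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Feb 25 10:03:00 host su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Feb 25 10:03:30 host su: (to root) bob on pts/1
Feb 25 10:04:20 host pkexec[2211]: bob: Executing command [USER=root] [TTY=pts/1] [CWD=/home/bob] [COMMAND=/bin/sh]
"""

# (kind, severity, pattern). Group 1 is always the user who initiated the action.
# Severity labels are an assumption of this example, not an OSSEC/auditd convention.
PATTERNS = [
    ("sudo_ok",          "info",   re.compile(r" sudo:\s+(\S+) : TTY=.*? ; USER=(\S+) ; COMMAND=(.*)$")),
    ("sudo_badpass",     "medium", re.compile(r" sudo:\s+(\S+) : (\d+) incorrect password attempts")),
    ("sudo_not_allowed", "high",   re.compile(r" sudo:\s+(\S+) : user NOT in sudoers")),
    ("su_failed",        "medium", re.compile(r" su: pam_unix\(su:auth\): authentication failure;.*logname=(\S+)")),
    ("su_to_root",       "high",   re.compile(r" su: \(to root\) (\S+) on ")),
    ("pkexec_exec",      "high",   re.compile(r" pkexec\[\d+\]: (\S+): Executing command \[USER=(\S+)\]")),
]


def scan_auth_log(text):
    """Return one finding dict per recognised sudo/su/pkexec line, in log order."""
    findings = []
    for line in text.splitlines():
        for kind, severity, pat in PATTERNS:
            m = pat.search(line)
            if m:
                findings.append({"kind": kind, "severity": severity,
                                 "user": m.group(1), "line": line})
                break  # first matching pattern wins; the rest are not tried
    return findings


def suspicious_users(findings, threshold=2):
    """Users with at least `threshold` medium/high findings: candidates for an alert."""
    counts = Counter(f["user"] for f in findings if f["severity"] != "info")
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, n in suspicious_users(scan_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"ALERT: {user} has {n} privilege-escalation related events")
```

Piping a live file through the same functions (for example reading /var/log/auth.log instead of SAMPLE_AUTH_LOG) gives the "multiple failed sudo attempts" alert the answer recommends, while successful sudo use by authorised users stays at informational level.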
