Auditing Operating Systems

This document provides a comprehensive guide for auditing operating systems through daily, weekly, and monthly procedures using automated scripts. It includes steps for preparing the audit environment, creating audit scripts, scheduling audits, and reviewing logs, along with recommendations for best practices. The manual emphasizes the importance of security, compliance, and operational integrity in maintaining operating systems.


AUDIT OPERATING SYSTEMS

DAILY, WEEKLY, MONTHLY

Asfaw Gedamu

Download this and similar documents from:
https://t.me/paragonacademy

July 15, 2023

Caution: Please use the commands with care; try them on test environments first.

1. Introduction
Auditing an operating system is essential for maintaining security, compliance, and
operational integrity. This manual provides a step-by-step guide to implementing daily,
weekly, and monthly OS audit procedures using automated scripts and best practices.

2. Preparing the Audit Environment

Step 2.1: Create a Dedicated Audit User
sudo adduser audituser
sudo usermod -aG sudo audituser

Step 2.2: Create Audit Scripts Directory

# /opt is root-owned, so these need root like the commands in Step 2.1
sudo mkdir /opt/os_audit
sudo chmod 700 /opt/os_audit
sudo chown audituser:audituser /opt/os_audit

Step 2.3: Set Up Log Storage

sudo mkdir /var/log/os_audit
sudo chmod 700 /var/log/os_audit
sudo chown audituser:audituser /var/log/os_audit

3. Daily Audit Script

Script Path: /opt/os_audit/daily_audit.sh

#!/bin/bash

LOG_DIR="/var/log/os_audit"
DATE=$(date +"%Y-%m-%d")
LOG_FILE="$LOG_DIR/daily_audit_$DATE.log"
echo "Starting Daily OS Audit at $(date)" > "$LOG_FILE"

# 1. Failed Login Attempts (last 24 hours)
# Syslog pads single-digit days with a space ("Jul  5"), so the day tag is
# built with %e; %d ("Jul 05") would match nothing on the 1st to the 9th.
echo -e "\n[+] Failed Login Attempts (Today):" >> "$LOG_FILE"
grep "Failed password" /var/log/auth.log | grep "$(date +"%b %e")" >> "$LOG_FILE"

# 2. Active Processes (running now)
echo -e "\n[+] Running Processes:" >> "$LOG_FILE"
ps -ef --sort=start_time >> "$LOG_FILE"

# 3. Recently Modified Files (last 24 hours)
# Prune the pseudo-filesystems; their contents change constantly and would flood the log.
echo -e "\n[+] Files Modified in Last 24 Hours:" >> "$LOG_FILE"
find / \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o -type f -mtime -1 -ls 2>/dev/null >> "$LOG_FILE"

# 4. Current Logged-In Users
echo -e "\n[+] Currently Logged In Users:" >> "$LOG_FILE"
who >> "$LOG_FILE"

# 5. System Uptime & Load
echo -e "\n[+] System Uptime and Load:" >> "$LOG_FILE"
uptime >> "$LOG_FILE"

echo "Daily OS Audit completed at $(date)" >> "$LOG_FILE"
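As an added example (not part of the original manual), the daily failed-login step done more usefully: auth.log-style lines are filtered by one syslog day tag and aggregated per source address, which also shows why the tag must be built with %e rather than %d. The log lines, host name and addresses are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original manual: summarise "Failed password"
# events from auth.log-style lines for one day, grouped by source address.
# Syslog pads the day with a space ("Jul  5"), so the day tag uses %e; a tag
# built with %d ("Jul 05") silently matches nothing on days 1-9.
set -eu

# Constructed sample log; the first four lines carry today's day tag.
TODAY=$(date +"%b %e")
OLD=$(date -d '3 days ago' +"%b %e")
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<EOF
$TODAY 02:11:09 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
$TODAY 02:11:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
$TODAY 03:40:41 host sshd[1290]: Failed password for root from 198.51.100.9 port 40211 ssh2
$TODAY 03:41:00 host sshd[1290]: Accepted publickey for deploy from 192.0.2.10 port 40212 ssh2
$OLD 23:59:58 host sshd[990]: Failed password for root from 203.0.113.7 port 50001 ssh2
EOF

# failed_logins_by_source LOGFILE DAYTAG
# Prints "<count> <source-address>" lines, busiest source first.
failed_logins_by_source() {
    local logfile=$1 daytag=$2
    grep -F "$daytag" "$logfile" \
        | grep -F "Failed password" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# total_failed_logins LOGFILE DAYTAG
# Prints the number of failed attempts on that day (0 when there are none).
total_failed_logins() {
    failed_logins_by_source "$1" "$2" | awk '{ s += $1 } END { print s + 0 }'
}

failed_logins_by_source "$SAMPLE_LOG" "$TODAY"
total_failed_logins "$SAMPLE_LOG" "$TODAY"
```

Pointing the functions at /var/log/auth.log and appending their output to $LOG_FILE gives the daily script a per-source count instead of raw lines.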

Permissions & Scheduling

chmod +x /opt/os_audit/daily_audit.sh
sudo chown audituser:audituser /opt/os_audit/daily_audit.sh

Add to cron:

sudo crontab -u audituser -e

# Run daily audit at 2 AM
# Note: /var/log/auth.log is readable only by root and the adm group, so either
# add audituser to adm (sudo usermod -aG adm audituser) or schedule the job from root's crontab.
0 2 * * * /opt/os_audit/daily_audit.sh

4. Weekly Audit Script

Script: /opt/os_audit/weekly_audit.sh

#!/bin/bash

LOG_DIR="/var/log/os_audit"
DATE=$(date +"%Y-%m-%d")
LOG_FILE="$LOG_DIR/weekly_audit_$DATE.log"

echo "Starting Weekly OS Audit at $(date)" > "$LOG_FILE"

# 1. Failed Login Attempts (last 7 days)
# --since covers the whole week; matching a single "%b %d" day tag would only
# return the events from exactly seven days ago. The unit is ssh.service on Debian/Ubuntu.
echo -e "\n[+] Failed Login Attempts (Last 7 Days):" >> "$LOG_FILE"
journalctl _SYSTEMD_UNIT=sshd.service --since "7 days ago" | grep "Failed password" >> "$LOG_FILE"

# 2. Top 10 Most Active Users (by login count)
# lastlog prints one line per account (its most recent login), so it cannot be
# counted; last lists every session recorded in wtmp.
echo -e "\n[+] Top 10 Users by Login Count:" >> "$LOG_FILE"
last -s -7days | awk 'NF && $1 != "reboot" && $1 != "wtmp" {print $1}' | sort | uniq -c | sort -nr | head -10 >> "$LOG_FILE"

# 3. Services Started in the Last Week
echo -e "\n[+] Services Started in Last 7 Days:" >> "$LOG_FILE"
journalctl --since "7 days ago" | grep "Started" | grep -i service >> "$LOG_FILE"

# 4. Disk Usage Summary
echo -e "\n[+] Disk Usage Summary:" >> "$LOG_FILE"
df -h >> "$LOG_FILE"

# 5. Root Activity Check
# Whole week from the journal (sshd, sudo and su entries) instead of one day tag from auth.log.
echo -e "\n[+] Root Login Activity (Last 7 Days):" >> "$LOG_FILE"
journalctl --since "7 days ago" -t sshd -t sudo -t su | grep -w "root" >> "$LOG_FILE"

echo "Weekly OS Audit completed at $(date)" >> "$LOG_FILE"

Scheduling:

# Run weekly audit every Sunday at 2 AM
0 2 * * 0 /opt/os_audit/weekly_audit.sh

5. Monthly Audit Script

Script: /opt/os_audit/monthly_audit.sh

#!/bin/bash

LOG_DIR="/var/log/os_audit"
DATE=$(date +"%Y-%m-%d")
LOG_FILE="$LOG_DIR/monthly_audit_$DATE.log"

echo "Starting Monthly OS Audit at $(date)" > "$LOG_FILE"

# 1. Failed Login Attempts (last 30 days)
echo -e "\n[+] Failed Login Attempts (Last 30 Days):" >> "$LOG_FILE"
journalctl --since "30 days ago" | grep "Failed password" >> "$LOG_FILE"

# 2. List of Installed Packages
echo -e "\n[+] Installed Packages:" >> "$LOG_FILE"
dpkg --get-selections >> "$LOG_FILE"

# 3. Kernel Updates & Reboots
# apt logs kernel packages by name (linux-image-*), not by the word "kernel".
echo -e "\n[+] Recent Kernel Updates & Reboots:" >> "$LOG_FILE"
grep -i "linux-image" /var/log/apt/history.log >> "$LOG_FILE"
last reboot >> "$LOG_FILE"

# 4. Critical File Integrity Check (using sha256sum)
# Reading /etc/shadow requires root. The hashes only record the current state;
# keep a copy of this output as a baseline and compare against it each month.
echo -e "\n[+] SHA256 Hashes of Critical Files:" >> "$LOG_FILE"
sha256sum /etc/passwd /etc/shadow /etc/sudoers >> "$LOG_FILE"

# 5. Monthly Summary Report
echo -e "\n[+] Monthly System Summary:" >> "$LOG_FILE"
systemctl list-units --type=service --state=running >> "$LOG_FILE"

echo "Monthly OS Audit completed at $(date)" >> "$LOG_FILE"
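Added example, not from the original manual: the monthly hash listing turned into an actual integrity check by storing a baseline and verifying against it with sha256sum -c, which reports both modified and missing files. The files hashed here are constructed stand-ins (so the example runs without root) for the /etc/passwd, /etc/shadow and /etc/sudoers the script records; the baseline path is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not from the original manual: compare current hashes of
# critical files with a stored baseline instead of only recording them.
set -eu

# Constructed stand-ins for the critical files, so this runs unprivileged.
WORK=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$WORK/passwd"
printf 'root ALL=(ALL:ALL) ALL\n' > "$WORK/sudoers"
BASELINE="$WORK/critical_files.sha256"   # assumed baseline location

# write_baseline BASELINE FILE...
# Records the current SHA-256 of each file; run once on a known-good system.
write_baseline() {
    local baseline=$1; shift
    sha256sum "$@" > "$baseline"
}

# check_baseline BASELINE
# Prints the path of every file whose hash no longer matches the baseline.
# sha256sum -c prints "<file>: FAILED" for changed files and
# "<file>: FAILED open or read" for missing ones; OK lines are suppressed.
check_baseline() {
    local baseline=$1
    sha256sum -c --quiet "$baseline" 2>&1 \
        | awk -F': ' '/FAILED/ { print $1 }' || true
}

write_baseline "$BASELINE" "$WORK/passwd" "$WORK/sudoers"

# Simulate an unauthorised change: an extra sudoers entry appears.
printf 'eve ALL=(ALL) NOPASSWD: ALL\n' >> "$WORK/sudoers"

# Lists $WORK/sudoers; in the monthly script this output would go to $LOG_FILE
# and a non-empty result is what should raise an alert.
check_baseline "$BASELINE"
```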

Scheduling:

# Run monthly audit on the 1st day of every month at 2 AM
0 2 1 * * /opt/os_audit/monthly_audit.sh

6. Reviewing and Analyzing Audit Logs

Step 6.1: Log Retention Policy

Ensure old logs are archived or rotated:

sudo cp /etc/logrotate.conf /etc/logrotate.conf.bak
sudo nano /etc/logrotate.conf

Add:

/var/log/os_audit/*.log {
    monthly
    rotate 12
    compress
    missingok
    notifempty
}

Step 6.2: Use Tools for Analysis

• Logwatch: Install and configure for daily summary emails.

sudo apt install logwatch
sudo logwatch --detail High --mailto admin@example.com

• Auditd: Install and configure real-time file integrity monitoring.

sudo apt install auditd
# -p war = log writes, attribute changes and reads of the file; rules added with
# auditctl are lost on reboot, so also place the rule in a file under /etc/audit/rules.d/
sudo auditctl -w /etc/passwd -p war -k passwd_changes
Step 6.3: Alerting and Notifications

• Configure email alerts using mail or integrate with SIEM tools (e.g., ELK Stack, Splunk).
• Use tools like fail2ban to block suspicious IPs automatically.

Step 6.4: Output Management

Redirect logs to:

• /opt/os_audit/logs/
• Optionally compress and archive monthly logs:

tar -czf /opt/os_audit/archive/monthly_$(date +%B).tar.gz /opt/os_audit/logs/*$(date +%Y-%m)*

7. Recommendations and Best Practices

1. Use Centralized Logging
   o Forward logs to a centralized log server using rsyslog or syslog-ng.

2. Implement Role-Based Access Control (RBAC)
   o Restrict access to audit logs and scripts based on roles.

3. Regularly Update Baselines
   o Keep track of baseline metrics (normal processes, users, etc.) for anomaly detection.

4. Include Compliance Checks
   o Use tools like Lynis, OpenSCAP, or CIS-CAT for compliance audits.

5. Document Findings
   o Maintain a formal record of audit findings, remediation actions, and sign-offs.

8. Conclusion

This manual expands on basic OS auditing concepts, offering a comprehensive, structured,
and secure approach to automating and analyzing Linux system audits. It includes
automation, logging, analysis, and integration with enterprise-level practices, ensuring
better visibility, accountability, and compliance with industry standards.
