User Logon

Enabled by default

Service: syslog

Log type: auth.log

A users log in will likely be the first sign of an attack and can indicate suspicious behavior. It can also give an analyst a starting time to create a timeline of events. This log is required in the HIPAA and PCI DSS regulations.

View Logs

grep "session opened" /var/log/auth.log

Check Logging Status

Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!

Disable Logging

Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!

Enable Logging

Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!

Language: bash

Back to Linux Ubuntu

Compliance

HIPAA

Level: Recommended

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf?language=es

PCI DSS

Level: Required

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1631643252599

NSA Event Forwarding

Level: Recommended

https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events

JPCERT/CC

Level:

https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf

Linux logs call a user login event session opened. There may be logs from a “user” called GDM; this is just the graphical login screen and will show up if a user switched accounts graphically. In order to view this event from the Logs application, select the Security tab and search for opened.

To view this log through the command line, launch the terminal and enter the command grep "session opened" /var/log/auth.log.