LogGUI

Graphical Representation of Linux’s Auth.log

LOG-GUI

ABSTRACT

The auth log in Linux systems tracks authorization attempts in the system. This includes what user and what mechanism. Some examples of this are ssh logins or sudo commands. This project creates visualization of the auth log. The intention is to make it easier to identify unusual activity occurring in the system. It includes visualizations for privileged command calls, successful and failed logins, and attempted password changes. It also includes a text window that includes flagged events such as failed login attempts, attempts to perform unauthorized commands, and authorized command usage outside of business hours.

Categories and Subject Descriptors

K.6.5 [Security and Protection]: - log analysis, visualization, monitoring

General Terms

Measurement, Performance, Security

Keywords

Authorization events, administration, monitoring, visualization

1.INTRODUCTION

Linux log files are valuable resources for system administrators monitoring system performance as they provide a detailed record of actions taken on the system, which users executed the actions, and what the result of the actions was. By analyzing the output, system administrators ensure that security is being maintained, the system is not compromised, and that the system is operating as intended.

2.BACKGROUND

The authorization log, or auth log for short, is the file where Linux based systems store records of authorization events in the system. It is plain text which means it is human readable. It stores successful and unsuccessful login attempts and authentication events, such as sudo command calls. It can be found at /var/log/auth.log for Debian systems and /var/log/secure for Redhat and CentOS [1]. During our initial research, we found some similar projects that others have created [2, 3, 4]. While we drew some inspiration from these projects, we developed a unique tool for analyzing the authorization log.

3.USER GUIDE

The code for this project can be found on GitHub at https://github.com/PolyDungeon/LogGui?tab=readme-ov-file. It is designed to be run on Linux-based systems. The README file contains information on how to build the program. The easiest way to build is to run make all within the project directory. There are two ways to run the program. The first way is to double click

the executable file within the file explorer. The second way is to run ./LogGui in the terminal within the project directory.

4.MOTIVATIONS AND OBJECTIVES

The auth log is difficult to fully read and understand by hand. Even though it is in plain text format, it can contain thousands of lines of events. Many of these lines can occur within the same minute. It can be difficult to monitor the authorization events of a system just by looking at the auth log. The goal of our project was to make a visualization of the auth log to increase the likelihood that suspicious activity is noticed. We decided to make several visualizations and text windows to summarize the auth log. These visualizations include authorization events and login attempts. The text windows include sudo command calls, users, groups, and flagged events.

5.METHODOLOGY

In order to ease the process of reading log files, and to ensure that administrators have easy access to the important information, we identified various types of log file entries to monitor. The metrics we chose are: Authorization events such as signing in as a different user, attempting to use sudo, or changing a users password, login events and whether they were successful, as well as implementing a system that detects if flags events based on criteria that makes the action appear suspicious, such as the action taking place outside of normal business operating hours. We feel that these metrics offer system administrators an easier alternative to finding logs that may interest them as opposed to manually combing through the log file searching for suspicious activity. Additionally, we provide several visuals to allow the user to more easily interpret the information presented. As the purpose of this project is to simplify log analysis, we wanted a simple design to reflect this. We divided each main metric into separate tabs, as shown in the mockup below (Figure 1)

Figure 1. Mockup of Home Page

6. WINDOWS

6.1 Sudo Commands

Maintaining a robust audit trail of system activity is essential for security purposes. LogGui fulfills this role by specifically focusing on sudo command executions. To do this we parse through the /var/log/auth.log. It serves as a centralized log, and records each instance of a user employing the sudo command. This includes details like the user who executed the command, the specific command itself, and the timestamp of the action. By analyzing the data, administrators can gain valuable insights into system activity, identify potential security risks, and ensure authorized use of administrative privileges.

Figure 2. Sudo Commands Window.

6.2 Users

Effective user management is a cornerstone of system administration. DisplayUsernames acts as a user account directory, presenting a comprehensive list of all user accounts established on the system. Depending on the specific system configuration, it might even provide additional user information, such as full names, unique user identifiers (UIDs), or group memberships. This readily available user overview is invaluable for various administrative tasks, including user creation, permission management, and troubleshooting access control issues.

Figure 3. All Users Window.

6.3 Groups

Managing user groups is a fundamental aspect of system administration, as it allows for efficient assignment of permissions and access controls. The getUsersInGroup function plays a crucial role in this process. It serves as a tool to retrieve a list of all users that belong to a specific group on the system. By providing the group name as input, getUsersInGroup searches the /etc/group file and returns a list of usernames associated with the adm, root, or sudo groups. This is essential for verifying group membership, troubleshooting access issues, and ensuring proper security measures are in place for group-based permissions.

Figure 4. Root Users window.

6.4 Authorization Events

While interacting with a linux system, there are many occasions where the system will prompt the user to enter a password to proceed with the action the user is attempting. Regardless of the success of the action, the user, the action, and the result are stored in a log file with a timestamp detailing when the action took place. Using these logs, a system administrator can determine whether someone was attempting to use commands they are not meant to, however the process of reading the log file can be tedious to perform by hand. The authorization events window eases the burden placed on the administrator by filtering the log file and printing the entries that correspond to commands that might interest the administrator, such as sudo, su, and passwd, and produces a histogram showing when the authorization events are taking place , shown in Figure 5.

Figure 5. Auth Events Window

6.5 Flagged Events

The auth log consists of lines and lines of plain text events. This can be difficult for a system administrator to quickly analyze. Suspicious activity can easily go unnoticed. It is important for unusual behaviors to be identified as quickly as possible for the safety and security of the system. The flagged events window allows for system administrators to have a condensed view of specific behaviors in the system. At this time, the flags are generated for authentication failures, attempts at unauthorized commands, and executed privileged commands outside of business hours. The program scans through all of the lines of the auth log to generate these flags. It searches for key items within the line to identify the event. Items can include timestamps, words, or phrases. The types of flags and display settings can be found within the flag_window.cpp file. Figure 6 is an example of what the flag window looks like when scanning for the default events. The window may contain more or less lines depending on the number of flagged events in the auth log.

Figure 6. Flag window with notices.

6.6 SSH Login Attempts

In the next tab of the interface is the logins window. This window provides information about login attempts into the system via SSH. It displays the total number of logins, the number of successful logins, and the number of failed logins, as well as a

visual representation through graphical bars of the proportion of successful logins versus failed logins. At the bottom of the window, it also displays a list of all users on the system that have three or more failed login attempts. This window works by reading each line of the auth.log while looking for keywords that indicate a successful or a failed SSH login attempt. Once a successful login attempt is found, the necessary variables and data structures are updated. The purpose of this window is to help system administrators assess the integrity of their system and gather important usage data. By viewing successful logins, system administrators can see how many users have received access to the system, which is important knowledge to determine how many users your system must be able to handle. While the successful login metric is more useful for determining capacity and usage data, the failed login metric is probably more useful from a security standpoint. Repeated failed login attempts or a high proportion of failed logins could indicate that a bad actor is trying to gain access to your system. With the failed login count, a system administrator can monitor failed logins and look into any suspicious behavior when the count suddenly gets much higher. Additionally, the list of users who have failed to log in three or more times can notify the system administrator of what user someone is attempting to break into. The system admin could use this list of users to lock certain accounts so that they cannot SSH into the system. Or, in the case of an innocent user who cannot figure out their password, the system admin could reach out to that user to help them figure out or reset their password.

Figure 7. Login window.

7.CONCLUSION

Overall, we think that this tool could be extremely useful for system administrators. Reading and analyzing logs thoroughly can take hours on end and can be extremely tedious. Looking through the auth.log with only human eyes can lead to errors as well. Even a skilled and experienced system administrator can miss important security threats. Therefore, having an automated way of looking at the auth.log is an absolute necessity to maintain the security of a system. We believe that this tool effectively automates reading the auth.log for security threats and aggregates that data int

meaningful visualizations. This program can make analyzing logs exponentially faster, easier, and more reliable. However, this tool is not without its flaws. Due to time constraints, we had to determine the most important features that we wanted to include. This tool is not yet a completely comprehensive analysis of the authorization log, but we would like to see it accomplish this in the future through the additional features described in the next section.

8. FUTURE WORK

In the future, there are many improvements we would like to see completed. One of the first ones is to turn our program into a terminal command. This would simplify the usability of the program. Additionally, we would like to update the user interface to make it easier to read and understand. Next, we would like to add a graphical way to update what types of events are flagged. At the current time, the only way to update this is by modifying the source code. We would also like to add functionality that allows the user to add further specifications of what data they want to see, like adding input boxes for the user to enter the timeframe for which they want data. Lastly, we would like to make the system dynamic. Currently it pulls the auth log from when the program is executed. It will not reflect any changes made to the auth log afterwards.

REFERENCES

[1] Plesky, E. Linux Logs Explained.

https://www.plesk.com/blog/featured/linux-logs-explained/. Nov 2018.

[2] Peteng Dedet. 2019. Ubuntu-Authlog-Visualization. https://github.com/PetengDedet/Ubuntu-Authlog-Visualization. Mar 2024.

[3] Jörg Steinkamp. 2018. visualize-ssh-failed-logins. https://github.com/joergsteinkamp/visualize-ssh-failed-logins. Mar 2024.

[4] Linus Düsel. 2022. slogviz. https://github.com/mariusfrinken/slogviz. Mar 2024.

[5] Ocornut. 2014. OCORNUT/IMGUI: DEAR IMGUI: Bloat-free graphical user interface for C++ with minimal dependencies. (August 2014). Retrieved April 10, 2024 from https://github.com/ocornut/imgui

Page updated

Google Sites

Report abuse