AWS re/Start Lab · Security

Managing Log Files

Gain visibility into system authentication events and historical login data by parsing critical Linux security logs.

Lab Summary

Connected via PuTTY (as described in Lab 225). Navigated the filesystem to read mock authentication incidents located in a dummy secure log file utilizing the less pager. Executed lastlog to verify all user accounts and their most recent recorded session dates.

Event Auditing

Examined log outputs containing IP addresses, ports, and action states for failed authentication attempts.

User Tracking

Generated a report showing the exact time and origin of the most recent interactive login for every account.

Step-by-Step Walkthrough

Detailed record of each task performed during the lab.

01 · SSH Connection

  • Connected to the EC2 instance via PuTTY following the process described in Lab 225.

02 · Review Secure Log Files

  • Navigated to the companyA home folder using cd companyA.
  • Used a terminal pager to inspect a sample authentication log file: sudo less /tmp/log/secure.
  • Observed the list of failures which revealed IP addresses originating the requests, failed credentials, and port information.
  • Pressed q to exit the less interface.
  • Ran the historical login tracking command: sudo lastlog.
  • Analyzed the output, which lists every provisioned user, including root, bin, and daemon, and confirmed that most system accounts show "Never logged in", indicating that those accounts are properly isolated.

While this lab used a mock file at /tmp/log/secure for safety, production systems write their SSH/authentication journal to /var/log/secure (RHEL-based distributions) or /var/log/auth.log (Debian-based distributions).
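As an added illustration (not part of the lab), the following script turns the manual reading of the secure log described above into a repeatable check: it counts failed SSH password attempts per source IP, flags sources that exceed a threshold, and lists failures against accounts that actually exist. The log lines are constructed, the threshold of three failures is an arbitrary assumption for the demo, and the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the lab): summarize failed SSH logins from
# secure-log style lines. The sample lines below are constructed, not taken
# from the lab's /tmp/log/secure file.

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:15:01 ip-10-0-0-5 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:03 ip-10-0-0-5 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar  3 10:15:05 ip-10-0-0-5 sshd[2203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:16:10 ip-10-0-0-5 sshd[2210]: Accepted publickey for ec2-user from 198.51.100.20 port 40022 ssh2
Mar  3 10:17:42 ip-10-0-0-5 sshd[2215]: Failed password for ec2-user from 198.51.100.20 port 40031 ssh2
EOF
)

# Print "count ip" for every source IP with failed password attempts,
# most frequent first. Reads log text from stdin.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            count[ip]++
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Print source IPs whose failure count meets or exceeds the threshold ($1).
# The threshold value is a demo assumption; tune it to the environment.
flag_sources() {
    threshold="$1"
    failed_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Print "user ip port" for each failed attempt against an existing account
# (lines without "invalid user"); these deserve closer review than spray
# attempts against usernames that do not exist on the host.
failed_existing_users() {
    awk '/Failed password for/ && !/invalid user/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") ip   = $(i+1)
                if ($i == "port") port = $(i+1)
            }
            print user, ip, port
         }'
}

# Run the three checks over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | flag_sources 3
printf '%s\n' "$SAMPLE_LOG" | failed_existing_users
```

Against a real host the same functions would read `sudo cat /var/log/secure | failed_by_ip`; the flagged addresses are the candidates for the firewall rules mentioned in the conclusion, and the third report is what to cross-check against `lastlog` to see whether any of those accounts subsequently logged in.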

Command Reference

Commands utilized for log inspection.

less

A terminal pager program that displays text files one screen at a time.

  • q : Key binding used to quit the active paging session

lastlog

Formats and prints the contents of the last login database (/var/log/lastlog file).

Key Learnings

What Was Learned

  • Parsing lengthy log streams interactively with the less pager.
  • Identifying brute-force attempts and unauthorized access vectors by reading the source IP and port fields of failed-authentication entries in the secure log.
  • Confirming that non-interactive service accounts (such as daemon) remain in the "never logged in" state reported by lastlog, as expected for accounts that should never open a session.
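As an added illustration (not part of the lab), this script automates the lastlog check from the last learning: it parses lastlog-style output, lists every account that has a recorded login, and reports any account from an expected-never-login list that shows a session. Both lastlog samples are constructed (the second deliberately shows daemon with a login so the failure case is exercised), and the service-account list is an assumption for the demo.

```shell
#!/bin/sh
# Added example (not part of the lab): check lastlog-style output for
# system accounts that should never have an interactive login. The sample
# outputs below are constructed; the account list is a demo assumption.

SAMPLE_LASTLOG=$(cat <<'EOF'
Username         Port     From             Latest
root             pts/0    10.0.0.9         Tue Mar  3 09:12:44 +0000 2026
bin                                        **Never logged in**
daemon                                     **Never logged in**
ec2-user         pts/1    198.51.100.20    Tue Mar  3 10:16:10 +0000 2026
EOF
)

# Same layout, but daemon now shows a login (constructed failure case).
SAMPLE_LASTLOG_BAD=$(cat <<'EOF'
Username         Port     From             Latest
root             pts/0    10.0.0.9         Tue Mar  3 09:12:44 +0000 2026
bin                                        **Never logged in**
daemon           pts/2    203.0.113.7      Tue Mar  3 10:20:05 +0000 2026
ec2-user         pts/1    198.51.100.20    Tue Mar  3 10:16:10 +0000 2026
EOF
)

# Accounts expected to stay in the "Never logged in" state (assumed list).
SERVICE_ACCOUNTS="bin daemon"

# Print "user port from" for each account on stdin that has a recorded
# login; the header row and "Never logged in" rows are skipped.
accounts_with_logins() {
    awk 'NR > 1 && !/\*\*Never logged in\*\*/ { print $1, $2, $3 }'
}

# Print each service account (from $SERVICE_ACCOUNTS) that shows a login in
# the lastlog text on stdin. Empty output means the expected isolation holds.
service_accounts_logged_in() {
    logged=$(accounts_with_logins | awk '{ print $1 }')
    for acct in $SERVICE_ACCOUNTS; do
        for u in $logged; do
            if [ "$u" = "$acct" ]; then
                echo "$acct"
            fi
        done
    done
}

# Run both checks over the constructed samples.
printf '%s\n' "$SAMPLE_LASTLOG" | accounts_with_logins
printf '%s\n' "$SAMPLE_LASTLOG" | service_accounts_logged_in
printf '%s\n' "$SAMPLE_LASTLOG_BAD" | service_accounts_logged_in
```

On a live host the input would come from `sudo lastlog | service_accounts_logged_in`; any account it prints is a service account that has opened a session and should be investigated, since the lab's baseline expectation is that such accounts never log in.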

Technical Conclusion

Log monitoring is the bedrock of threat detection. By continuously auditing the secure log, attacks against exposed applications surface rapidly, allowing firewall rules (such as blocking hostile IP addresses) to be implemented.

Coupling real-time behavioral logs with static tracking mechanisms like lastlog ensures both active attacks and dormant compromised accounts are identified.