auth.log / secure
Location
/var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS)
Description
Authentication log recording all PAM-based authentication events including SSH logins, sudo usage, su escalation, user creation (useradd), password changes, and public key acceptance.
Forensic Value
This is the primary artifact for detecting unauthorized access on Linux. Accepted publickey entries confirm SSH key-based access and log the key fingerprint, identifying which key was used. Repeated "Failed password" entries expose brute-force attacks with source IPs. Sudo command logs record the exact commands run with elevated privileges, creating an execution timeline for privileged actions even when .bash_history is cleared.
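The three detections described above (key-based access with its fingerprint, brute-force sources from repeated "Failed password" entries, and a sudo command timeline) as a worked Python example. This is an added illustration, not part of the original page or of any tool it lists; it assumes the traditional syslog line layout written by rsyslog (and, as a labelled assumption, an RFC 3339 timestamp variant for high-precision configs), and the log lines embedded in SAMPLE_LOG are constructed for the example, including the placeholder key fingerprint and the brute-force threshold of five failures.

```python
import re
from collections import Counter

# Constructed sample auth.log content (not real host data). It mixes a key-based
# login, a password-guessing burst from one source, sudo usage, and a user creation.
SAMPLE_LOG = """\
Mar  3 08:01:12 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT
Mar  3 08:01:12 web01 sshd[2201]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar  3 08:02:40 web01 sshd[2250]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Mar  3 08:02:43 web01 sshd[2252]: Failed password for invalid user admin from 198.51.100.23 port 40024 ssh2
Mar  3 08:02:46 web01 sshd[2254]: Failed password for root from 198.51.100.23 port 40026 ssh2
Mar  3 08:02:49 web01 sshd[2256]: Failed password for root from 198.51.100.23 port 40028 ssh2
Mar  3 08:02:52 web01 sshd[2258]: Failed password for root from 198.51.100.23 port 40030 ssh2
Mar  3 08:05:10 web01 sshd[2301]: Failed password for deploy from 10.0.0.9 port 50100 ssh2
Mar  3 08:07:33 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 08:08:01 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/useradd -m svc-backup
Mar  3 08:09:15 web01 useradd[2377]: new user: name=svc-backup, UID=1002, GID=1002, home=/home/svc-backup, shell=/bin/bash
Mar  3 08:10:02 web01 sshd[2401]: Accepted password for svc-backup from 198.51.100.23 port 40100 ssh2
"""

# Syslog header: timestamp (classic "Mar  3 08:01:12" or, assumed, RFC 3339), host,
# program with optional [pid], then the message.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\S+) "
    r"(?P<host>\S+) (?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd message patterns. The key type and fingerprint only appear for publickey logins.
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>\S+))?"
)
FAILED_RE = re.compile(
    r"^Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
# sudo message: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"^(?P<user>\S+) : (?:.*? ; )?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def parse_line(line):
    """Split one auth.log line into its syslog fields; None if it does not parse."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = rec["msg"].strip()  # sudo pads its message with leading spaces
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def accepted_logins(records):
    """Every successful SSH login with method, source IP and (for keys) the fingerprint."""
    out = []
    for r in records:
        if r["prog"] != "sshd":
            continue
        m = ACCEPTED_RE.match(r["msg"])
        if m:
            out.append({"ts": r["ts"], "user": m["user"], "ip": m["ip"],
                        "method": m["method"], "fingerprint": m["fp"]})
    return out


def failed_password_counts(records):
    """Count 'Failed password' events per source IP."""
    counts = Counter()
    for r in records:
        if r["prog"] == "sshd":
            m = FAILED_RE.match(r["msg"])
            if m:
                counts[m["ip"]] += 1
    return counts


def brute_force_sources(records, threshold=5):
    """Source IPs at or above the failure threshold (threshold is a chosen example value)."""
    return sorted(ip for ip, n in failed_password_counts(records).items() if n >= threshold)


def sudo_commands(records):
    """Timeline of commands run through sudo, independent of .bash_history."""
    out = []
    for r in records:
        if r["prog"] == "sudo":
            m = SUDO_RE.match(r["msg"])
            if m:
                out.append({"ts": r["ts"], "user": m["user"], "target": m["target"], "command": m["cmd"]})
    return out


def successes_from_brute_force_sources(records, threshold=5):
    """Accepted logins whose source IP also crossed the failed-password threshold."""
    suspect = set(brute_force_sources(records, threshold))
    return [a for a in accepted_logins(records) if a["ip"] in suspect]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in accepted_logins(recs):
        print("ACCEPTED", a)
    print("BRUTE-FORCE SOURCES", brute_force_sources(recs))
    for s in sudo_commands(recs):
        print("SUDO", s)
    print("SUCCESS AFTER BRUTE FORCE", successes_from_brute_force_sources(recs))
```

Run it against a collected copy with `parse_log(open("/forensics/output/auth.log").read())`; the functions return plain lists and a Counter so the results can be joined with other timeline sources. The last check is the one worth operationalising: an Accepted entry from an address that has just produced a burst of failures is a much stronger signal than either event alone.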
Tools Required
Collection Commands
cp
cp /var/log/auth.log /forensics/output/auth.log
journalctl
journalctl -u sshd --since "2024-01-01" --output json > /forensics/output/sshd_journal.json
grep
grep -E "Failed|Accepted|session opened|sudo" /var/log/auth.log > /forensics/output/auth_filtered.log
tar
tar czf /forensics/output/auth_logs.tar.gz /var/log/auth.log*
Collection Constraints
- Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.
MITRE ATT&CK Techniques
References
Used in Procedures
Related Blockers
Critical Logs Rotated/Overwritten Before Collection
Key log files (Security EVTX, web server access logs, syslog) have been rotated out or overwritten due to aggressive retention settings, high volume, or attacker manipulation. The evidence window for those sources is now closed.
SIEM Not Ingesting Relevant Log Sources
The SIEM does not ingest logs from the affected systems, applications, or network segments. Correlation, alerting, and historical search capabilities are unavailable for the evidence sources most relevant to this incident.
Legal Requesting Preservation Conflicts with Containment
Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.
Attacker Used Timestomping, Log Clearing, or Other Anti-Forensics
Evidence of deliberate anti-forensic activity has been found: timestamps modified, event logs cleared, prefetch/shimcache wiped, or tools designed to defeat forensic analysis were executed. Standard timeline analysis may be unreliable.
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.