Linux AAA

Authentication

What it means:
Authentication verifies who the user is.

How it works in Linux:

  • When you log in, Linux checks your credentials (usually username + password) against /etc/passwd and /etc/shadow.

  • /etc/passwd stores user information (username, UID, GID, shell, home directory).

  • /etc/shadow stores hashed passwords and password expiration info, readable only by root.

Common authentication methods:

  • Local authentication: Using /etc/passwd and /etc/shadow.

  • Remote authentication: Using services like:

    • LDAP (Lightweight Directory Access Protocol) – centralized user management.

    • Kerberos – provides secure, ticket-based authentication.

    • RADIUS – used in network access (VPNs, Wi-Fi, etc.).

  • PAM (Pluggable Authentication Modules) – the modular framework Linux uses to plug in any of the above authentication methods, local or remote; it is not itself a remote service.

Example PAM file location:
/etc/pam.d/
Each service (like SSH, sudo, login) has its own PAM configuration file.

Authorization

What it means:
Authorization determines what an authenticated user is allowed to do.

How it works in Linux:

  • Linux controls access to files and system resources through permissions, ownership, and access control mechanisms.

Core methods:

  • File Permissions (rwx):
    Each file and directory has:

    • Owner permissions

    • Group permissions

    • Others permissions

    Example:
    -rw-r--r-- 1 ozz961 users 1234 Oct 29 file.txt
    (owner ozz961 may read and write, group users may only read, everyone else may only read)

  • Sudo / Polkit (PolicyKit):

    • sudo lets specific users execute commands as root.

    • Controlled by /etc/sudoers.

    • Example rule:

      ozz961 ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2

      → Lets ozz961 run only that one systemctl command as root, without being prompted for a password.

    • Polkit provides fine-grained access control for desktop and system-wide services (D-Bus based).

  • SELinux / AppArmor:

    • SELinux (Security-Enhanced Linux) enforces mandatory access control (MAC).

    • Defines what processes can do, even if they run as root.

    • AppArmor works similarly, using profile-based restrictions.


Accounting

What it means:
Accounting tracks what users do — actions, commands, system access, and resource usage.

How it works in Linux:

  • Shell History: Basic command tracking (~/.bash_history). The file is owned and writable by the user, so it can be edited or cleared and is not reliable audit evidence.

  • Process accounting: Tracks system resource usage (CPU time, memory, etc.) per process or user.

    • Tools: acct, sa, lastcomm

  • Auditd (Linux Auditing System):

    • Logs system calls and security-relevant actions that match the configured audit rules.

    • Configuration: /etc/audit/auditd.conf

    • Example rule:

      auditctl -w /etc/passwd -p wa -k passwd_changes

      → Watches for writes/attribute changes to /etc/passwd and tags the resulting log entries with the key passwd_changes. A rule added with auditctl lasts only until reboot; put it in a file under /etc/audit/rules.d/ to make it persistent.

  • Syslog / journald: System-wide logging of authentication attempts, command execution, service logs, etc.

    • Files like /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL family).


Demo


In this demo I am going to illustrate how, in practice, a Linux system applies AAA to its users.

The picture above shows authorization access control in action: we were not allowed to read the shadow file without sudo permissions.


We can also be denied access to a directory, and the listing shows that each directory's permissions are associated with a user.


When a malicious actor alters a directory's permissions, which permissions end up being set is the least of their concern. However, the implemented access control stopped us from changing the permissions of other users' files, even when that user had higher privileges than our current user.
All authentication and authorization events are logged in detail, and this is where we end our demo: with accounting. The /var/log directory is the standard logging directory of a Linux system.


The AAA logs can be seen in /var/log/auth.log. For each action processed on the host it records the time, the command, the permission decision, the working directory, the type of user, and so on.
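The auth.log review that the Accounting section and this demo describe, as an added shell example that is not from the original post: it parses a few constructed auth.log-style lines (host name, users and addresses are made up) to count failed SSH logins per source, list accepted logins, and extract every command run or refused through sudo.

```shell
#!/bin/sh
# Added example (not from the original post): summarise accounting evidence
# from an auth.log-style file. The log lines below are constructed samples.
AUTH_SAMPLE=$(mktemp)
trap 'rm -f "$AUTH_SAMPLE"' EXIT
cat >"$AUTH_SAMPLE" <<'EOF'
Oct 29 10:01:12 host sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Oct 29 10:01:15 host sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Oct 29 10:01:40 host sshd[2315]: Failed password for root from 192.0.2.9 port 3344 ssh2
Oct 29 10:02:01 host sshd[2320]: Accepted publickey for ozz961 from 198.51.100.7 port 40110 ssh2
Oct 29 10:03:44 host sudo:   ozz961 : TTY=pts/0 ; PWD=/home/ozz961 ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Oct 29 10:04:02 host sudo:   ozz961 : TTY=pts/0 ; PWD=/home/ozz961 ; USER=root ; COMMAND=/usr/bin/systemctl restart apache2
Oct 29 10:05:10 host sudo:    guest : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/guest ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
EOF

# Authentication failures per source address, most frequent first ("count address").
failed_logins_by_ip() {
  grep 'Failed password' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Successful logins as "user address method" (method is password or publickey).
accepted_logins() {
  grep 'Accepted ' "$1" \
    | sed -E 's/.*Accepted ([a-z]+) for ([^ ]+) from ([^ ]+) .*/\2 \3 \1/'
}

# Every command run (or refused) through sudo, as "user COMMAND".
sudo_commands() {
  grep ' sudo: ' "$1" | sed -E 's/.* sudo: +([^ ]+) : .*COMMAND=(.*)$/\1 \2/'
}

# Number of sudo requests refused by /etc/sudoers; anything non-zero deserves a look.
sudo_denied_count() {
  grep -c 'NOT in sudoers' "$1" || true
}

printf 'Failed logins by source:\n';  failed_logins_by_ip "$AUTH_SAMPLE"
printf 'Accepted logins:\n';          accepted_logins "$AUTH_SAMPLE"
printf 'Commands via sudo:\n';        sudo_commands "$AUTH_SAMPLE"
printf 'Denied sudo attempts: %s\n' "$(sudo_denied_count "$AUTH_SAMPLE")"
```

Point the functions at a real /var/log/auth.log (as root) to get the same summary for a live host; the sudo lines also show which rule in /etc/sudoers permitted or refused each command.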
