Logsentinel PAM Demo: Privileged Access Management and Event Logging
LogSentinel #PAM Protects From Log Tampering
There is a significant risk that a privileged Linux user tampers with company data and tries to avoid detection by clearing logs.
Such log tampering can threaten a company's business continuity.
That's why we developed LogSentinel PAM, which can be implemented in just a few steps.
Here's how it works:
🔹 First, log in to your LogSentinel account and open your dashboard
🔹 Then log in to the #Database server
🔹 The PAM module is installed on the database server. It does not allow a login unless an outgoing connection can be established and the server certificate matches one of a preconfigured list of servers (i.e. it protects against the connection being blocked and against MITM attacks)
🔹 It sends information to LogSentinel about who has accessed the system and immediately notifies external sources (Ethereum, email, a qualified timestamp provider)
🔹 We check the /var/log/secure log, where it is clear that the module was activated, the checks were successful and the information was sent to LogSentinel
🔹 We open the configuration to see where the module sends the information and which certificates it checks
🔹 We can see that we receive an email with the sent hash, which corresponds to the login one
🔹 Then we open a #hash generator and hash the "user action" string (in this case: bozho:SYSTEM_LOGIN)
The data needs to be hashed because the information may be sent to third parties (e.g. Ethereum), and it shouldn't be obvious what it is about.
🔹 Open the received email and compare its hash with the one produced by the generator.
If they match, this is the exact user who performed the action.
The same hash can be sent to Ethereum, where it can be checked in a public chain explorer.
The hashes in this demo differ in two characters; that is an effect of the Base64 encoding, not of the hashes themselves.
🔹 Let's open LogSentinel and make sure that the action was received and saved
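As an added example (not part of the demo and not LogSentinel's own code), the following Python script reproduces the verification step above: it hashes the user action string and compares the result with a Base64-encoded hash such as the one received by email or published on the chain. SHA-256 is an assumption, since the demo does not name the algorithm used; the comparison helper also accepts both the standard and the URL-safe Base64 alphabets, which is one source of the kind of small character differences noted above.

```python
import base64
import hashlib
import hmac

# Constructed demo input: the user action string shown in the demo.
USER_ACTION = "bozho:SYSTEM_LOGIN"


def action_hash(user_action: str) -> bytes:
    """Hash the user-action string.

    SHA-256 is an assumption; the demo does not state which hash
    function LogSentinel applies before sending the value onward.
    """
    return hashlib.sha256(user_action.encode("utf-8")).digest()


def encode_standard(digest: bytes) -> str:
    """Standard Base64 alphabet (uses '+' and '/')."""
    return base64.b64encode(digest).decode("ascii")


def encode_urlsafe(digest: bytes) -> str:
    """URL-safe Base64 alphabet (uses '-' and '_' instead)."""
    return base64.urlsafe_b64encode(digest).decode("ascii")


def decode_any_base64(text: str) -> bytes:
    """Decode a Base64 string regardless of which alphabet produced it.

    Map the URL-safe characters back to the standard ones and restore
    any padding that was stripped, so an emailed hash and a chain-stored
    hash decode to the same raw digest even if their text differs.
    """
    normalized = text.strip().replace("-", "+").replace("_", "/")
    normalized += "=" * (-len(normalized) % 4)
    return base64.b64decode(normalized)


def differing_positions(a: str, b: str) -> list:
    """Indexes at which two equal-length strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def verify_received_hash(received: str, user_action: str) -> bool:
    """Compare the hash received from an external source (email, chain)
    with the hash generated locally from the user action string.

    A match means the recorded action is exactly this user action;
    a mismatch or undecodable value means the record cannot be trusted.
    """
    expected = action_hash(user_action)
    try:
        received_digest = decode_any_base64(received)
    except ValueError:
        return False
    # Constant-time comparison; also False when the lengths differ.
    return hmac.compare_digest(received_digest, expected)


if __name__ == "__main__":
    digest = action_hash(USER_ACTION)
    std = encode_standard(digest)
    url = encode_urlsafe(digest)
    print("user action :", USER_ACTION)
    print("standard b64:", std)
    print("url-safe b64:", url)
    print("differ at   :", differing_positions(std, url))
    print("emailed hash matches generator:", verify_received_hash(std, USER_ACTION))
    print("tampered record matches       :",
          verify_received_hash(encode_standard(action_hash("mallory:SYSTEM_LOGIN")), USER_ACTION))
```

The two encodings of the same digest differ only at positions holding `+` or `/`, which is why hashes that look slightly different can still denote the same login record; decoding both to raw bytes before comparing removes that ambiguity.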
If an admin who has access to the servers where LogSentinel is installed tries to tamper with the data, the automated check will identify that some data has been manipulated. Using the login information sent to the external systems, whose reliability can be verified independently, you can identify who accessed the systems in the given period.
Read more about PAM protection: https://logsentinel.com/on-premise-audit-trail-pam/