Advanced Practical – Access Control, Logging & Security Monitoring

ADVANCED PRACTICAL LAB

Access Control Techniques, User Security & Real Log Analysis


1. EXTENDED LAB OBJECTIVES

After completing this extended version, students will also be able to:

  • Understand Linux account structures and login shells
  • Manage password policies
  • Use chmod, chown, chgrp in real scenarios
  • Perform RBAC + DAC in combined security situations
  • Interpret authentication logs line by line
  • Trace user activity using advanced tools (last, lastb, faillog)
  • Configure auditing for sensitive files
  • Write a professional security incident report

2. ADVANCED LAB REQUIREMENTS

  • Linux VM (Ubuntu 20+, Kali, Debian recommended)
  • Root or sudo permission
  • Internet for installing extra audit tools
  • Ability to switch between users

Important: All commands in this lab must be tested either in your local VM or any online terminal listed at the end of this document.

3. EXTENDED LAB SCENARIO

You are the Senior System Administrator at a college ICT department.

Your role now includes:

  • Creating users with proper security policies
  • Protecting sensitive folders for academic staff
  • Monitoring suspicious activity from students
  • Blocking unauthorized login attempts
  • Writing an official incident report for the head of ICT

4. ADVANCED LAB TASKS

TASK 1: ADVANCED USER ACCOUNT MANAGEMENT

Step 1: Create Users with password expiration policy

sudo adduser student1
sudo adduser student2
sudo adduser adminuser

# Force student passwords to expire every 30 days
sudo chage -M 30 student1
sudo chage -M 30 student2

Check password expiry details

sudo chage -l student1

Real Life Example: At a college, student accounts must expire periodically to avoid abandoned accounts being misused.

Step 2: Create roles as groups

sudo groupadd students
sudo groupadd admins
sudo groupadd ictteam     # Extra group for extended control

Step 3: Assign users to their security roles

sudo usermod -aG students student1
sudo usermod -aG students student2
sudo usermod -aG admins adminuser
sudo usermod -aG ictteam adminuser

Step 4: Verify user group membership

groups student1
id adminuser

RBAC Concept: Roles represent job functions, NOT individuals.

  • Student role = limited access
  • Admin role = full access
  • ICT role = extended administrative functions

TASK 2: FILE PERMISSION SECURITY (DAC)

Step 1: Create secure academic data folder

sudo mkdir /securedata
sudo mkdir /securedata/exams
sudo mkdir /securedata/results

Step 2: Give full control to admins only

sudo chown adminuser:admins /securedata
sudo chmod 770 /securedata

Step 3: Give ICT team read-only access to results

sudo chown adminuser:ictteam /securedata/results
sudo chmod 750 /securedata/results

Real Life Example:
A lecturer (admins group) can upload exam results, but ICT support (ictteam group) can only view files, not edit them.

Step 4: Test the permissions

Log in as a student:

su - student1
cd /securedata

Expected:
Permission denied

Step 5: Test ICT read-only access

su - adminuser
touch /securedata/results/grades.txt
exit

su - ictuser   # If created (ictuser is not part of Task 1: create it with adduser and add it to ictteam first)
cat /securedata/results/grades.txt
echo "add something" >> /securedata/results/grades.txt

Expected on write attempt:
Permission denied

This confirms DAC is working correctly.

Caveat: /securedata itself is mode 770 with group admins (Step 2), so a user who is only in ictteam has no execute (search) permission on the parent directory and the cat above is also denied. For the read-only test to behave as described, ictuser must also be a member of admins, or /securedata must grant execute permission to ictteam.

TASK 3: FORCE UNAUTHORIZED ACCESS ATTEMPTS

Log in as a student and attempt access:

su - student1
cd /securedata
cat /securedata/results/grades.txt
cd /securedata/exams

Expected:
Permission denied

Try creating a file illegally:

touch /securedata/hack.txt

Expected:
touch: cannot touch '/securedata/hack.txt': Permission denied

NOTE: Every “permission denied” that comes from an authentication failure (su, sudo, SSH) is recorded in /var/log/auth.log. A “permission denied” on a file or directory by itself is not written to any log by default; to capture those, enable auditd on /securedata (see the bonus tasks).
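A model of the DAC decisions the kernel makes in Tasks 2 and 3, as an added example that is not part of the lab: the group table and file table are constructed to match Task 1 and Task 2 (ictuser is assumed to exist and to be in ictteam only), and can_access walks the path the way the kernel does, requiring search (x) permission on every parent directory before the requested operation is tested. It shows why a user who is only in ictteam is denied even the read in Step 5 until added to admins. Runs as a plain sh script without root.

```shell
# Constructed group membership as `id -nG USER` would print it after Task 1
# (primary group first, then the roles assigned with usermod -aG).
ID_TABLE='student1 student1 students
adminuser adminuser admins ictteam
ictuser ictuser ictteam'
# Constructed table of the Task 2 objects: path, mode (as `stat -c %a`), owner, group.
FS_TABLE='/ 755 root root
/securedata 770 adminuser admins
/securedata/results 750 adminuser ictteam
/securedata/results/grades.txt 644 adminuser adminuser'

user_groups() { printf '%s\n' "$ID_TABLE" | awk -v u="$1" '$1 == u { $1 = ""; print }'; }
# Simulates `sudo usermod -aG GROUP USER` on the table: add_to_group USER GROUP
add_to_group() {
    ID_TABLE=$(printf '%s\n' "$ID_TABLE" | awk -v u="$1" -v g="$2" '$1 == u { $0 = $0 " " g } { print }')
}
# dac_check MODE OWNER GROUP USER OP -> 0 allowed, 1 denied. The kernel picks exactly
# one class (owner, else group, else other) and never falls through to a looser one.
dac_check() {
    cls=other
    if [ "$4" = "$2" ]; then cls=owner
    else for g in $(user_groups "$4"); do [ "$g" = "$3" ] && cls=group; done; fi
    case $cls in owner) dg=${1%??} ;; group) dg=${1#?}; dg=${dg%?} ;; other) dg=${1#??} ;; esac
    case $5 in r) b=4 ;; w) b=2 ;; x) b=1 ;; esac
    if [ $(( $dg & $b )) -ne 0 ]; then return 0; else return 1; fi
}
# can_access USER PATH OP: root bypasses DAC; everyone else needs x (search) on every
# ancestor directory before OP is even tested on the target. Prints the verdict.
can_access() {
    [ "$1" = root ] && { echo allowed; return 0; }
    user=$1 target=$2 op=$3 dirs=/ prefix="" rest=${2#/}
    while [ "$rest" != "${rest#*/}" ]; do
        prefix="$prefix/${rest%%/*}"; rest=${rest#*/}; dirs="$dirs $prefix"
    done
    for d in $dirs $target; do
        [ "$d" = "$target" ] && o=$op || o=x
        set -- $(printf '%s\n' "$FS_TABLE" | awk -v p="$d" '$1 == p { print $2, $3, $4 }')
        [ $# -eq 3 ] || { echo "unknown path $d"; return 1; }
        dac_check "$1" "$2" "$3" "$user" "$o" || { echo "denied: no $o on $d"; return 1; }
    done
    echo allowed
}

echo "student1 reads grades: $(can_access student1 /securedata/results/grades.txt r)"
echo "ictuser reads grades:  $(can_access ictuser /securedata/results/grades.txt r)"
add_to_group ictuser admins   # the membership Step 5 silently needs for the cat to succeed
echo "ictuser reads grades:  $(can_access ictuser /securedata/results/grades.txt r)"
echo "ictuser writes grades: $(can_access ictuser /securedata/results/grades.txt w)"
```

Compare the printed verdicts with the real system: `stat -c '%a %U %G' /securedata /securedata/results` gives the table values, and `id -nG ictuser` the group row.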

TASK 4: CHECK AUTHENTICATION & SYSTEM LOGS

Step 1: Switch to admin

su - adminuser

4.1 — Check authentication logs (MOST IMPORTANT)

sudo grep "student1" /var/log/auth.log

You will see entries such as:
unix_chkpwd[xxxx]: password check failed for user (student1)
sudo: pam_unix(sudo:auth): authentication failure

If your VM has no /var/log/auth.log (rsyslog not installed), the same messages are in the journal: sudo journalctl -t su -t sudo

4.2 — View last failed logins

sudo lastb

4.3 — Check system logs for file access denial

sudo journalctl -xe | grep denied

4.4 — Check user login history

last student1

4.5 — Check sudo attempts

sudo grep sudo /var/log/auth.log

Real Life Scenario:
If a student is trying to access exam files repeatedly, the logs will show multiple “permission denied” and “failed login attempts”.

TASK 5: WRITE SECURITY INCIDENT REPORT

The report must include:

  1. User involved (e.g., student1)
  2. Type of violation (Unauthorized file access attempt)
  3. Time of incident
  4. Exact log entries
  5. Security controls that prevented access (RBAC + DAC)
  6. Recommendations (Password policy, monitoring, audit logs)

Tip: Include screenshots from auth.log, syslog, journalctl, and permission-denied messages.

5. BONUS ADVANCED TASKS

Enable audit logging

sudo apt install auditd -y
sudo auditctl -w /securedata -p rwxa -k securedata_log
# Rules added with auditctl are lost on reboot; to keep this one, put the same line
# (without "auditctl") in /etc/audit/rules.d/securedata.rules and restart auditd.

View audit logs

sudo ausearch -k securedata_log
sudo aureport -f

Find brute force attempts

sudo grep "Failed password" /var/log/auth.log
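The log interpretation of Task 4 and the brute-force check above, as an added example that is not part of the lab: the auth.log lines below are constructed to resemble what sshd, su and sudo write (the hostname ictlab, PIDs, ports and times are made up), and the functions aggregate failed logins per source IP, list the IPs at the blocking threshold, and build the tagged per-user timeline the Task 5 report asks for. Runs as a plain sh script without root.

```shell
# Constructed sample of /var/log/auth.log lines (not captured from a real host).
AUTH_LOG='Mar  3 10:14:02 ictlab sshd[2211]: Failed password for student1 from 192.168.100.10 port 51022 ssh2
Mar  3 10:14:05 ictlab sshd[2211]: Failed password for student1 from 192.168.100.10 port 51023 ssh2
Mar  3 10:14:09 ictlab sshd[2214]: Failed password for invalid user admin from 192.168.100.10 port 51030 ssh2
Mar  3 10:14:20 ictlab sshd[2218]: Accepted password for adminuser from 192.168.100.20 port 51100 ssh2
Mar  3 10:14:41 ictlab sshd[2220]: Failed password for student2 from 192.168.100.30 port 51200 ssh2
Mar  3 10:15:01 ictlab su[2301]: pam_unix(su-l:auth): authentication failure; logname=student1 uid=1001 euid=0 tty=pts/0 ruser=student1 rhost=  user=adminuser
Mar  3 10:15:01 ictlab su[2301]: FAILED SU (to adminuser) student1 on pts/0
Mar  3 10:15:30 ictlab sudo:   student1 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/student1 ; USER=root ; COMMAND=/usr/bin/cat /securedata/results/grades.txt'

# "Failed password" events per source IP, most frequent first (the same lines
# grep "Failed password" /var/log/auth.log prints, but aggregated).
failed_by_ip() {
    printf '%s\n' "$AUTH_LOG" | awk '
        /Failed password for/ { for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Source IPs with at least THRESHOLD failures: candidates for `ufw deny from <ip>`.
brute_force_ips() {  # $1 threshold
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Tagged timeline of one user's security-relevant events, ready for the
# "exact log entries" section of the incident report.
user_timeline() {  # $1 username
    printf '%s\n' "$AUTH_LOG" | awk -v u="$1" '
        { tag = "" }
        index($0, u) == 0 { next }
        /Failed password for/ { tag = "SSH_FAIL" }
        /Accepted password/   { tag = "SSH_OK" }
        /FAILED SU/           { tag = "SU_FAIL" }
        /NOT in sudoers/      { tag = "SUDO_DENIED" }
        tag != "" { print $1, $2, $3, tag }'
}

echo "== failed logins per IP =="; failed_by_ip
echo "== block candidates (>= 3 failures) =="; brute_force_ips 3
echo "== timeline for student1 =="; user_timeline student1
```

To run the same analysis on a real VM, replace the AUTH_LOG variable with `sudo cat /var/log/auth.log` output.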

Create firewall rule to block a suspicious IP

sudo ufw deny from 192.168.100.10
sudo ufw status numbered    # confirm the rule is active

Disable a suspicious user temporarily

sudo usermod -L student1    # locks the password; unlock later with: sudo usermod -U student1

Check a user's last login (for security review)

lastlog -u student1

6. ONLINE LINUX PRACTICE PLATFORMS

Use any of these to test commands LIVE:


END OF ADVANCED PRACTICAL LAB

Reference Book: N/A

Author name: SIR H.A.Mwala Work email: biasharaboraofficials@gmail.com
#MWALA_LEARN Powered by MwalaJS #https://mwalajs.biasharabora.com
#https://educenter.biasharabora.com
