E-001 - SSH Access Logging Evidence
Objective
Demonstrate that administrative access attempts are:
- logged
- observable
- usable for security monitoring
Context
This evidence supports validation of:
- SSH access control mechanisms
- detection of unauthorized or suspicious access attempts
Evidence Description
Collected data showing:
- successful SSH logins
- failed authentication attempts
- source IP addresses
- timestamps
Data Source
- /var/log/auth.log (Debian/Ubuntu)
- journalctl -u ssh (systemd systems)
Collection Method
Example commands:
# Failed login attempts (password and key-based)
grep -E "Failed (password|publickey)" /var/log/auth.log
# Successful logins ("Accepted password" alone misses key-based logins, which sshd logs as "Accepted publickey")
grep -E "Accepted (password|publickey)" /var/log/auth.log
# SSH logs via journalctl (the unit is named sshd rather than ssh on some distributions, e.g. RHEL/Fedora)
journalctl -u ssh --since "24 hours ago"
Expected Outcome
- Failed login attempts are logged with source IP
- Successful logins are recorded
- Logs are readable and usable for analysis
Evidence Data (To Fill)
[Relevant log extracts will go here]
Observations
- Are logs complete?
- Are IP addresses visible?
- Any suspicious patterns?
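Added example (not part of this evidence template): a small parser that turns auth.log lines like those collected above into structured events and answers the observation questions (are IPs visible, are there suspicious patterns) by counting failures per source IP and flagging sources that succeeded after failing. The sample log lines, hostnames, IPs and the failure threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format written by sshd (hypothetical host, users and IPs).
SAMPLE_AUTH_LOG = """\
Mar 12 08:01:02 host1 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar 12 08:01:05 host1 sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 50124 ssh2
Mar 12 08:01:09 host1 sshd[1205]: Failed password for root from 198.51.100.23 port 50126 ssh2
Mar 12 08:01:12 host1 sshd[1207]: Failed password for root from 198.51.100.23 port 50128 ssh2
Mar 12 08:01:15 host1 sshd[1209]: Failed password for root from 198.51.100.23 port 50130 ssh2
Mar 12 08:30:41 host1 sshd[1310]: Accepted publickey for ops from 192.0.2.10 port 41212 ssh2: ED25519 SHA256:placeholder
Mar 12 09:12:00 host1 sshd[1400]: Failed password for ops from 192.0.2.10 port 41300 ssh2
Mar 12 09:12:07 host1 sshd[1402]: Accepted password for ops from 192.0.2.10 port 41302 ssh2
"""

# Matches both password and publickey outcomes; "invalid user" is dropped so the user field stays clean.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def parse_auth_log(text):
    """Return one dict per sshd auth event: timestamp, outcome, method, user, source ip."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def failures_per_ip(events):
    """Count failed attempts by source IP (the 'source IP addresses' evidence item)."""
    return Counter(e["ip"] for e in events if e["outcome"] == "Failed")

def flag_bruteforce(events, threshold=5):
    """Source IPs with at least `threshold` failed attempts (threshold is an assumed review value)."""
    return sorted(ip for ip, n in failures_per_ip(events).items() if n >= threshold)

def successes_after_failures(events):
    """(ip, user) pairs that logged in after an earlier failure from the same IP: worth a closer look."""
    failed, suspicious = set(), set()
    for e in events:
        if e["outcome"] == "Failed":
            failed.add(e["ip"])
        elif e["ip"] in failed:
            suspicious.add((e["ip"], e["user"]))
    return sorted(suspicious)
```

Feed it the real extract (for example the output of the grep commands above, or `journalctl -u ssh -o short`) in place of the constructed sample; anything the regex does not match is silently skipped, so compare the event count against the raw line count when checking completeness.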
Conclusion
[ ] Effective
[ ] Partially Effective
[ ] Ineffective
Notes
- Link with CrowdSec if active
- Will later integrate with centralized logging (Wazuh)