Security Audit (DORA, NIS2) in SynetoOS 4

Written By Christian Castagna (Administrator)

Updated at March 5th, 2025

→ Applies to: SynetoOS 4.x

All commands in this article are intended to be executed via the SynetoOS CLI.

Tracking logins

List all logins

less /var/log/secure.log

IMPORTANT
Older entries are kept in rotated files (e.g. "secure.log.0", "secure.log.N"); check those files as well.

EXAMPLE

Mar  3 03:12:00 Syn02 sudo:    admin : PWD=/var/storage/admin ; USER=root ; COMMAND=/usr/bin/svcs -H -o FMRI *auto-snapshot:*-*
Mar  3 03:12:00 Syn02 sudo:    admin : PWD=/var/storage/admin ; USER=root ; COMMAND=/usr/sbin/svccfg -s svc:/system/filesystem/zfs/auto-snapshot:daily-Hybrid--datastores--data listprop zfs/current-snapshot-progress
Mar  3 03:12:00 Syn02 sudo:    admin : PWD=/var/storage/admin ; USER=root ; COMMAND=/usr/sbin/svccfg -s svc:/system/filesystem/zfs/auto-snapshot:daily-Hybrid--datastores--data listprop zfs/current-snapshot-state
Mar  3 03:12:00 Syn02 sudo:    admin : PWD=/var/storage/admin ; USER=root ; COMMAND=/usr/sbin/svccfg -s svc:/system/filesystem/zfs/auto-snapshot:weekly-Hybrid--datastores--

 

List all SSH logins (replace <user> with the user name)

grep "Accepted keyboard-interactive/pam for <user>" /var/log/secure.log

IMPORTANT
Older entries are kept in rotated files (e.g. "secure.log.0", "secure.log.N"); check those files as well.

EXAMPLE

grep "Accepted keyboard-interactive/pam for admin" /var/log/secure.log

Feb 20 12:41:13 synos3 sshd[2412980]: Accepted keyboard-interactive/pam for admin from 10.10.1.2 port 59262 ssh2
Feb 20 12:59:02 synos3 sshd[5855]: Accepted keyboard-interactive/pam for admin from 10.10.1.2 port 60703 ssh2
Feb 25 22:52:33 synos3 sshd[2742487]: Accepted keyboard-interactive/pam for admin from 10.10.1.2 port 63399 ssh2
Feb 26 11:53:34 synos3 sshd[174700]: Accepted keyboard-interactive/pam for admin from 10.10.1.2 port 57492 ssh2
Feb 27 16:38:41 synos3 sshd[3479012]: Accepted keyboard-interactive/pam for admin from 10.10.1.2 port 64198 ssh2

 

Tracking remote access by Syneto

Syneto Customer Support uses the Teleport service to connect to Syneto appliances when required.

 

List all logins (replace <relative-time> with a date or timestamp prefix, as in the example)

grep "<relative-time>" /var/svc/log/application-teleport:default.log

EXAMPLE

grep "2025-03-04" /var/svc/log/application-teleport:default.log
grep "2025-03-04T14:" /var/svc/log/application-teleport:default.log

 

2025-03-04T14:05:40+01:00 [SESSION:N] INFO New party ServerContext(86.120.130.119:60360->192.168.200.17:42926, user=root, id=41) party(id=b7cd2f93-96e2-498e-b2cc-f27a170a0c6b) joined session session_id:d01bfbdb-f348-4e94-8714-19c9e46b1136 srv/sess.go:1517
2025-03-04T15:17:36+01:00 [SESSION:N] INFO Closing party b7cd2f93-96e2-498e-b2cc-f27a170a0c6b srv/sess.go:1674
2025-03-04T15:17:36+01:00 [SESSION:N] INFO Removing party ServerContext(86.120.130.119:60360->192.168.200.17:42926, user=root, id=41) party(id=b7cd2f93-96e2-498e-b2cc-f27a170a0c6b) from session session_id:d01bfbdb-f348-4e94-8714-19c9e46b1136 srv/sess.go:1322
2025-03-04T15:17:36+01:00 [AUDIT]     INFO session.data addr.remote:86.120.130.119:60360 code:T2006I ei:2.147483646e+09 event:session.data login:root namespace:default rx:30718 server_id:ce24b8f5-cdf0-4297-bd54-57d3990a4ec7 sid:d01bfbdb-f348-4e94-8714-19c9e46b1136 time:2025-03-04T14:17:36.178Z tx:11716 uid:d541bebd-4f04-4afa-b512-21a54f08c8dd user:test events/emitter.go:265
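
The join and removal lines in the example above can be paired into one row per support session, which is the form an audit report usually needs. This is an added example, not Syneto's or Teleport's code: the helper names `teleport_sessions` and `sample_log` are hypothetical, the sample lines are constructed, and the parsing assumes the line layout shown above.

```shell
#!/bin/sh
# Added example, not Syneto code. Pairs each Teleport "joined session" line
# with its "Removing party" line so every support session shows up as one
# row: start, end, remote address, user, session id.
# Assumption: log lines follow the layout shown in the example above.

teleport_sessions() {   # hypothetical helper; args: log file(s), or stdin
    awk '
    # Return the text matched by re, minus its first "skip" characters.
    function grab(re, skip) {
        return match($0, re) ? substr($0, RSTART + skip, RLENGTH - skip) : "-"
    }
    / New party .* joined session / {
        id = grab("party[(]id=[0-9a-f-]+", 9)
        if (!(id in start)) order[++n] = id
        start[id] = $1
        src[id]   = grab("ServerContext[(][^-]+", 14)   # remote ip:port
        user[id]  = grab("user=[^,)]+", 5)
        sess[id]  = grab("session_id:[0-9a-f-]+", 11)
    }
    / Removing party / {
        id = grab("party[(]id=[0-9a-f-]+", 9)
        if (id in start) stop[id] = $1
    }
    END {
        # A session with no removal line is still open, or its end was
        # logged in a different (rotated) file: flag it instead of hiding it.
        for (i = 1; i <= n; i++) {
            id = order[i]
            print start[id], ((id in stop) ? stop[id] : "OPEN"), src[id], user[id], sess[id]
        }
    }' "$@"
}

# Constructed sample input (documentation addresses, made-up ids).
sample_log() {
    cat <<'EOF'
2025-01-10T09:00:00+01:00 [SESSION:N] INFO New party ServerContext(203.0.113.7:50000->192.0.2.10:3022, user=root, id=1) party(id=aaaaaaaa-0000-0000-0000-000000000001) joined session session_id:bbbbbbbb-0000-0000-0000-000000000001 srv/sess.go:1517
2025-01-10T09:30:00+01:00 [SESSION:N] INFO Removing party ServerContext(203.0.113.7:50000->192.0.2.10:3022, user=root, id=1) party(id=aaaaaaaa-0000-0000-0000-000000000001) from session session_id:bbbbbbbb-0000-0000-0000-000000000001 srv/sess.go:1322
2025-01-10T11:00:00+01:00 [SESSION:N] INFO New party ServerContext(203.0.113.8:50001->192.0.2.10:3022, user=root, id=2) party(id=aaaaaaaa-0000-0000-0000-000000000002) joined session session_id:bbbbbbbb-0000-0000-0000-000000000002 srv/sess.go:1517
EOF
}

sample_log | teleport_sessions
```

On an appliance, call `teleport_sessions /var/svc/log/application-teleport:default.log` instead of piping the sample; rows marked OPEN are the ones to follow up in the rotated logs.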