Security Audit (DORA, NIS2) in SynetoOS 5

Written By Christian Castagna (Administrator)

Updated at March 5th, 2025

→ Applies to: SynetoOS 5.x

All commands in this article are intended to be executed via SynetoOS CLI.

 

Tracking logins

List all logins

less /var/log/secure

EXAMPLE

Mar  5 09:24:01 Syneto01 sudo[76529]:    root : PWD=/root ; USER=root ; COMMAND=/bin/hostname -I
Mar  5 09:24:01 Syneto01 sudo[76529]: pam_unix(sudo:session): session opened for user root by (uid=0)
Mar  5 09:24:01 Syneto01 sudo[76529]: pam_unix(sudo:session): session closed for user root
Mar  5 09:24:20 Syneto01 sudo[76797]:    root : PWD=/usr/share/syneto-diana ; USER=root ; COMMAND=/bin/nmcli connection
Mar  5 09:24:21 Syneto01 sudo[76797]: pam_unix(sudo:session): session opened for user root by (uid=0)

 

List all SSH logins for a user (replace <user> with the account name)

grep "Accepted keyboard-interactive/pam for <user>" /var/log/secure

EXAMPLE

grep "Accepted keyboard-interactive/pam for admin" /var/log/secure


EXAMPLE OUTPUT

Feb 20 12:41:13 synos3 sshd[2412980]: Accepted keyboard-interactive/pam for admin from 10.10.1.2 port 59262 ssh2
Feb 20 12:59:02 synos3 sshd[5855]: Accepted keyboard-interactive/pam for admin from 10.10.1.2 port 60703 ssh2
Feb 25 22:52:33 synos3 sshd[2742487]: Accepted keyboard-interactive/pam for admin from 10.10.1.2 port 63399 ssh2
Feb 26 11:53:34 synos3 sshd[174700]: Accepted keyboard-interactive/pam for admin from 10.10.1.2 port 57492 ssh2
Feb 27 16:38:41 synos3 sshd[3479012]: Accepted keyboard-interactive/pam for admin from 10.10.1.2 port 64198 ssh2

 

Tracking remote access by Syneto

Syneto Customer Support uses the Teleport service to connect to Syneto appliances when required.

 

List all Teleport logins (replace <relative-time> with the time window to review, keeping the quotes)

journalctl -u teleport --since "<relative-time>" | grep AUDIT

EXAMPLE

journalctl -u teleport --since "1 hour ago" | grep AUDIT
journalctl -u teleport --since "30 minutes ago" | grep AUDIT
journalctl -u teleport --since "2 days ago" | grep AUDIT
journalctl -u teleport --since "1 week ago" | grep AUDIT


EXAMPLE OUTPUT

Feb 27 15:49:29 syneto-os-9320134f teleport[2156]: 2025-02-27T15:49:29+01:00 INFO [AUDIT]     session.start addr.remote:34.154.214.5:443 cluster_name:proxy.t.syneto.eu code:T2000I ei:0 event:session.start initial_command:[] login:root namespace:default proto:ssh server_hostname:sn-sy2000000143 server_id:b5906f4a-67f8-4c85-9b72-748c03a66848 syneto/company-name:ozr syneto/machine-name:syneto-os-9320134f session_recording:node sid:3d73ac64-a7c9-4dc8-9d85-1dafc95e848a size:80:25 time:2025-02-27T14:49:29.327Z uid:4bcc463b-7e9d-45b0-8e39-2d66addf4e91 user:smaadman events/emitter.go:263
Feb 27 15:50:11 syneto-os-9320134f teleport[2156]: 2025-02-27T15:50:11+01:00 INFO [AUDIT]     session.start addr.remote:34.154.214.5:443 cluster_name:proxy.t.syneto.eu code:T2000I ei:0 event:session.start initial_command:[] login:support namespace:default proto:ssh server_hostname:sn-sy2000000143 server_id:b5906f4a-67f8-4c85-9b72-748c03a66848 syneto/company-name:ozr syneto/machine-name:syneto-os-9320134f session_recording:node sid:9bc414f0-5a6d-4d7a-bcf4-bb1b944e9030 size:80:25 time:2025-02-27T14:50:11.851Z uid:57f385e0-bf35-4628-aff7-dcc2e4253cf4 user:smaadman events/emitter.go:263
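
Each AUDIT line is a long run of key:value fields, which is hard to review by eye. The following is an added example, not part of the original article and not Syneto code: it reduces session.start events to the fields an audit record needs (time, Teleport user, local login, remote address, session id). The function names and the sample lines are assumptions made for illustration, and it assumes field values contain no spaces, as in the output above.

```shell
#!/bin/sh
# Added example (not Syneto code): tabulate Teleport session.start audit events.
# Input:  `journalctl -u teleport` lines on stdin.
# Output: time, Teleport user, local login, remote address, session id (tab-separated).
teleport_sessions() {
    awk '
    /\[AUDIT\]/ && / event:session\.start / {
        split("", f)                      # clear the field map for this line
        for (i = 1; i <= NF; i++) {       # tokens with a colon are key:value, split on the FIRST colon
            p = index($i, ":")
            if (p > 1) f[substr($i, 1, p - 1)] = substr($i, p + 1)
        }
        printf "%s\t%s\t%s\t%s\t%s\n", f["time"], f["user"], f["login"], f["addr.remote"], f["sid"]
    }'
}

# Count sessions per "Teleport user -> local login" pair, for an audit summary.
teleport_session_counts() {
    teleport_sessions | awk -F '\t' '{ n[$2 " -> " $3]++ } END { for (k in n) print n[k], k }' | sort -k2
}

# Constructed sample lines: users, addresses and ids are made up and the field list is shortened.
sample_lines() {
    cat <<'EOF'
Feb 27 15:49:29 node1 teleport[2156]: 2025-02-27T15:49:29+01:00 INFO [AUDIT]     session.start addr.remote:192.0.2.10:443 code:T2000I event:session.start login:root proto:ssh sid:aaaa-1111 time:2025-02-27T14:49:29.327Z user:alice events/emitter.go:263
Feb 27 15:50:11 node1 teleport[2156]: 2025-02-27T15:50:11+01:00 INFO [AUDIT]     session.start addr.remote:192.0.2.10:443 code:T2000I event:session.start login:support proto:ssh sid:bbbb-2222 time:2025-02-27T14:50:11.851Z user:alice events/emitter.go:263
Feb 27 15:55:02 node1 teleport[2156]: 2025-02-27T15:55:02+01:00 INFO [AUDIT]     session.end event:session.end login:support sid:bbbb-2222 time:2025-02-27T14:55:02.100Z user:alice events/emitter.go:263
Feb 27 15:56:00 node1 teleport[2156]: 2025-02-27T15:56:00+01:00 INFO [PROC:1]   Service is running.
EOF
}

# Demo on the constructed sample; only the two session.start lines are printed.
sample_lines | teleport_sessions
# On the appliance: journalctl -u teleport --since "2 days ago" | teleport_sessions
```

The time column comes from the event's own time: field, which is UTC, while the journal prefix shows local time.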