Local Vulnerability Scanning & System Event Logs

Understand how to audit your own machine for security weaknesses — misconfigured settings, outdated software, weak user policies, and suspicious activity recorded in system logs. No network scanning involved.

Duration: 2–3 Hours
🖥 Platforms: Kali · macOS · Windows
📊 Level: Intermediate
🔒 Type: Hands-On Local Audit
Introduction
Lab Objectives
By the end of this lab, you will be able to:
01  Understand what local vulnerability scanning means and why it differs from network scanning.
02  Use Lynis to perform a complete local security audit and interpret the hardening score.
03  Detect rootkits and hidden backdoors using Chkrootkit / Rkhunter on Linux.
04  Identify outdated packages and weak user account configurations on all three OS.
05  Locate, read, and filter system event log files on Kali Linux, macOS, and Windows.
06  Detect failed logins, brute-force patterns, and suspicious events from logs.
Theory
Key Concepts to Understand First
Before running any tool, read these concepts — they form the foundation of everything in this lab.
🔍 Local vs. Network Scanning
Local scanning audits the machine itself — its settings, users, files, and software. Network scanning targets remote hosts. This lab focuses purely on local scanning.

🛡 Attack Surface
Every unnecessary service, weak password, unpatched package, or open port on your own machine increases its attack surface — the ways an attacker can compromise it.

🦠 Rootkits
A rootkit hides malware on a system, often by modifying kernel modules or replacing system binaries. Scanners like Chkrootkit compare the current state of system binaries, kernel modules, and processes against known rootkit signatures.

📋 CVE & Patch Management
CVE (Common Vulnerabilities and Exposures) entries are publicly disclosed vulnerabilities. Unpatched software = known CVEs = exploitable system. Patch management is the single most impactful security control.

📁 Event Logs
The OS records security-relevant events — logins, errors, policy changes — in structured log files. These are your primary forensic evidence and real-time threat detection source.

Hardening
System hardening is the process of reducing vulnerabilities by disabling unused services, enforcing strong passwords, encrypting disks, and restricting permissions.

Part A
Local Vulnerability Scanning
We use tools that examine your local machine — its installed packages, user accounts, file permissions, kernel settings, and running services — without touching the network.

🔎 Tool: Lynis — System Hardening Auditor

Lynis is an open-source security auditing tool for Unix/Linux and macOS systems. It performs over 200 checks covering authentication, file permissions, kernel parameters, installed software, firewall configuration, and more. At the end it produces a Hardening Index (0–100) — a score of the system's overall security posture. A score below 65 is considered weak.

Platform: Kali Linux ✓   macOS ✓   Windows ✗ (Linux/Mac only)

🐉 Kali Linux
STEP 01: Install Lynis (apt)

Lynis is pre-installed on Kali Linux. Verify and update it before running any audit.

KALI TERMINAL
# Verify Lynis is installed
└─$ lynis --version
# Install / update if needed
└─$ sudo apt update && sudo apt install -y lynis
STEP 02: Run a Full System Audit (lynis)

Run Lynis as root so it can access all system files. The --quick flag disables interactive pause prompts — useful for lab environments.

KALI TERMINAL
# Full audit — recommended
└─$ sudo lynis audit system
# Quick audit (no prompts, for lab use)
└─$ sudo lynis audit system --quick
# Save the full log for your report (the log is root-only, so read it with sudo)
└─$ sudo cat /var/log/lynis.log > ~/lynis_report.txt
▸ Expected Output (excerpt)
  Hardening index : 67 [#############       ]
  Tests performed : 263
  
  [WARNING] Found no firewall (UFW/iptables) active
  [SUGGESTION] Enable auditd for process accounting
  [WARNING] Root login via SSH is permitted
⚠️ A Hardening Index below 65 means significant risk. Every WARNING in the output is a weakness an attacker could exploit; every SUGGESTION is an improvement. Record them all.
STEP 03: Read the Lynis Report (grep · cat)

Lynis saves a full structured log. Learn to extract the key parts instead of reading everything.

KALI TERMINAL
# See only warnings from the log (case-insensitive: the log writes "Warning:", the screen shows "[WARNING]")
└─$ sudo grep -i "warning" /var/log/lynis.log
# See hardening index line
└─$ sudo grep -i "hardening index" /var/log/lynis.log
# See all suggestions (lynis-report.dat stores them as suggestion[]= lines)
└─$ sudo grep "^suggestion" /var/log/lynis-report.dat
# Count total warnings (one warning[]= line per warning in the structured report)
└─$ sudo grep -c "^warning" /var/log/lynis-report.dat

◈ Lab Task — Lynis on Kali

  • Run sudo lynis audit system --quick and record your Hardening Index score.
  • List every WARNING produced. Pick 2 warnings and write how you would fix each.
  • Count the total number of tests performed and suggestions made.
  • Save the log: sudo cat /var/log/lynis.log > ~/lynis_report.txt and attach it to your report.
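To pull the same facts out of the structured lynis-report.dat instead of grepping the free-text log, here is an added Python example (not Lynis's own code and not part of the original lab). The report content is a constructed sample; it follows the key=value layout Lynis uses, with warning[]= and suggestion[]= entries formatted as TEST-ID|message|details|solution|.

```python
"""Parse /var/log/lynis-report.dat and summarise the audit's security posture."""
from collections import Counter

# Constructed sample of a lynis-report.dat (not a real audit). Lynis writes
# key=value lines; warning[]= and suggestion[]= entries are pipe-separated:
# TEST-ID|message|details|solution|
SAMPLE_REPORT = """\
report_version_major=1
hostname=kali
hardening_index=67
tests_executed=263
warning[]=FIRE-4512|Found no firewall (UFW/iptables) active|-|-|
warning[]=SSH-7412|Root login via SSH is permitted|PermitRootLogin|-|
suggestion[]=ACCT-9628|Enable auditd for process accounting|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (set YES to NO)|-|
"""


def parse_report(text):
    """Return the hardening index, test count and structured warning /
    suggestion entries from lynis-report.dat text."""
    report = {"hardening_index": None, "tests_executed": None,
              "warnings": [], "suggestions": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key == "hardening_index":
            report["hardening_index"] = int(value)
        elif key == "tests_executed":
            report["tests_executed"] = int(value)
        elif key in ("warning[]", "suggestion[]"):
            # Pad so a short entry never raises IndexError.
            fields = (value.split("|") + ["", "", ""])[:4]
            entry = {"test": fields[0], "message": fields[1],
                     "details": fields[2], "solution": fields[3]}
            bucket = "warnings" if key == "warning[]" else "suggestions"
            report[bucket].append(entry)
    return report


def summarise(report, weak_below=65):
    """Apply the lab's rule (index below 65 = weak) and group suggestions by
    test ID, so repeated advice under one test (e.g. several SSH options
    under SSH-7408) shows up as one finding with a count."""
    idx = report["hardening_index"]
    if idx is None:
        posture = "UNKNOWN"
    else:
        posture = "WEAK" if idx < weak_below else "OK"
    return {
        "posture": posture,
        "warning_count": len(report["warnings"]),
        "suggestions_by_test": dict(Counter(s["test"] for s in report["suggestions"])),
    }


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(summarise(parsed))
    for w in parsed["warnings"]:
        print(f"[WARNING] {w['test']}: {w['message']}")
```

Run it against the real file with parse_report(open("/var/log/lynis-report.dat").read()) as root.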
🍎 macOS
STEP 01: Install via Homebrew (brew)

macOS doesn't ship with Lynis — install it via Homebrew.

MACOS TERMINAL
# Install Homebrew (if not present)
% /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install Lynis
% brew install lynis
% lynis --version
STEP 02: Run Audit + macOS-Specific Checks (lynis · built-ins)

On macOS, Lynis also checks FileVault encryption, Gatekeeper, and SIP. Run these native checks alongside Lynis for a complete picture.

MACOS TERMINAL
# Full audit
% sudo lynis audit system --quick
# FileVault — disk encryption status
% fdesetup status
FileVault is On.                                  ← GOOD — disk is encrypted
# SIP — System Integrity Protection
% csrutil status
System Integrity Protection status: enabled.
# Gatekeeper — app signing enforcement
% spctl --status
assessments enabled
# Firewall status
% sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
Firewall is enabled. (State = 1)
💡 FileVault OFF = your disk data is readable without your password. SIP OFF = system files can be modified by malware. Both should always be ON.

◈ Lab Task — Lynis on macOS

  • Run Lynis audit and note the Hardening Index.
  • Check FileVault, SIP, Gatekeeper, and Firewall — document each as enabled/disabled.
  • List any WARNING lines in the Lynis output.
🪟 Windows
STEP 01: Windows Security Baseline Check (PowerShell · Defender)

Lynis does not run on Windows. Instead, use PowerShell to check the categories that Microsoft Baseline Security Analyzer (MBSA) used to cover, plus Windows Defender's built-in status cmdlets. Together these cover the same categories Lynis checks on Linux.

POWERSHELL (Admin)
# Check Windows Defender / Antivirus status
PS> Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntispywareEnabled, AntivirusSignatureAge
AntivirusEnabled          : True
RealTimeProtectionEnabled : True
AntivirusSignatureAge     : 14        ← days since last update!
# Check all firewall profiles
PS> Get-NetFirewallProfile | Select-Object Name, Enabled
# Check BitLocker disk encryption status
PS> Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus
MountPoint VolumeStatus   ProtectionStatus
---------- ------------   ----------------
C:         FullyEncrypted On
# Check UAC (User Account Control) status
PS> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLUA

◈ Lab Task — Windows Security Baseline

  • Check Defender status — is real-time protection on? How old are the signatures?
  • Verify all three firewall profiles (Domain, Private, Public) are enabled.
  • Check BitLocker — is the C: drive encrypted? If not, that is a major risk.
  • Check UAC — EnableLUA should be 1. Document the value you find.

🦠 Tool: Chkrootkit & Rkhunter — Rootkit Detectors

Chkrootkit scans for known rootkits by checking system binaries, kernel modules, and running processes against known malicious patterns. Rkhunter (Rootkit Hunter) does similar checks plus verifies MD5 hashes of system files to detect tampering.

These tools are only meaningful on Kali / Linux. The Windows equivalent is running a Windows Defender offline scan or Malwarebytes.

🐉 Kali Linux
STEP 01: Install & Run Chkrootkit (chkrootkit)

Chkrootkit is fast and simple. It checks for ~70 known rootkits and suspicious system modifications.

KALI TERMINAL
# Install
└─$ sudo apt install -y chkrootkit
# Run scan
└─$ sudo chkrootkit
# Show only infected / suspicious lines
└─$ sudo chkrootkit | grep -i "INFECTED\|suspicious\|WARNING"
# Save to file
└─$ sudo chkrootkit > ~/chkrootkit_report.txt
▸ Expected Output
Checking `ifconfig'...      not infected
Checking `ps'...           not infected
Checking `netstat'...      not infected
Checking `syslogd'...      not infected
Checking `bindshell'...    INFECTED (PORTS: 465)   ← Alert!
🚨 If you see INFECTED: Do not panic — some results are false positives. Cross-verify with Rkhunter before concluding the system is compromised.
STEP 02: Install & Run Rkhunter (rkhunter)

Rkhunter takes a baseline of your system files first, then compares future states against that baseline. Run --propupd to build the initial database.

KALI TERMINAL
# Install
└─$ sudo apt install -y rkhunter
# Update signature database
└─$ sudo rkhunter --update
# Build file property baseline (do this ONCE on a clean system)
└─$ sudo rkhunter --propupd
# Run full system check
└─$ sudo rkhunter --check
# Non-interactive (for scripts / labs)
└─$ sudo rkhunter --check --skip-keypress --report-warnings-only
# View the log (grep reads the file directly; no cat needed)
└─$ sudo grep -E "Warning|Found" /var/log/rkhunter.log

◈ Lab Task — Rootkit Detection

  • Run sudo chkrootkit | grep -i "INFECTED" — document any results.
  • Run Rkhunter with --skip-keypress --report-warnings-only — list all warnings.
  • Research one rootkit name shown in the Chkrootkit checks (e.g., "lkm") and write 2 lines about what it does.
🍎 macOS
STEP 01: macOS Malware Check (XProtect · MRT)

macOS has built-in malware tools: XProtect (signature-based scanner) and MRT (Malware Removal Tool). You can also use osquery for deeper inspection.

MACOS TERMINAL
# Check XProtect version (built-in AV)
% system_profiler SPInstallHistoryDataType | grep -A5 "XProtect"
# View running processes sorted by CPU — spot anything suspicious
% ps aux | sort -k3 -rn | head -20
# List all login items (auto-start programs — common malware persistence)
% osascript -e 'tell application "System Events" to get the name of every login item'
# Check launch agents / daemons (another persistence mechanism)
% ls ~/Library/LaunchAgents/
% ls /Library/LaunchDaemons/
💡 Malware on macOS often hides in ~/Library/LaunchAgents/ as a .plist file that restarts it on every login. Any unfamiliar entry here is suspicious.
🪟 Windows
STEP 01: Windows Defender Offline Scan + Autoruns (Defender · Autoruns)

Use Windows Defender for malware scanning, and Autoruns (Sysinternals) to detect persistence mechanisms — the Windows equivalent of Rkhunter's startup checks.

POWERSHELL (Admin)
# Start a Windows Defender quick scan
PS> Start-MpScan -ScanType QuickScan
# Full scan (takes longer)
PS> Start-MpScan -ScanType FullScan
# Check for threats detected: Get-MpThreat lists the threat names,
# Get-MpThreatDetection lists the individual detection events
PS> Get-MpThreat | Select-Object ThreatName, SeverityID
PS> Get-MpThreatDetection | Select-Object ThreatID, ActionSuccess, InitialDetectionTime
# Check all auto-start services (malware often installs as a service)
PS> Get-Service | Where-Object {$_.StartType -eq 'Automatic'} | Select-Object Name, DisplayName, Status
# Check startup programs (persistence check)
PS> Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location

📦 Outdated Package / Software Audit

Unpatched software is the #1 source of exploitable vulnerabilities. Each outdated package is a potential CVE waiting to be used. Every major OS provides built-in tools to list available updates. Never ignore security updates.

KALI TERMINAL
# Update package index
└─$ sudo apt update
# List all packages with available upgrades
└─$ apt list --upgradeable 2>/dev/null
# Count how many packages need updating
└─$ apt list --upgradeable 2>/dev/null | wc -l
# Check a specific package version
└─$ dpkg -l openssh-server
# Preview security updates only (using unattended-upgrades)
└─$ sudo unattended-upgrade --dry-run -d
# Search for known CVEs in installed packages
└─$ sudo apt install debsecan && debsecan
MACOS TERMINAL
# List available macOS system updates
% softwareupdate --list
# List outdated Homebrew packages
% brew outdated
# Show current macOS version
% sw_vers
# Check all installed apps and versions
% system_profiler SPApplicationsDataType | grep -E "Version|Location" | head -40
POWERSHELL (Admin)
# Show last 10 installed Windows Updates
PS> Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
# Search for pending updates using the Windows Update API
PS> $s = New-Object -ComObject Microsoft.Update.Session
PS> $q = $s.CreateUpdateSearcher().Search("IsInstalled=0 and Type='Software'")
PS> $q.Updates | Select-Object Title
# Check Windows version and build
PS> [System.Environment]::OSVersion.Version
# List all installed software
PS> Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion | Sort-Object DisplayName

👤 User Account & Policy Audit

Unauthorized or misconfigured user accounts are a critical vulnerability. Attackers who gain a foothold on a system immediately look for accounts with weak passwords, excessive privileges, or no password at all. Review all accounts regularly.

KALI TERMINAL
# List all user accounts on the system (UID >= 1000 = regular users; nobody, UID 65534, also appears)
└─$ awk -F: '$3 >= 1000 {print $1, $3, $6, $7}' /etc/passwd
kali 1000 /home/kali /bin/bash
# Find accounts with empty passwords (DANGEROUS)
└─$ sudo awk -F: '($2 == "") {print $1 " has NO password!"}' /etc/shadow
# Find accounts with UID 0 (root-level) other than root
└─$ awk -F: '($3 == 0 && $1 != "root") {print $1}' /etc/passwd
# Check password policy
└─$ sudo chage -l kali
# List users with sudo access
└─$ grep -E "^(sudo|admin):" /etc/group
🚨 Red Flag: Any account other than root with UID 0 is a backdoor. Any account with an empty password is an open door. Investigate immediately.
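The same three Kali checks cross-referenced in one place, as an added Python example (not part of the original lab): it reads passwd, shadow and group text and reports non-root UID 0 accounts, empty password fields and privileged-group members. The file contents below are constructed samples with two planted weaknesses (toor and svc); on a real host you would pass the contents of /etc/passwd, /etc/shadow (root-only) and /etc/group.

```python
"""Flag risky local accounts by cross-checking /etc/passwd, /etc/shadow and /etc/group."""

# Constructed sample files (not from a real host). 'toor' and 'svc' are
# deliberately planted weaknesses so the checks have something to find.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kali:x:1000:1000:kali:/home/kali:/bin/bash
svc:x:1001:1001::/home/svc:/bin/bash
toor:x:0:0::/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$y$j9T$placeholderhash:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
kali:$y$j9T$placeholderhash:19800:0:99999:7:::
svc::19800:0:99999:7:::
toor:$y$j9T$placeholderhash:19800:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:kali,svc
"""

PRIVILEGED_GROUPS = ("sudo", "wheel", "admin")


def _records(text):
    """Split colon-separated lines, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def audit_accounts(passwd_text, shadow_text, group_text):
    """Return (severity, account, reason) tuples for the red flags the lab
    describes: non-root UID 0, empty password, and privileged-group members."""
    findings = []
    shells = {}
    for rec in _records(passwd_text):
        name, uid, shell = rec[0], rec[2], rec[6]
        shells[name] = shell
        if uid == "0" and name != "root":
            findings.append(("HIGH", name, f"UID 0 account other than root (shell {shell})"))

    for rec in _records(shadow_text):
        name, pw = rec[0], rec[1]
        # Locked ('!', '*') and hashed entries are fine; an empty field means
        # no password at all, so anyone can switch to the account.
        if pw == "":
            shell = shells.get(name, "?")
            findings.append(("HIGH", name, f"empty password field (shell {shell})"))

    members = set()
    for rec in _records(group_text):
        if rec[0] in PRIVILEGED_GROUPS and len(rec) > 3 and rec[3]:
            members.update(rec[3].split(","))
    for name in sorted(members):
        findings.append(("MEDIUM", name, "member of a privileged group (sudo/wheel/admin)"))
    return findings


def high_risk_accounts(passwd_text, shadow_text, group_text):
    """Names that carry at least one HIGH finding, as a quick summary."""
    return sorted({name for sev, name, _ in
                   audit_accounts(passwd_text, shadow_text, group_text) if sev == "HIGH"})


if __name__ == "__main__":
    for sev, name, reason in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP):
        print(f"{sev:6} {name:8} {reason}")
```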
MACOS TERMINAL
# List all local user accounts
% dscl . -list /Users | grep -v "^_"
# List admin users
% dscl . -read /Groups/admin GroupMembership
# Check if guest account is enabled (security risk)
% defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled
1   ← Guest is ON — this is a risk!
0   ← Guest is OFF — good
POWERSHELL (Admin)
# List all local user accounts with status
PS> Get-LocalUser | Select-Object Name, Enabled, PasswordRequired, LastLogon
# Find accounts where password is NOT required (high risk)
PS> Get-LocalUser | Where-Object {$_.PasswordRequired -eq $false} | Select-Object Name
# List members of the Administrators group
PS> Get-LocalGroupMember -Group "Administrators"
# Check if Guest account is enabled
PS> Get-LocalUser -Name "Guest" | Select-Object Name, Enabled
Part B
System Event Logs
Logs are the operating system's diary. They record every significant event — logins, errors, service changes, and policy modifications. Learning to read logs is a core skill of any security analyst.

📁 Where Are Logs Stored? (All Three OS)

Each OS stores logs differently. Understanding the location and format is the first step before any analysis.

LOG TYPE                | 🐉 KALI LINUX                  | 🍎 MACOS                                  | 🪟 WINDOWS
Authentication / Login  | /var/log/auth.log              | log show --predicate 'process=="sshd"'    | Event Viewer → Security (ID 4624, 4625)
General System Messages | /var/log/syslog or journalctl  | /var/log/system.log or log show           | Event Viewer → System
Kernel Messages         | /var/log/kern.log or dmesg     | log show --predicate 'sender=="kernel"'   | Event Viewer → System (Source: kernel)
Application Errors      | /var/log/syslog                | /Library/Logs/                            | Event Viewer → Application
Package Install History | /var/log/dpkg.log              | /var/log/install.log                      | Event Viewer → Setup

🔐 Authentication & Login Event Logs

Authentication logs are the most critical for security monitoring. They record every login attempt — successful or failed — along with the username, source IP, and timestamp. Patterns of repeated failures indicate brute-force attacks.

🐉 Kali Linux
STEP 01: Read the Auth Log (/var/log/auth.log)

The /var/log/auth.log file records every authentication event. On systems that log only to systemd-journald (no rsyslog), the file may not exist; the same events are then available via journalctl -u ssh. Learn to filter it efficiently using grep.

KALI TERMINAL
# View last 50 lines of the auth log
└─$ sudo tail -50 /var/log/auth.log
# Show all FAILED login attempts
└─$ sudo grep "Failed password" /var/log/auth.log
# Show all SUCCESSFUL logins
└─$ sudo grep "Accepted password\|Accepted publickey" /var/log/auth.log
# Detect brute-force: count failures per IP address
# (grep -o pulls out the address, so both "for root from IP" and
#  "for invalid user X from IP" lines count; a fixed awk field number would shift)
└─$ sudo grep "Failed password" /var/log/auth.log | grep -oE "from [0-9.]+" | awk '{print $2}' | sort | uniq -c | sort -rn | head
# View sudo command usage (who ran what as root)
└─$ sudo grep "sudo.*COMMAND" /var/log/auth.log
▸ Sample Auth Log Entry (failed login)
Mar 19 14:32:11 kali sshd[1423]: Failed password for root from 192.168.1.105 port 52213 ssh2
Mar 19 14:32:14 kali sshd[1423]: Failed password for root from 192.168.1.105 port 52218 ssh2
Mar 19 14:32:17 kali sshd[1423]: Failed password for root from 192.168.1.105 port 52225 ssh2
🚨 Brute-Force Detected: The same IP failing repeatedly within seconds is an automated brute-force attack. Block it with: sudo ufw deny from 192.168.1.105
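The sliding-window version of that brute-force check, as an added Python example (not part of the original lab): it parses auth.log lines, including the "invalid user" form that shifts the field positions, and flags a source IP once it reaches N failures inside a time window rather than only counting totals. The log lines and addresses are constructed samples; the year is an assumption because syslog timestamps omit it.

```python
"""Detect SSH brute-force bursts in /var/log/auth.log-style lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (hosts, users and addresses are made up).
SAMPLE_LOG = """\
Mar 19 14:32:11 kali sshd[1423]: Failed password for root from 192.168.1.105 port 52213 ssh2
Mar 19 14:32:14 kali sshd[1423]: Failed password for root from 192.168.1.105 port 52218 ssh2
Mar 19 14:32:17 kali sshd[1423]: Failed password for root from 192.168.1.105 port 52225 ssh2
Mar 19 14:32:19 kali sshd[1430]: Failed password for invalid user admin from 192.168.1.105 port 52230 ssh2
Mar 19 14:32:22 kali sshd[1431]: Failed password for invalid user oracle from 192.168.1.105 port 52233 ssh2
Mar 19 14:40:02 kali sshd[1502]: Failed password for kali from 192.168.1.55 port 40112 ssh2
Mar 19 15:01:45 kali sshd[1580]: Accepted publickey for kali from 192.168.1.100 port 51020 ssh2
Mar 19 15:02:03 kali sudo:     kali : TTY=pts/0 ; PWD=/home/kali ; USER=root ; COMMAND=/usr/bin/apt update
"""

# "invalid user" is optional: sshd logs that prefix for unknown account names.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, user, ip) for each failed SSH password attempt.
    The year is assumed (syslog timestamps do not carry one)."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def brute_force_sources(text, threshold=5, window_seconds=60):
    """Return {ip: (total_failures, sorted_usernames)} for every IP that
    produced >= threshold failures within any window_seconds-long span.
    A sliding window over the sorted timestamps avoids flagging an IP whose
    failures are spread thinly over hours (a user mistyping, not a tool)."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(events), sorted({u for _, u in events}))
                break
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in brute_force_sources(SAMPLE_LOG).items():
        print(f"BRUTE-FORCE {ip}: {count} failures, usernames tried: {', '.join(users)}")
```

The threshold of 5 matches the "5+ Failed password from same IP" indicator used later in this lab; feed it real data with brute_force_sources(open("/var/log/auth.log").read()) as root.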
STEP 02: Login History Commands (last · lastb · who)

These commands read binary login databases (/var/log/wtmp and /var/log/btmp) and display them in human-readable form.

KALI TERMINAL
# Show last 20 successful logins
└─$ last -20
# Show failed login attempts (reads /var/log/btmp)
└─$ sudo lastb -20
# Show who is currently logged in
└─$ who
# Show last login time per user
└─$ lastlog | grep -v "Never logged in"
▸ Sample Output: last -20
kali   pts/0  192.168.1.100   Tue Mar 19 14:22   still logged in
root   tty1                   Tue Mar 19 09:01 - 09:45  (00:43)
kali   pts/1  192.168.1.55    Mon Mar 18 22:10 - 22:30  (00:20)

◈ Lab Task — Auth Logs (Kali)

  • Run the brute-force detection command and check if any IP has more than 3 failures.
  • Run last -20 and sudo lastb -20 — compare the two outputs.
  • Explain in your report: what is the difference between wtmp and btmp?
  • Find one SUCCESSFUL login entry and decode its fields: user, source IP, date, time.
🍎 macOS
STEP 01: macOS Unified Log — Auth Events (log · last)
MACOS TERMINAL
# Stream live system events (Ctrl+C to stop)
% log stream
# Show auth events from last 1 hour
% log show --last 1h | grep -i "authentication\|login\|failed\|denied"
# SSH-specific events
% log show --predicate 'process == "sshd"' --last 24h --info
# Login history (same as Linux)
% last -20
% sudo lastb
# Open Console.app (GUI log viewer)
% open -a Console
💡 Console.app provides a GUI for the Unified Log. Use the search bar to filter by "authentication failed" — much easier for beginners than the CLI.
🪟 Windows
STEP 01: Windows Security Event Log — Login Events (Get-WinEvent · Event IDs)

Windows uses numbered Event IDs to classify every security event. Memorise these core IDs — they are asked in every security exam and job interview.

EVENT ID | MEANING                            | SEVERITY
4624     | Successful logon                   | INFO
4625     | Failed logon (wrong password)      | WATCH
4634     | User logged off                    | INFO
4720     | New user account created           | WATCH
4732     | User added to Administrators group | ALERT
4698     | Scheduled task created             | WATCH
7045     | New service installed              | ALERT
POWERSHELL (Admin)
# Get last 20 failed login events (4625); Properties[5] = target user, Properties[19] = source IP
PS> Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 20 | Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='IP';E={$_.Properties[19].Value}}
# Get successful logins (4624); Properties[8] = logon type
PS> Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 20 | Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='LogonType';E={$_.Properties[8].Value}}
# Count failed logins per username
PS> Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ForEach-Object {$_.Properties[5].Value} | Group-Object | Sort-Object Count -Descending
# Open Event Viewer GUI
PS> eventvwr.msc
▸ Sample Output: Count of Failed Logins
Count  Name
-----  ----
  34   Administrator   ← Brute-force target!
   5   Guest
   2   john.doe

◈ Lab Task — Auth Logs (Windows)

  • Query Event ID 4625 — list the top 3 usernames with most failed logins.
  • Query Event ID 4624 — find any login with LogonType = 10 (RDP). Explain what this means.
  • Open eventvwr.msc, navigate to Security, and apply a filter for Event ID 4732. Document any results.
  • In your report: what is the difference between LogonType 2 (Interactive) and LogonType 3 (Network)?

⚙️ System & Kernel Event Logs

Beyond authentication, the OS records kernel panics, service crashes, hardware errors, and package changes. These logs help diagnose both technical problems and signs of tampering.

KALI TERMINAL
# View last 100 lines of syslog
└─$ sudo tail -100 /var/log/syslog
# journalctl — modern structured log viewer
└─$ journalctl -r                     # Newest entries first
└─$ journalctl -p err -b              # Errors since last boot
└─$ journalctl -u ssh -n 30           # SSH service logs
└─$ journalctl --since "1 hour ago"   # Last hour only
└─$ journalctl -f                     # Live stream (tail)
# Kernel messages (hardware, driver issues); sudo is needed where kernel.dmesg_restrict is set
└─$ sudo dmesg | tail -30
└─$ sudo dmesg --level=err,warn
# Package install/remove history
└─$ tail -30 /var/log/dpkg.log
MACOS TERMINAL
# Show errors from last hour
% log show --last 1h | grep -i "error\|fault\|fail"
# Show logs for a specific subsystem
% log show --predicate 'subsystem == "com.apple.security"' --last 2h
# Kernel messages
% log show --predicate 'sender == "kernel"' --last 1h
# Software install log
% tail -30 /var/log/install.log
# Crash reports (application crashes)
% ls ~/Library/Logs/DiagnosticReports/
POWERSHELL (Admin)
# Get the 20 newest System errors
PS> Get-EventLog -LogName System -EntryType Error -Newest 20 | Select-Object TimeGenerated, Source, EventID, Message
# Get Application errors
PS> Get-EventLog -LogName Application -EntryType Error -Newest 20
# Check for new services installed (7045 = malware indicator)
PS> Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} | Select-Object TimeCreated, @{N='Service';E={$_.Properties[0].Value}}
# Export Security log to file for offline analysis
PS> wevtutil epl Security C:\SecurityLog_backup.evtx
# Open Event Viewer
PS> eventvwr.msc

🔬 Log Analysis — What to Look For

Raw logs contain thousands of lines. Effective security monitoring means knowing exactly what patterns indicate a threat. The table below summarises the most important indicators across all platforms.

INDICATOR                              | WHAT IT MEANS                       | WHERE TO FIND IT                 | SEVERITY
5+ "Failed password" from same IP      | SSH brute-force attack in progress  | /var/log/auth.log                | HIGH
Login at 3 AM from unknown IP          | Possible unauthorised access        | auth.log / Event 4624            | HIGH
New user account created unexpectedly  | Attacker creating persistence       | Event ID 4720 / /etc/passwd      | HIGH
New service installed (Event 7045)     | Malware often runs as a service     | Windows System Event Log         | HIGH
Sudo commands by unknown user          | Privilege escalation attempt        | grep "sudo" /var/log/auth.log    | MEDIUM
Kernel errors at boot                  | Hardware issue or rootkit activity  | dmesg / journalctl -p err        | MEDIUM
Large number of application crashes    | Exploit attempts or buggy software  | Application Event Log            | MEDIUM
Wrap Up
Report & Viva Questions
Answer all questions in your lab report. These are also potential viva questions.
  1. What is the difference between local vulnerability scanning and network vulnerability scanning? Give one example tool for each.
  2. Lynis gives a Hardening Index score. What was your score? List three specific actions you can take to improve it.
  3. What does Chkrootkit check for? How is it different from a regular antivirus scanner?
  4. Why is an account with an empty password or UID 0 (other than root) a critical security risk?
  5. On Linux, what is the difference between /var/log/auth.log, /var/log/syslog, and the journalctl command?
  6. You see 47 "Failed password" entries for root from IP 192.168.1.105 in auth.log. What is happening and what is the first command you run to mitigate it?
  7. Explain Windows Event ID 4624 vs 4625. What does LogonType 10 indicate, and why is it important to monitor?
  8. A new service appears in Windows Event ID 7045 that you did not install. What could this mean and what are your next steps?