UCantHide is an open source application that detects anomalies in Linux authorization log files. These anomalies can appear when someone gains unauthorized access to your system and uses some technique to clean the authorization logs.
Currently the application supports only /var/log/auth.log. Other log files, such as /var/log/lastlog, will be supported later.
List of detection techniques:
- Find sessions in auth.log that were closed but never opened.
This anomaly can occur if an attacker authenticated over SSH and then cleaned auth.log. When the attacker later logs out, a 'session closed' record appears in the log file.
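
A minimal sketch of this check, added here as an illustration and not taken from UCantHide's own code. It assumes the usual pam_unix record format (`session opened` / `session closed for user ...`) and pairs records by service, PID and user; the function name and the sample log lines are constructed for the example.

```python
import re

# Matches pam_unix session records, e.g.
#   "... sshd[1234]: pam_unix(sshd:session): session opened for user alice by (uid=0)"
SESSION_RE = re.compile(
    r"\[(?P<pid>\d+)\]: pam_unix\((?P<svc>[^:)]+):session\): "
    r"session (?P<event>opened|closed) for user (?P<user>[^\s(]+)"
)


def find_orphan_closes(lines):
    """Return 'session closed' records whose opening record is absent."""
    open_sessions = set()   # (service, pid, user) opened and not yet closed
    orphans = []
    for lineno, line in enumerate(lines, start=1):
        m = SESSION_RE.search(line)
        if not m:
            continue
        key = (m["svc"], m["pid"], m["user"])
        if m["event"] == "opened":
            open_sessions.add(key)
        elif key in open_sessions:
            open_sessions.remove(key)   # normal pair; the PID may be reused later
        else:
            orphans.append({"line": lineno, "service": m["svc"],
                            "pid": int(m["pid"]), "user": m["user"]})
    return orphans


# Constructed sample: bob's 'session opened' record (sshd[2210]) is missing.
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Mar  3 10:15:01 web01 sshd[1234]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:17:01 web01 CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:17:01 web01 CRON[1300]: pam_unix(cron:session): session closed for user root
Mar  3 10:20:44 web01 sshd[1234]: pam_unix(sshd:session): session closed for user alice
Mar  3 11:02:13 web01 sshd[2210]: pam_unix(sshd:session): session closed for user bob
Mar  3 11:30:00 web01 sshd[1234]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
""".splitlines()

if __name__ == "__main__":
    for o in find_orphan_closes(SAMPLE_LOG):
        print(f"line {o['line']}: {o['service']}[{o['pid']}] closed session for "
              f"{o['user']} with no matching open")
```

A session that was opened before the current file began (for example, before log rotation) also shows up as a close without an open, so check the rotated file before treating a hit as evidence of tampering.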