Скачать презентацию 91 580 203 Computer Network Forensics Xinwen Скачать презентацию 91 580 203 Computer Network Forensics Xinwen

0866a182fc1a15baeb7df9058b6b09a7.ppt

  • Количество слайдов: 44

91. 580. 203 Computer & Network Forensics Xinwen Fu Linux Logging Mechanisms College of 91. 580. 203 Computer & Network Forensics Xinwen Fu Linux Logging Mechanisms College of [email protected]

Outline p Log files n n n p What need to be logged Logging Outline p Log files n n n p What need to be logged Logging policies Finding log files Syslog: the system event logger 2 [email protected]

Who logs data? The accounting system p The kernel p Various utilities p n Who logs data? The accounting system p The kernel p Various utilities p n n All produce data that need to be logged Most of the data has a limited useful lifetime, and needs to be summarized, compressed, archived and eventually thrown away 3 [email protected]

Logging policies 1. Throw away all data immediately 2. Reset log files at periodic Logging policies 1. Throw away all data immediately 2. Reset log files at periodic intervals 3. Rotate log files, keeping data for a fixed amount of time 4. Compress and archive to tape or other permanent media 4 [email protected]

Which policy to choose p Depends on: n n p how much disk space Which policy to choose p Depends on: n n p how much disk space you have how security-conscious you are Whatever scheme you select, regular maintenance of log files should be automated using cron 5 [email protected]

1. Throwing away log files p Not recommend n n p Security problems (accounting 1. Throwing away log files p Not recommend n n p Security problems (accounting data and log files provide important evidence of break-ins) Helpful for alerting you to hardware and software problems In general, keep one or two months n In a real world, it may take one or two weeks for SA to realize that site has been compromised by a hacker and need to review the logs 6 [email protected]

2. Reset log files at periodic intervals Most sites store each day’s log info 2. Reset log files at periodic intervals Most sites store each day’s log info on disk, sometimes in a compressed format p These daily files are kept for a specific period of time and then deleted p One common way to implement this policy is called “rotation” p 7 [email protected]

3. Rotating log files p Keep backup files that are one day old, two 3. Rotating log files p Keep backup files that are one day old, two days old, and so on. n n logfile, logfile. 1 , logfile. 2, … logfile. 6 Linux: /etc/logrotate. conf p p Specify the frequency with which the files are reused Each day rename the files to push older data toward the end of the chain 8 [email protected]

Script to archive 4 days files #! /bin/sh cd /var/log mv logfile. 2 logfile. Script to archive 4 days files #! /bin/sh cd /var/log mv logfile. 2 logfile. 3 mv logfile. 1 logfile. 2 mv logfile. 1 cat /dev/null > logfile p p Some daemons keep their log files open all the time, this script can’t be used with them. To install a new log file, you must either signal the daemon, or kill and restart it. In Unix-like operating systems, /dev/null or the null device is a special file that discards all data written to it, and provides no data to any process that reads from it. In Unix programmer jargon, it may also be called the bit bucket or black hole. 9 [email protected]

4. Archiving log files Some sites must archive all accounting data and log files 4. Archiving log files Some sites must archive all accounting data and log files as a matter of policy, to provide data for a potential audit p Log files should be first rotated on disk, then written to tape or other permanent media p 10 [email protected]

Finding log files p To locate log files, read the system startup scripts : Finding log files p To locate log files, read the system startup scripts : /etc/rc* or /etc/init. d/* n n p If logging is turned on when daemons are run Where messages are sent Some programs handle logging via syslog (syslogd or rsyslogd) n Check /etc/syslog. conf (or rsyslog. conf on Fedora Core 9) to find out where this data goes 11 [email protected]

Finding log files (default configuration) p Different operating systems put log files in different Finding log files (default configuration) p Different operating systems put log files in different places: n n p /var/log/* /var/cron/log /usr/adm /var/adm … On Linux, all the log files are in /var/log directory 12 [email protected]

Outline Log files p Syslog: the system event logger p n n how syslog Outline Log files p Syslog: the system event logger p n n how syslog works its configuration file debugging syslog the software that uses syslog 13 [email protected]

What is syslog A comprehensive logging system, used to manage information generated by the What is syslog A comprehensive logging system, used to manage information generated by the kernel and system utilities p Allow messages to be sorted by their sources and importance, and routed to a variety of destinations: p n Log files, users’ terminals, or even other machines 14 [email protected]

Syslog: three parts 1. Syslogd: daemon that does the actual logging n Configuration file: Syslog: three parts 1. Syslogd: daemon that does the actual logging n Configuration file: /etc/syslog. conf 2. API: openlog, syslog, closelog n Library routines that programs use to send data to syslogd 3. logger n User-level command for submitting log entries 15 [email protected]

syslog-aware programs Using syslog library routines write log entries to a special file /dev/log syslog-aware programs Using syslog library routines write log entries to a special file /dev/log /dev/klog reads syslogd consults dispatches Log files Users’s terminals Other machines /etc/syslog. conf Most system logging daemons listen on one or more Unix sockets, the most typical being /dev/log; /dev/klog is kernel log socket 16 [email protected] http: //www. calpoly. edu/cgi-bin/man-cgi? syslogd

Configuring syslogd The configuration file /etc/syslog. conf controls syslogd’s behavior p It is a Configuring syslogd The configuration file /etc/syslog. conf controls syslogd’s behavior p It is a text file with simple format, blank lines and lines beginning with ‘#’ are ignored (comment). p n n selector action for example mail. info /var/log/maillog 17 [email protected]

Configuration file - selector p Identifies n n n p Program ‘facility’ that is Configuration file - selector p Identifies n n n p Program ‘facility’ that is sending a log message Messages’s severity level eg. mail. info Syntax n n facility. level Facility names and severity levels must be chosen from a list of defined values 18 [email protected]

Configuration file - Facility Names FACILITY kern user mail daemon auth lpr news PROGRAMS Configuration file - Facility Names FACILITY kern user mail daemon auth lpr news PROGRAMS THAT USE IT the kernel User process, default if not specified The mail system System daemons Security and authorization related commands the BSD line printer spooling system The Usenet news system 19 [email protected]

Configuration file - Facility names (Cont. ) FACILITY uucp cron mark local 0 -7 Configuration file - Facility names (Cont. ) FACILITY uucp cron mark local 0 -7 syslog authpriv ftp * PROGRAMS THAT USE IT Reserved for UUCP the cron daemon Timestamps generated at regular intervals Eight flavors of local message syslog internal messages Private or system authorization messages the ftp daemon, ftpd All facilities except “mark” UUCP stands for Unix to Unix Co. Py. 20 [email protected]

Configuration file - Facility names (Cont. ) p p p Facility - Mark: Timestamps Configuration file - Facility names (Cont. ) p p p Facility - Mark: Timestamps can be used to log time at regular intervals (by default, every 20 minutes), so you can figure out that your machine crashed between 3: 00 and 3: 20 am, not just “sometime last night”. This can be a big help if debugging problems occur on a regular basis Start at command line: syslogd –m 1 Use syslog. conf n n Start syslog daemon: syslogd Add the line to syslog. conf: mark. * /var/log/messages 21 [email protected]

Configuration file - severity level severe not severe LEVEL emerg (panic) alert crit err Configuration file - severity level severe not severe LEVEL emerg (panic) alert crit err warning notice info debug APPROXIMATE MEANING Panic situation Urgent situation Critical condition Other error conditions Warning messages Unusual things that may need investigation Informational messages For debugging 22 [email protected]

Configuration file - selector p p Levels indicate the minimum importance that a message Configuration file - selector p p Levels indicate the minimum importance that a message must have in order to be logged n mail. warning - would match all the messages from the mail system, at the minimum level of warning Level of ‘none’ will exclude the listed facilities regardless of what other selectors on the same line may say. n *. info; mail. none action All the facilities, except mail, at the minimum level info will subject to action 23 [email protected]

Configuration file – selector (Cont. ) p p Can include multiple facilities separated with Configuration file – selector (Cont. ) p p Can include multiple facilities separated with ‘, ’ commas n e. g. , daemon, auth, mail. info action Multiple selectors can be combined with ‘; ’ n e. g. daemon. level 1; mail. level 2 action n p Selectors are ‘|’ -- ORed together, a message matching any selector will be subject to the action Can contain n n * - meaning all none - meaning nothing 24 [email protected]

Configuration file - action (Tells what to do with a message) ACTION MEANING filename Configuration file - action (Tells what to do with a message) ACTION MEANING filename Write message to a file on the local machine Forward messages to the syslogd on hostname Forward messages to the host at IP address @hostname @ipaddress user 1, user 2, … * Write messages to users’ screens if they are logged in Write messages to all users logged in 25 [email protected]

Configuration file - action (Cont. ) p p p If a filename action used, Configuration file - action (Cont. ) p p p If a filename action used, the filename must be absolute path. The file must exist since syslogd will not create it n e. g. /var/log/messages If a hostname is used, it must be resolved via a translation mechanism such as DNS or NIS While multiple facilities and levels are allowed in a selector, multiple actions are not allowed. 26 [email protected]

Config file examples (1) # Small network or stand-alone syslog. conf file # emergencies: Config file examples (1) # Small network or stand-alone syslog. conf file # emergencies: tell everyone who is logged on *. emerg * # important messages *. warning; daemon, auth. info # printer errors lpr. debug /var/adm/messages /var/adm/lpd-errs 27 [email protected]

Config file examples (2) # network client, typically forwards serious messages to # a Config file examples (2) # network client, typically forwards serious messages to # a central logging machine # emergencies: tell everyone who is logged on *. emerg; user. none * #important messages, forward to central logger *. warning; lpr, local 1. none @netloghost daemon, auth. info @netloghost # local stuff to central logger too local 0, local 2, local 7. debug @netloghost # card syslogs to local 1 - to boulder local 1. debug @ialab. cs. uml. edu # printer errors, keep them local lpr. debug /var/adm/lpd-errs # sudo logs to local 2 - keep a copy here [email protected] local 2. info /var/adm/sudolog 28

Sample syslog output 1. Mar 27 09: 10: 02 tcb-ia-lab-inst sshd[4100]: Accepted password for Sample syslog output 1. Mar 27 09: 10: 02 tcb-ia-lab-inst sshd[4100]: Accepted password for cis 418 from : : ffff: 216. 254. 235. 105 port 61940 ssh 2 2. Mar 27 18: 10: 00 tcb-ia-lab-inst sshd[9332]: Failed password for root from : : ffff: 216. 254. 235. 105 port 62817 ssh 2 3. Mar 27 18: 10: 08 tcb-ia-lab-inst sshd[9332]: Accepted password for root from : : ffff: 216. 254. 235. 105 port 62817 ssh 2 4. Mar 27 20: 08: 27 tcb-ia-lab-inst sshd[10629]: Accepted password for root from : : ffff: 10. 0. 0. 111 port 42172 ssh 2 5. Mar 27 20: 09: 48 tcb-ia-lab-inst sshd[10649]: Failed password for root from : : ffff: 10. 0. 0. 111 port 48233 ssh 2 29 [email protected]

Syslogd A hangup signal (HUP, signal 1) cause syslogd to close its log files, Syslogd A hangup signal (HUP, signal 1) cause syslogd to close its log files, reread its configuration file, and start logging again p If you modify the syslog. conf file, you must HUP syslogd to make your changes take effect p n n ps -ef | grep syslogd Kill -1 pid-of-syslogd 30 [email protected]

Software that uses syslog PROGRAM amd date ftpd gated gopher halt/reboot login/rlogind lpd FACILITY Software that uses syslog PROGRAM amd date ftpd gated gopher halt/reboot login/rlogind lpd FACILITY auth daemon auth lpr LEVELS err-info notice err-debug alert-info err crit-info err-info DESCRIPTION NFS automounter Display and set date ftp daemon Routing daemon Internet info server Shutdown programs Login programs BSD line printer daemon 31 [email protected]

Software that uses syslog PROGRAM FACILITY named daemon passwd auth LEVELS err-info err sendmail Software that uses syslog PROGRAM FACILITY named daemon passwd auth LEVELS err-info err sendmail rwho su sudo syslogd debug-alert err-notice crit, notice, alert err-info mail daemon auth local 2 syslog, mark DESCRIPTION Name sever (DNS) Password setting programs Mail transport system romote who daemon substitute UID prog. Limited su program internet errors, timestamps 32 [email protected]

Syslog 's functions Liberate programmers from the tedious mechanics of writing log files p Syslog 's functions Liberate programmers from the tedious mechanics of writing log files p Put SA in control of logging p n p Before syslog, SA had no control over what information was kept or where it was stored Can centralize the logging for a network system 33 [email protected]

Debugging syslog -- logger p Useful for submitting log entries from shell scripts p Debugging syslog -- logger p Useful for submitting log entries from shell scripts p Can also use it to test changes in syslogd’s configuration file. n For example. . 34 [email protected]

Add line to syslog. conf: local 5. info /var/log/test. log verify it is working, Add line to syslog. conf: local 5. info /var/log/test. log verify it is working, run logger -p local 5. info “test messages” a line containing “test messages” should be written to /tmp/test. log If this doesn’t happen: forgot to create the test. log file or forgot to send syslogd a hangup signal 35 [email protected]

Remote logging p On a central logging server: 10. 0. 0. 192 n p Remote logging p On a central logging server: 10. 0. 0. 192 n p syslogd -r On a local server: 10. 0. 0. 45 n n authpriv. *; auth. * @10. 0. 0. 192 Question: where are those events written? 36 [email protected]

Process Accounting p p accton is used to turn on or turn off process Process Accounting p p accton is used to turn on or turn off process accounting lastcomm tracks commands each user uses n n n p ac prints out statistics about users' connection times in hours based on the logins and logouts in the current /var/log/wtmp file n p touch /var/log/pacct /sbin/accton /var/log/pacct lastcomm -f /var/log/pacct ac -p -d sa summarizes accounting information from previously executed commands, software I/O operation times, and CPU times, as recorded in the accounting record file /var/log/pacct n sa /var/log/pacct 37 [email protected]

Process Accounting (Cont. ) p last goes through the /var/log/wtmp file and prints out Process Accounting (Cont. ) p last goes through the /var/log/wtmp file and prints out information about users' connection times p lastb is the same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts. 38 [email protected]

Using syslog in programs p openlog( ident, logopt, facility); n p syslog( priority, messge, Using syslog in programs p openlog( ident, logopt, facility); n p syslog( priority, messge, parameters…); n p Messages logged with the options specified by logopt begin with the identification string ident. Send message to syslogd, which logs it at the sepecified priority level close( ); 39 [email protected]

/ * c program: syslog using openlog and closelog */ #include <syslog. h> main / * c program: syslog using openlog and closelog */ #include main ( ) { openlog ( “SA-BOOK”, LOG_PID, LOG_USER); syslog ( LOG_WARNING, “Testing …. “); closelog ( ); } On the host, this code produce the following log entry: Apr 4 15: 21: 57 tcb-ia-lab-inst SA-BOOK[7762]: Testing. . . 40 [email protected]

Summary p On linux, check following files: n n p /etc/syslog. conf : syslog Summary p On linux, check following files: n n p /etc/syslog. conf : syslog configuration file /etc/logrotate. conf : logging policy, rotate /etc/logrotate. d/* /var/log/* : log files try following commands to find out more. . . n n man logrotate man syslogd 41 [email protected]

References 1. 2. 3. 4. Chris Prosise, Kevin Mandia, Matt Pepe, Incident Response and References 1. 2. 3. 4. Chris Prosise, Kevin Mandia, Matt Pepe, Incident Response and Computer Forensics, Second Edition (Paperback), ISBN: 007222696 X Brian Hatch, Preventing Syslog Denial of Service attacks, http: //www. hackinglinuxexposed. com/articles/20030220. html Albert M. C. Tam, Enabling Process Accounting on Linux HOWTO, 02/09/2001, http: //www. faqs. org/docs/Linux-mini/Process. Accounting. html Keith Gilbertson, Process Accounting, 12/01/2002, http: //www. linuxjournal. com/article/6144 42 [email protected]

Notes p Change host name n n /etc/hosts # add the host to the Notes p Change host name n n /etc/hosts # add the host to the end of 127. 0. 0. 1 /etc/sysconfig/network 43 [email protected]

#! /bin/sh cd /var/log mv logfile. 2. Z logfile. 3. Z mv logfile. 1. #! /bin/sh cd /var/log mv logfile. 2. Z logfile. 3. Z mv logfile. 1. Z logfile. 2. Z mv logfile. 1 cat /dev/null > logfile kill -signal pid compress logfile. 1 signal - appropriate signal for the program writing the log file pid - process id 44 [email protected]