Fundamentals of Linux Platform Security
Security Training Course
Dr. Charles J. Antonelli, The University of Michigan, 2012

Module 5: Logging Infrastructures

Roadmap
  Motivation
  Challenges
  Syslog
  Centralized logging
  Log reduction
  Swatch, logwatch
Motivation
  Administration and debugging
  Detect and analyze security and performance incidents
  Auditing
  Regulatory requirements: HIPAA, SOX, PCI, GLBA, ...

Example
  Jan 02 16:19:45 host.example.com rpc.statd[351]: gethostbyname error for ^X ÿ ^X ÿ ^Y ÿ ^Y ÿ ^Z ÿ ^Z ÿ ^[ ÿ ^[ ÿ bffff750 8 0 4 9 7 1 0 9 0 9 0 9 0 9 0 6 8 7 4 6 5 6 7 6 2 7 4 7 3 6 f 6 d 6 1 6 e 7 9 7 2 6 5 2 0 6 5 2 0 7 2 6 f 7 2 2 0 7 2 6 f 6 6 b f f f f 7 1 8 bffff719 bffff71a b f f f f 7 1 b _!!

Challenges
  Log generation and storage
  Log CIA (confidentiality, integrity, availability)
  Log analysis
CEE: Coming soon?
  Common Event Expression
  Standardizes the way computer events are described, logged, and exchanged:
    Create an event expression taxonomy for uniform and precise log definitions that lead to a common event representation.
    Create a logging syntax utilizing a single data dictionary to provide consistent event-specific details.
    Standardize flexible event transport mechanisms to support multiple environments.
    Propose log recommendations for the events and attributes devices generate.
  http://cee.mitre.org/language/1.0-beta1/overview.html (August 2012)

syslog
  UNIX/Linux logging daemon
  Each message carries a facility (origin) and a priority (importance)
  A log entry accepted by the daemon is logged according to the config file
  Windows third-party tools
    Windows event log -> syslog: http://www.eventreporter.com/, http://www.winagents.com/
    syslog -> Windows: http://www.winsyslog.com/en/

syslog: LogAnalyzer (née phplogcon)
  Front end for searching, reviewing and analyzing event data
  Data sources
    syslog, rsyslog, WinSyslog log files
    MySQL databases: Adiscon MonitorWare, php-syslog-ng schemas
    Any LF-delimited file
    Multiple instances
  Data display
    GUI controls: scroll, search, tooltip, ...
  http://loganalyzer.adiscon.com/
syslog: Splunk
  Indexes log file data, also config files and arbitrary script output
  Data sources
    syslog, rsyslog, WinSyslog log files
    Config files
    Arbitrary script outputs
    Multiple instances
  Indexes data; free for indexing up to 500 MB/day
  Data display
    GUI controls: scroll, search, tooltip, ...
  http://www.splunk.com/

rsyslog
  The reliable and extended Linux logging daemon
  Upward-compatible with syslogd
  Provides reliable remote logging
    TCP: ubiquitous, uses a reliable connection
    RELP: queues locally until the loghost is accessible
  man rsyslogd; man 5 rsyslog.conf; /etc/rsyslog.conf

rsyslog basic lab
  Edit the log destination:
    sudo vi /etc/rsyslog.conf
  Add this line under the RULES section:
    *.debug,mark.debug /var/log/fulllog
  Tell syslog to re-read its config file:
    sudo service rsyslog restart
  Test with the syslog logger:
    logger Hello, world!
centralized logging lab
  Your instructor will provide the identity of a central logging host: pst.merit.edu
  Edit the local /etc/rsyslog.conf and add a forwarding rule naming the remote host:
    *.* @pst.merit.edu
  (A single @ forwards over UDP; the reliable TCP transport described on the rsyslog slide is selected with @@.)
  Tell the local syslog to re-read its config file:
    sudo service rsyslog restart
  Test with logger

Relay architecture
  (diagram slide; the figure is not reproduced in this text)

Log reduction
  Make three piles:
    ignore: don't want to see these, ever
    baseline: aren't likely to contain time-critical security information
    investigate: those that do
Log reduction
  A simple first step:
    cut -f5- -d' ' /var/log/fulllog | sed -e 's/[0-9][0-9]*/###/g' | sort | uniq -c | sort -nr
  Use the script in /usr/local/lab/syslog/reduce

Baselining I
  Construct a baseline: measure a set of known data to compute the range of normal values
  Examples
    Network traffic by protocol
    Logins/logouts
    Accesses of admin accounts
    DHCP address management
    DNS requests
    Amount of log data per day
    Number of processes running

Baselining II
  Compare against the baseline
    Anomaly detection: detecting things you haven't seen before
    Thresholding: identifying data that exceed a given baseline
    Windowing: detecting events within a given time period
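The reduction pipeline from the slide above, followed by the three comparisons from Baselining II (anomaly detection, thresholding, windowing), as an added example that is not part of the course materials. The baseline and "today" log lines are constructed for the example, and the factor and per-minute limit are arbitrary assumptions.

```shell
#!/bin/sh
# Added example (not from the course): the slide's reduction pipeline
# followed by the three "Baselining II" checks. Log lines are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/baseline.log" <<'EOF'
Jan 10 09:00:01 host sshd[100]: Accepted publickey for alice from 10.0.0.5 port 51000
Jan 10 09:05:11 host sshd[101]: Accepted publickey for bob from 10.0.0.6 port 51002
Jan 10 09:20:42 host cron[200]: (root) CMD (run-parts /etc/cron.hourly)
EOF
cat > "$WORK/today.log" <<'EOF'
Jan 11 09:00:03 host sshd[300]: Accepted publickey for alice from 10.0.0.5 port 51010
Jan 11 09:20:40 host cron[400]: (root) CMD (run-parts /etc/cron.hourly)
Jan 11 23:58:01 host sshd[500]: Failed password for root from 203.0.113.9 port 40000
Jan 11 23:58:02 host sshd[501]: Failed password for root from 203.0.113.9 port 40001
Jan 11 23:58:03 host sshd[502]: Failed password for root from 203.0.113.9 port 40002
EOF

# reduce FILE: drop timestamp and host (fields 1-4), mask digit runs as ###,
# then count identical templates, most frequent first (the slide's pipeline).
# Note: syslog pads single-digit days with two spaces, which shifts cut's
# space-delimited fields; the samples use two-digit days to keep this simple.
reduce() {
  cut -f5- -d' ' "$1" | sed -e 's/[0-9][0-9]*/###/g' | sort | uniq -c | sort -nr
}

# to_tsv: turn "  COUNT template" into "COUNT<TAB>template" for the awk join.
to_tsv() { awk '{c=$1; $1=""; sub(/^ /,""); print c "\t" $0}'; }

# compare BASELINE TODAY FACTOR: anomaly detection (template never seen in
# the baseline -> NEW) and thresholding (count > FACTOR x baseline -> THRESHOLD).
compare() {
  reduce "$1" | to_tsv > "$WORK/base.tsv"
  reduce "$2" | to_tsv | awk -F'\t' -v f="$3" '
    NR==FNR         { base[$2]=$1; next }
    !($2 in base)   { print "NEW       " $1 "\t" $2; next }
    $1 > base[$2]*f { print "THRESHOLD " $1 "\t" $2 }' "$WORK/base.tsv" -
}

# window FILE MAX: windowing, flag any one-minute bucket with more than MAX events.
window() {
  cut -c1-12 "$1" | sort | uniq -c |
    awk -v n="$2" '$1 > n { print "BURST " $1 " events in minute " $2 " " $3 " " $4 }'
}

echo "== baseline vs today (factor 2) =="; compare "$WORK/baseline.log" "$WORK/today.log" 2
echo "== bursts (> 2 per minute) ==";     window "$WORK/today.log" 2
```

The three failed root logins are reported once as a NEW template rather than three raw lines, which is the point of reducing before reading.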
Log parsing tools
  swatch
  logwatch

swatch lab
  Examine the man page: man swatch
  Copy the sample rule: cp /usr/local/lab/swatch/sample.swatchrc ~lab/.swatchrc
  Examine the sample rule
  Start swatch: sudo /usr/local/bin/swatch -c ~lab/.swatchrc
  Trigger swatch: start a new terminal window and run logger Hello, World!
  Experiment with different rules

log parsing lab
  Examine the man page: man logwatch
  Examine the config and service files
    System-wide: /usr/share/logwatch/default.conf/logwatch.conf, /usr/share/logwatch/scripts/services
    Locally configured: /etc/logwatch/conf/logwatch.conf, /etc/logwatch/scripts/services
  Perform a log parse: /usr/sbin/logwatch [--service sendmail] [--range all] [--archives]
Maintaining log files
  Log files expand to fill available space
  Control by rotation: switch over to a new log file periodically and overwrite the oldest log file
  logrotate
    Needs the logging facility's cooperation: /sbin/killall -HUP facility, or the copytruncate option
    man logrotate; /etc/logrotate.conf; /etc/logrotate.d/

log analysis lab
  Enable httpd: sudo service httpd start
  Install LogAnalyzer (1)
    cd; cp /usr/local/lab/loganalyzer/loganalyzer-3.4.5.tar.gz .
    tar zxf loganalyzer-3.4.5.tar.gz
    cd loganalyzer-3.4.5
    less Install
  Install LogAnalyzer (2)
    sudo cp -r src/* /var/www/html
    sudo touch /var/www/html/config.php
    sudo chmod 666 /var/www/html/config.php
    sudo chcon -hR -t httpd_sys_script_rw_t /var/www/html
  Install LogAnalyzer (3)
    sudo setfacl -m u:apache:r /var/log/messages
    cp /usr/local/lab/loganalyzer/lpspol_log.te .
    checkmodule -M -m -o lpspol_log.mod lpspol_log.te
    semodule_package -o lpspol_log.pp -m lpspol_log.mod
    sudo semodule -i lpspol_log.pp
log analysis lab (continued)
  Install LogAnalyzer (4)
    Browse to http://localhost/
    Click the word "here" in the Critical Error Notice
    Accept all defaults except Step 7: set Syslog file to /var/log/messages
  Install LogAnalyzer (5)
    sudo chmod 644 /var/www/html/config.php
    sudo restorecon -R /var/www/html
  Run LogAnalyzer! Browse to http://localhost/
  When done with the lab: sudo setfacl -b /var/log/messages

References
  Abe Singer and Tina Bird, Building a Logging Infrastructure, USENIX Association, ISBN 1-931971-25-0, 2004.
  The SANS 2007 Log Management Market Report, http://www.sans.org/reading_room/analysts_program/logmgt_june07.pdf (accessed April 2010).
  Common Event Expression (Anton Chuvakin, cee@mitre.org), http://cee.mitre.org/docs/common_event_expression_white_paper_june_2008.pdf (accessed April 2010).
  Karen Kent and Murugiah Souppaya, Guide to Computer Security Log Management, NIST Special Publication 800-92, September 2006.
  LogAnalyzer Documentation, http://loganalyzer.adiscon.com/doc/manual.html (accessed December 2010).
  http://loganalyzer.adiscon.com/
  http://www.splunk.com/
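The rotation point from the "Maintaining log files" slide (logrotate needs the logging facility's cooperation via SIGHUP, or copytruncate), shown in a runnable form. This is an added example, not course material; it simulates a daemon that keeps its log open using file descriptor 3 in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the course): why rotating by rename needs the
# logging facility's cooperation (SIGHUP reopen) and what copytruncate does
# instead. A daemon that keeps its log open is simulated with descriptor 3.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/app.log"

# rotate_by_rename: rename the log out of the way without telling the writer.
# Prints how many lines the NEW app.log received afterwards (expect 0: the
# writer still holds the old inode, now named app.log.1, and writes there).
rotate_by_rename() {
  : > "$LOG"
  exec 3>>"$LOG"              # "daemon" opens its log once, with O_APPEND
  echo "before rotation" >&3
  mv "$LOG" "$LOG.1"          # rotation without a postrotate HUP or copytruncate
  echo "after rotation" >&3   # lands in app.log.1, not in a new app.log
  exec 3>&-
  if [ -f "$LOG" ]; then wc -l < "$LOG" | tr -d ' '; else echo 0; fi
}

# rotate_by_copytruncate: copy the log, then truncate the original in place,
# which is what logrotate's copytruncate option does. The writer's open
# descriptor stays valid, so later writes land in app.log (expect 1).
# Caveat: lines written between the copy and the truncate are lost, and a
# writer opened without O_APPEND would leave a hole at the start of the file.
rotate_by_copytruncate() {
  : > "$LOG"
  exec 3>>"$LOG"
  echo "before rotation" >&3
  cp "$LOG" "$LOG.1"
  : > "$LOG"
  echo "after rotation" >&3
  exec 3>&-
  wc -l < "$LOG" | tr -d ' '
}

echo "rename only:  $(rotate_by_rename) new line(s) reached app.log"
echo "copytruncate: $(rotate_by_copytruncate) new line(s) reached app.log"
```

Sending SIGHUP after the rename (killall -HUP facility, as on the slide) makes the daemon reopen app.log by name, which avoids both the lost-lines window and the hole problem of copytruncate.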