Fundamentals of Linux Platform Security: Security Training Course. Module 5: Logging Infrastructures




Fundamentals of Linux Platform Security
Security Training Course
Dr. Charles J. Antonelli, The University of Michigan, 2012

Module 5: Logging Infrastructures

Roadmap
  Motivation
  Challenges
  Syslog
  Centralized logging
  Log reduction
  Swatch, logwatch

Motivation
  Administration and debugging
  Detecting and analyzing security and performance incidents
  Auditing
  Regulatory requirements: HIPAA, SOX, PCI, GLBA, ...

Example
  Jan 02 16:19:45 host.example.com rpc.statd[351]: gethostbyname error for ^Xÿ^Xÿ^Yÿ^Yÿ^Zÿ^Zÿ^[ÿ^[ÿ bffff750 804971090909090687465676274736f6d616e797265206520726f7220726f6 bffff718 bffff719 bffff71a bffff71b
  What the log caught: the "hostname" handed to gethostbyname is control bytes, stack addresses (0xbffff7xx) and hex-encoded shellcode rather than a name, the classic trace of a format-string exploit attempt against rpc.statd. The only evidence of the attack is this one line, and it is worth nothing unless somebody reads it.

Challenges
  Log generation and storage
  Log CIA: the confidentiality, integrity and availability of the logs themselves (an attacker who can read, alter or suppress the logs defeats everything built on them)
  Log analysis

CEE: coming soon?
  Common Event Expression
  Standardizes the way computer events are described, logged and exchanged:
    Create an event expression taxonomy for uniform and precise log definitions that lead to a common event representation.
    Create a logging syntax utilizing a single data dictionary to provide consistent event-specific details.
    Standardize flexible event transport mechanisms to support multiple environments.
    Propose log recommendations for the events and attributes devices generate.
  http://cee.mitre.org/language/1.0-beta1/overview.html (August 2012)

syslog
  The UNIX/Linux logging daemon
  Every message carries a facility (its origin) and a priority (its importance)
  A log entry accepted by the daemon is logged according to the config file
  Windows: third-party tools
    Windows event log -> syslog: http://www.eventreporter.com/, http://www.winagents.com/
    syslog -> Windows: http://www.winsyslog.com/en/

syslog: LogAnalyzer (née phplogcon)
  Front end for searching, reviewing and analyzing event data
  Data sources
    syslog, rsyslog, WinSyslog log files
    MySQL databases (Adiscon MonitorWare and php-syslog-ng schemas)
    Any LF-delimited file
    Multiple instances
  Data display: GUI controls (scroll, search, tooltip, ...)
  http://loganalyzer.adiscon.com/

syslog: Splunk
  Indexes log file data, and also config files and arbitrary script output
  Data sources
    syslog, rsyslog, WinSyslog log files
    Config files
    Arbitrary script outputs
    Multiple instances
  Indexes data; free for indexing up to 500 MB/day (as of 2012)
  Data display: GUI controls (scroll, search, tooltip, ...)
  http://www.splunk.com/

rsyslog
  The reliable and extended Linux logging daemon
  Upward-compatible with syslogd
  Provides reliable remote logging
    TCP: ubiquitous, uses a reliable connection
    RELP: queues messages locally until the loghost is reachable again
    Neither gives confidentiality on its own; rsyslog can run both over TLS
  man rsyslogd; man 5 rsyslog.conf; /etc/rsyslog.conf

rsyslog basic lab
  Edit the log destination: sudo vi /etc/rsyslog.conf
  Add a line under the RULES section (selectors are separated by semicolons; a priority matches that level and everything more urgent, so *.debug catches every message of every numbered facility and mark.debug adds the daemon's own mark messages):
    *.debug;mark.debug    /var/log/fulllog
  Tell rsyslog to re-read its config file: sudo service rsyslog restart
  Test it: logger "Hello, world!" and confirm the message appears in /var/log/fulllog
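The facility/priority model and the selector syntax above are easy to get wrong: a priority in a selector means that level and everything more urgent, and a later selector such as mail.none takes its facility back out of an earlier *.info. The following Python is an added example, not code from the course. It decodes the PRI field of a wire-format (RFC 3164) syslog message and evaluates an rsyslog.conf selector field against it using the sysklogd rule that plain selectors overwrite and "!" selectors clear. Treating mark as a pseudo-facility that "*" does not cover is an assumption (consistent with the lab line naming it separately); the names for facilities 12-15 and the sample messages are constructed.

```python
import re

# Facility numbers per RFC 3164; 12-15 have no universally agreed names,
# the ones given here are the common ones (assumption).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEV_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
# "mark" is the daemon's internal pseudo-facility, not a PRI value; it is
# assumed here not to be covered by "*", so it must be named explicitly.
PSEUDO_FACILITIES = ["mark"]

# <PRI>TIMESTAMP HOST MSG, the BSD (RFC 3164) datagram format.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def decode_pri(pri):
    """PRI = facility * 8 + severity; returns the two names."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_syslog(line):
    """Split one wire-format syslog line into its fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a PRI-prefixed syslog line: %r" % line)
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity,
            "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}


def _severity_set(spec):
    """Severities denoted by one priority spec: 'info' is info and anything
    more urgent, '=info' exactly info, '*' everything, 'none' nothing."""
    if spec == "*":
        return set(SEVERITIES)
    if spec == "none":
        return set()
    exact = spec.startswith("=")
    name = spec.lstrip("=")
    name = SEV_ALIASES.get(name, name)
    level = SEVERITIES.index(name)          # raises ValueError on a typo
    return {name} if exact else set(SEVERITIES[:level + 1])


def selector_mask(selectors):
    """Turn a selector field such as '*.info;mail.none;authpriv.none' into
    {facility: set(severities)}. Selectors apply left to right: a plain one
    overwrites the set for the facilities it names, a '!' priority removes
    severities from it (sysklogd/rsyslog semantics)."""
    mask = {f: set() for f in FACILITIES + PSEUDO_FACILITIES}
    for sel in selectors.split(";"):
        facs, prio = sel.strip().rsplit(".", 1)
        negate = prio.startswith("!")
        sevs = _severity_set(prio.lstrip("!"))
        targets = FACILITIES if facs == "*" else [f.strip() for f in facs.split(",")]
        for f in targets:
            mask[f] = mask[f] - sevs if negate else set(sevs)
    return mask


def would_log(selectors, line):
    """True if a rule with this selector field would act on the message."""
    rec = parse_syslog(line)
    return rec["severity"] in selector_mask(selectors)[rec["facility"]]


if __name__ == "__main__":
    # Constructed message; PRI 34 = auth.crit (4 * 8 + 2).
    msg = "<34>Jan  2 16:19:45 host.example.com rpc.statd[351]: gethostbyname error for ..."
    print(parse_syslog(msg))
    for sel in ("*.debug;mark.debug", "*.info;mail.none;authpriv.none", "auth.=err"):
        print("%-35s %s" % (sel, would_log(sel, msg)))
```

Messages already written to a file by the daemon no longer carry the PRI prefix, so parse_syslog only applies to what arrives on the wire (or to what a logger/netcat test sends); the selector evaluation is the part to reuse when checking a rule before restarting rsyslog.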

Centralized logging lab
  Your instructor will provide the identity of a central logging host (here pst.merit.edu)
  Edit the local /etc/rsyslog.conf and add a forwarding rule naming the remote host:
    *.*    @pst.merit.edu
  A single @ forwards over UDP, which gives neither delivery guarantees nor confidentiality; @@host selects plain TCP, the reliable option from the previous slide
  Tell the local rsyslog to re-read its config file: sudo service rsyslog restart
  Test with logger and confirm the message arrives on the central host

Relay Architecture
  (diagram)

Log Reduction
  Make three piles:
    ignore: you don't want to see these, ever
    baseline: messages that aren't likely to contain time-critical security information
    investigate: those that do

Log Reduction: a simple first step
  cut -f5- -d' ' /var/log/fulllog | sed -e 's/[0-9][0-9]*/###/g' | sort | uniq -c | sort -nr
  (drop the month, day, time and host fields, replace every run of digits with ### so that PIDs, ports and addresses collapse into one message template, then count the distinct templates, most frequent first)
  Use the script in /usr/local/lab/syslog/reduce

Baselining I
  Construct a baseline: measure a set of known data to compute the range of normal values
  Examples
    Network traffic by protocol
    Logins/logouts
    Accesses of admin accounts
    DHCP address management
    DNS requests
    Amount of log data per day
    Number of processes running

Baselining II
  Compare against the baseline
    Anomaly detection: detecting things you haven't seen before
    Thresholding: identifying data that exceed a given baseline
    Windowing: detecting events within a given time period

Log parsing tools
  swatch
  logwatch

swatch lab
  Examine the man page: man swatch
  Copy the sample rule: cp /usr/local/lab/swatch/sample.swatchrc ~lab/.swatchrc
  Examine the sample rule
  Start swatch: sudo /usr/local/bin/swatch -c ~lab/.swatchrc
  Trigger swatch: in a new terminal window run logger "Hello, World!"
  Experiment with different rules

logwatch lab
  Examine the man page: man logwatch
  Examine the config and service files
    System-wide: /usr/share/logwatch/default.conf/logwatch.conf and /usr/share/logwatch/scripts/services
    Locally configured: /etc/logwatch/conf/logwatch.conf and /etc/logwatch/scripts/services
  Perform a log parse: /usr/sbin/logwatch [--service sendmail] [--range all] [--archives]

Maintaining log files
  Log files expand to fill available space
  Control by rotation: switch over to a new log file periodically and overwrite the oldest one
  logrotate needs the logging daemon's cooperation, because the daemon keeps writing to the old file after it is renamed: either signal the daemon to reopen its files (for example /sbin/killall -HUP facility in a postrotate script, where facility stands for the daemon's name) or use the copytruncate option, which copies the live file and truncates it in place (anything written between the copy and the truncate is lost)
  man logrotate; /etc/logrotate.conf; /etc/logrotate.d/

Log analysis lab
  Enable httpd: sudo service httpd start
  Install LogAnalyzer (1)
    cd; cp /usr/local/lab/loganalyzer/loganalyzer-3.4.5.tar.gz .
    tar zxf loganalyzer-3.4.5.tar.gz
    cd loganalyzer-3.4.5
    less Install
  Install LogAnalyzer (2)
    sudo cp -r src/* /var/www/html
    sudo touch /var/www/html/config.php
    sudo chmod 666 /var/www/html/config.php   (world-writable only while the web installer runs; step 5 tightens it again)
    sudo chcon -h -R -t httpd_sys_script_rw_t /var/www/html   (-R recurses; lower-case -r would set the SELinux role instead)
  Install LogAnalyzer (3)
    sudo setfacl -m u:apache:r /var/log/messages
    cp /usr/local/lab/loganalyzer/lpspol_log.te .
    checkmodule -M -m -o lpspol_log.mod lpspol_log.te
    semodule_package -o lpspol_log.pp -m lpspol_log.mod
    sudo semodule -i lpspol_log.pp

  Install LogAnalyzer (4)
    Browse to http://localhost/
    Click the word "here" in the Critical Error notice
    Accept all defaults except: in Step 7 set the Syslog file to /var/log/messages
  Install LogAnalyzer (5)
    sudo chmod 644 /var/www/html/config.php
    sudo restorecon -R /var/www/html
  Run LogAnalyzer: browse to http://localhost/
  When done with the lab, remove the ACL again: sudo setfacl -b /var/log/messages

References
  Abe Singer and Tina Bird, Building a Logging Infrastructure, USENIX Association, ISBN 1-931971-25-0, 2004.
  The SANS 2007 Log Management Market Report, http://www.sans.org/reading_room/analysts_program/logmgt_june07.pdf (accessed April 2010).
  Common Event Expression (Anton Chuvakin, cee@mitre.org), http://cee.mitre.org/docs/common_event_expression_white_paper_june_2008.pdf (accessed April 2010).
  Karen Kent and Murugiah Souppaya, Guide to Computer Security Log Management, NIST Special Publication 800-92, September 2006.
  LogAnalyzer Documentation, http://loganalyzer.adiscon.com/doc/manual.html (accessed December 2010).
  http://loganalyzer.adiscon.com/
  http://www.splunk.com/