Fundamentals of Linux Platform Security

Transcription

1 Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012

2 Fundamentals of Linux Platform Security Module 5 Logging Infrastructures

3 Roadmap Motivation Challenges Syslog Centralized Logging Log reduction Swatch, logwatch 3

4 Motivation Administration & debugging Detect & analyze security & performance incidents Auditing Regulatory requirements HIPAA, SOX, PCI, GLBA, 4

5 Example Jan 02 16:19:45 host.example.com rpc.statd[351]: gethostbyname error for ^X ÿ ^X ÿ ^Y ÿ ^Y ÿ ^Z ÿ ^Z ÿ ^[ ÿ ^[ ÿ bffff f 6 d e f f 6 6 b f f f f bffff719 bffff71a b f f f f 7 1 b _!! 5

6 Challenges Log generation & storage Log CIA Log analysis 6

7 CEE - Coming soon? Common Event Expression Standardizes the way computer events are described, logged, and exchanged Create an event expression taxonomy for uniform and precise log definitions that lead to a common event representation. Create logging syntax utilizing a single data dictionary to provide consistent event specific details. Standardize flexible event transport mechanisms to support multiple environments. Propose log recommendations for the events and attributes devices generate. (August, 2012) 7

8 syslog UNIX/Linux logging daemon facility (origin) & priority (importance) log entry accepted by daemon logged according to config file Windows third-party tools Windows event log -> syslog syslog -> Windows 8

9 syslog LogAnalyzer (née phplogcon) Front end for searching, reviewing and analyzing event data Data sources syslog, rsyslog, WinSyslog log files MySQL databases» Adiscon MonitorWare, php-syslog-ng schemas Any LF-delimited file Multiple instances Data display GUI controls: scroll, search, tooltip, 9

10 syslog Splunk Indexes log file data, also config files, arbitrary script output Data sources syslog, rsyslog, WinSyslog log files Config files Arbitrary script outputs Multiple instances Indexes data Free for indexing up to 500 MB/day Data display GUI controls: scroll, search, tooltip, 10

11 rsyslog The reliable & extended Linux logging daemon Upward-compatible with syslogd Provides reliable remote logging TCP ubiquitous, uses reliable connection RELP- queues locally until loghost accessible man rsyslogd man 5 rsyslog.conf /etc/rsyslog.conf 11

12 Edit log destination sudo vi /etc/rsyslog.conf Add line under RULES section *.debug,mark.debug rsyslog basic lab /var/log/fulllog Tell syslog to re-read config file sudo service rsyslog restart Test the syslog logger Hello, world! 12

13 centralized logging lab Your instructor will provide the identity of a central logging host pst.merit.edu Edit local /etc/rsyslog.conf Add forwarding rule with remote host Tell local syslog to re-read config file sudo service rsyslog restart Test with logger 13

14 Relay Architecture 14

15 Log Reduction Make three piles ignore don t want to see these, ever baseline aren t likely to contain time-critical security information investigate - those that do 15

16 Log Reduction A simple first step cut -f5- -d\ /var/log/fulllog sed -e s/[0-9] [0-9]*/###/g sort uniq -c sort -nr Use script in /usr/local/lab/syslog/reduce 16

17 Baselining I Construct a baseline Measure set of known data to compute range of normal values Examples Network traffic by protocol Logins/logouts Accesses of admin accounts DHCP address management DNS requests Amount of log data/day Number of processes running 17

18 Baselining II Compare against baseline Anomaly detection detecting things you haven t seen before Thresholding identifying data that exceed a given baseline Windowing detecting events within a given time period 18

19 Log parsing tools swatch logwatch 19

20 swatch lab Examine man page man swatch Copy sample rule cp /usr/local/lab/swatch/sample.swatchrc ~lab/.swatchrc Examine sample rule Start swatch sudo /usr/local/bin/swatch -c ~lab/.swatchrc Trigger swatch Start a new terminal window logger Hello, World! Experiment with different rules 20

21 log parsing lab Examine man page man logwatch Examine config and service files System-wide /usr/share/logwatch/default.conf/logwatch.conf /usr/share/logwatch/scripts/services Locally-configured /etc/logwatch/conf/logwatch.conf /etc/logwatch/scripts/services Perform log parse /usr/sbin/logwatch [--service sendmail] [-- range all] [--archives] 21

22 Maintaining log files Log files expand to fill available space Control by rotation switch over to a new log file periodically overwrite oldest log file logrotate needs logging facility s cooperation /sbin/killall -HUP facility copytruncate man logrotate /etc/logrotate.conf /etc/logrotate.d/ 22

23 log analysis lab Enable httpd sudo service httpd start Install LogAnalyzer (1) cd; cp /usr/local/lab/loganalyzer/ loganalyzer tar.gz. tar zxf loganalyzer tar.gz cd loganalyzer less Install 23

24 log analysis lab Install LogAnalyzer (2) sudo cp -r src/* /var/www/html sudo touch /var/www/html/config.php sudo chmod 666 /var/www/html/config.php sudo chcon -hr -t httpd_sys_script_rw_t /var/www/html Install LogAnalyzer (3) sudo setfacl -m u:apache:r /var/log/messages cp /usr/local/lab/loganalyzer/lpspol_log.te. checkmodule -M -m -o lpspol_log.mod lpspol_log.te semodule_package -o lpspol_log.pp -m lpspol_log.mod sudo semodule -i lpspol_log.pp 24

25 log analysis lab Install LogAnalyzer (4) Browse to Click the word here in the Critical Error Notice Accept all defaults except: Step 7 Set Syslog file to /var/log/messages Install LogAnalyzer (5) sudo chmod 644 /var/www/html/config.php sudo restorecon -R /var/www/html Run LogAnalyzer! Browse to When done with lab: sudo setfacl -b /var/log/messages 25

26 References Abe Singer and Tina Bird, Building a Logging Infrastructure, USENIX Association, ISBN , The SANS 2007 Log Management Market Report (accessed April 2010) Common Event Expression (Anton Chuvakin, cee@mitre.org) (accessed April 2010) Karen Kant and Murugiah Souppaya, Guide to Computer Security Log Management," NIST Publication , September LogAnalyzer Documentation, (accessed December 2010)