The detailed content and format of the http log files is discussed in Apache s web pages starting at:

Size: px

Start display at page:

Download "The detailed content and format of the http log files is discussed in Apache s web pages starting at:"

Austen Marsh
5 years ago
Views:

1 02345: Data Security Lab 5: Auditing Bo Holst-Christensen Autumn 2007 This lab gives you the opportunity to try out some of the techniques which are available for checking for undesired activity in a computer system. The task requires you to do some detective work on some Unix systems in a DMZ, in order to determine whether undesired activity appears to have taken place and to find out (as far as possible) what has happened. You are required to hand in a report giving a short description of the results which you obtain. Note that all log files have been anonymized, removing any real information about the site where the logs orginate, and that the log files have been preprocessed removing most - but not all - of the irrelevant information. The lab consists of two parts, each of which relates to auditing: 1. Manual audit of service 2. Manual audit of site The log files used for this lab can be downloaded from CampusNet. These are at least in principle plain text files. The reason it is only in principle is that the files may contain unusual control sequences sent of by hackers as part of their attempt to break into the system. The detailed content and format of the http log files is discussed in Apache s web pages starting at: The log formats used are: defaults.log: "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" access.log: "%h %l %u %t \"%r\" %>s %b" The error logs in follows a standard format (see the Web page referred to above), and is not controlled by configuration directives. The level of the error log is set to warn.

2 1. Manual audit of service A manual audit of a service is performed by manually going through the service logs for a longer time period with the purpose of evaluating the service security, detecting unknown attacks and determining if new security mechanisms should be implemented. In this case we have a site running two HTTP servers, and we would like to do an audit on the following files on the hosts, placed in the directory /var/log/httpd/: File /var/log/httpd/access_log /var/log/httpd/error_log /var/log/httpd/default.log Content Attempts to access web server not sent to a domain specific log file Errors in attempts to access web server. Attempts to access the www server sent to the host domain name and not a WWW domain. The two hosts to be audited are: IP address Domain name Function host1.org.not Primary WWW server host4.org.not Secondary WWW server On each host a number of domains, such as are hosted where each domain generates its own log and error files. For this audit we will only look at the logs for accesses directly to the hosts IP addresses or host domain name. As such accesses in most cases give no meaning, all lines in the log files can be seen as a security incident. The problem is to determine if a reaction to the incident is needed. The log files for the two hosts cover several years. The two hosts are running different hardened Unix based systems, and have different logging rules: For the primary server the information in the access_log file has been kept since the service was set into production, while the information in the two other files are kept since the last audit, in this case January 27 th For the secondary server the information in the default.log file has been kept since the service was set into production, while the information in the two other files times out after a few weeks. For the secondary host the access and error logs are therefore only available for November 11th The political reasons for this procedure isn t relevant for the audit.

3 You should try to explain in as much detail as possible about the potential security incidents on October 27th 2007 and September 2nd 2007 on both hosts. Furthermore you should determine if at least one attacker has attacked both hosts on the same day, and give date and originating IP number of that attack. You should also determine if at least one buffer overrun attempt has been made on each of the two hosts, and in that case determine if the implemented security mechanisms on the two hosts were sufficient to counter the attacks. In all cases you should give arguments for why and how you have come to your conclusions. On the primary host something extraordinary happened in July and August Please explain in as much detail as possible what resulted in the unusual log entries. Since the log files are rather repetitive, you do not need to explain each individual line in both the logs, but should concentrate on the main types of entry and their significance for the security of the server. You are encouraged to look on the Web and in any other sources which you can get access to in order to discover suitable explanations.

4 2. Manual audit of site A manual audit of a site is performed by manually going through the logs for a shorter time period with the purpose of evaluating the site security, detecting unknown attacks and determining if new security mechanisms should be implemented. In this case we have a site running four hosts in a DMZ, and we would like to do an audit on the following files on the hosts, placed in the directory /var/log/: File /var/log/messages /var/log/secure /var/log/auditor.log /var/log/ids.log /var/log/auth.log /var/log/ftp.log /var/log/xferlog /var/log/smtpd.log /var/log/httpd/access log /var/log/httpd/error log /var/log/httpd/default.log Content Start and stop of logging, messages about attempts to login and logout, attempt to elevate access level. Security-related messages, such as attempts to use secure login, possible security failures etc. IDS triggers. IDS reactions. Authentication of ssh attempts. Attempts to access ftp server Files moved via ftp server SMTP errors & warnings. Attempts to access web server not sent to a domain specific log file Errors in attempts to access web server. Attempts to access the www server sent to the host domain name and not a WWW domain. The essential components on the DMZ are: IP address Domain name Function inner firewall sysadmin firewall /29 subnet used for net monitoring host1.org.not Primary WWW server Primary FTP server host2.org.not IDS director host3.org.not Secondary mail gateway Network monitor (subnet) host4.org.not Secondary WWW server Secondary FTP server Primary mail gateway All 4 hosts are running IDS agents and local filtering firewalls. Mail logs handled by filtering software in gateways. Logs originating in inner, outer and sysadmin firewalls, and other hosts or services not mentioned above are excluded from this audit.

5 As the different hosts runs different services, the different hosts only have some of the mentioned log files, and in some situation some of the log files could be empty, as there may not have been any relevant incidents to log on that date. Also the same information may be shown in several of the log files, as both monitors and agents generate logs. The network monitor places its findings in the secure log on host3. The IDS will automatically change the security rules on all hosts as a result of the detected attack attempts. These rules are evaluated manually and if needed corrected at regular intervals. You should try to explain in as much detail as possible about the potential security incidents on November 11th 2007 on all hosts and the subnet being monitored by host3. Furthermore you should determine all potential attacks on the hosts, and for each attack argument if the attack has been attempted on more than 1 host. Note that the attack could be distributed, so the originating IP of the attack may not be the same on all hosts. You should also give an assessment of efficiency of the implemented security mechanisms. In all cases you should give arguments for why and how you have come to your conclusions. Since the log files are rather repetitive, you do not need to explain each individual line in both the logs, but should concentrate on the main types of entry and their significance for the security of the server. You are encouraged to look on the Web and in any other sources which you can get access to in order to discover suitable explanations. 3. Laboratory Work In order to complete the analysis of log files you need to be able to extract information from the text files. The Unix commands grep and wc may be helpful for this purpose. 4 Reporting your results You should present your analysis of what has happened at the site in the two cases described above in a short report. The report should be handed in (i.e. placed in one of the "letter boxes" for course in the entrance to B.322) before on Monday December 3rd 2007.

Example. Section: PS 709 Examples of Calculations of Reduced Hours of Work Last Revised: February 2017 Last Reviewed: February 2017 Next Review:

Example. Section: PS 709 Examples of Calculations of Reduced Hours of Work Last Revised: February 2017 Last Reviewed: February 2017 Next Review: Following are three examples of calculations for MCP employees (undefined hours of work) and three examples for MCP office employees. Examples use the data from the table below. For your calculations use