Fundamentals of
Linux Platform Security
Security Training Course
Dr. Charles J. Antonelli
The University of Michigan
2012
Module 5
Logging Infrastructures
Roadmap
• Motivation
• Challenges
• Syslog
• Centralized Logging
Motivation
• Administration & debugging
• Detect & analyze security & performance incidents
• Auditing
• Regulatory requirements
  HIPAA, SOX, PCI, GLBA, …
10/12 cja 2012
Example
Jan 02 16:19:45 host.example.com rpc.statd[351]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff750 8 0 4 9 7 1 0 9 0 9 0 9 0 9 0 6 8 7 4 6 5 6 7 6 2 7 4 7 3 6 f 6 d 6 1 6 e 7 9 7 2 6 5 2 0 6 5 2 0 7 2 6 f 7 2 2 0 7 2 6 f 6 b f f f f 7 1 8 bffff719 bffff71a b f f f f 7 1 b [followed by a long run of unprintable bytes, rendered as "_" on the slide]
Challenges
• Log generation & storage
• Log CIA (confidentiality, integrity, availability)
CEE - Coming soon?
Common Event Expression
• Standardizes the way computer events are described, logged, and exchanged
  Create an event expression taxonomy for uniform and precise log definitions that lead to a common event representation.
  Create logging syntax utilizing a single data dictionary to provide consistent event-specific details.
  Standardize flexible event transport mechanisms to support multiple environments.
  Propose log recommendations for the events and attributes devices generate.
• http://cee.mitre.org/language/1.0-beta1/overview.html (August, 2012)
syslog
• UNIX/Linux logging daemon
  facility (origin) & priority (importance)
  log entry accepted by daemon
  logged according to config file
• Windows third-party tools
  Windows event log -> syslog
    http://www.eventreporter.com/
    http://www.winagents.com/
  syslog -> Windows
    http://www.winsyslog.com/en/
syslog
• LogAnalyzer (née phpLogCon)
  Front end for searching, reviewing and analyzing event data
  Data sources: syslog, rsyslog, WinSyslog log files; MySQL databases
syslog
• Splunk
  Indexes log file data, also config files, arbitrary script output
  Data sources: syslog, rsyslog, WinSyslog log files; config files; arbitrary script outputs; multiple instances
  Indexes data; free for indexing up to 500 MB/day
  Data display: GUI controls: scroll, search, tooltip, …
  http://www.splunk.com/
rsyslog
• The reliable & extended Linux logging daemon
• Upward-compatible with syslogd
  Provides reliable remote logging
    TCP – ubiquitous, uses reliable connection
    RELP – queues locally until loghost accessible
• man rsyslogd
• man 5 rsyslog.conf
• /etc/rsyslog.conf
rsyslog basic lab
• Edit log destination
  sudo vi /etc/rsyslog.conf
  Add line under RULES section
  *.debug,mark.debug /var/log/fulllog
• Tell syslog to re-read config file
  sudo service rsyslog restart
• Test the syslog
centralized logging lab
• Your instructor will provide the identity of a central logging host
  pst.merit.edu
• Edit local /etc/rsyslog.conf
  Add forwarding rule with remote host
  *.* @pst.merit.edu
• Tell local syslog to re-read config file
  sudo service rsyslog restart
• Test with logger
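Added example, not part of the course slides: the UDP forwarding rule the lab adds, beside the TCP and RELP forms that the rsyslog slide names, and the matching receiver directives for the loghost. It uses the lab's loghost name pst.merit.edu; the ports (514 for syslog over TCP, 2514 for RELP), the work directory and the queue file name are assumptions, and the directives are rsyslog's legacy (dollar-sign) syntax as used in the lab's /etc/rsyslog.conf.

```conf
# --- client side: /etc/rsyslog.conf on the host being monitored ---
# Use ONE of the three forwarding rules below; all three together would
# send every message three times.

# The lab's rule: everything over UDP. No delivery guarantee and no
# feedback to the sender when the loghost is unreachable.
*.* @pst.merit.edu

# Same rule over TCP (double @): a connection-oriented transport, so the
# sender notices a dead loghost, but nothing is kept if the sender stops
# while the connection is down.
*.* @@pst.merit.edu:514

# RELP with a disk-assisted action queue: messages are spooled under
# $WorkDirectory until the loghost is reachable again, and retries never
# give up. (Work directory, queue file name "relpq" and port 2514 assumed.)
$ModLoad omrelp
$WorkDirectory /var/lib/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName relpq
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.* :omrelp:pst.merit.edu:2514

# --- server side: /etc/rsyslog.conf on the loghost ---
# Listeners matching the TCP and RELP senders above.
$ModLoad imtcp
$InputTCPServerRun 514
$ModLoad imrelp
$InputRELPServerRun 2514
```

After editing either side, restart the daemon as the lab does (sudo service rsyslog restart) and send a test message with logger; on the loghost it should appear in whatever file the loghost's own rules select for that facility and priority.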
Relay Architecture
Log Reduction
• Make three piles
  ignore – don't want to see these, ever
  baseline – aren't likely to contain time-critical security information
Log Reduction
• A simple first step
  cut -f5- -d' ' /var/log/fulllog | sed -e 's/[0-9][0-9]*/###/g' | sort | uniq -c | sort -nr
• Use script in /usr/local/lab/syslog/reduce
Baselining I
• Construct a baseline
  Measure set of known data to compute range of normal values
  Examples
    Network traffic by protocol
    Logins/logouts
    Accesses of admin accounts
    DHCP address management
    DNS requests
    Amount of log data/day
    Number of processes running
Baselining II
• Compare against baseline
  Anomaly detection – detecting things you haven't seen before
  Thresholding – identifying data that exceed a given baseline
  Windowing
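Added example, not from the course slides: the reduction pipeline from the Log Reduction slide wrapped in a function, then the two comparisons the Baselining II slide names (anomaly detection and thresholding) built on top of it. Both input files are constructed samples, not real logs: "baseline" stands for a measured normal day, "today" for the log being checked. The function names and the threshold factor are this example's own choices.

```shell
#!/bin/sh
# Added example (not the course's reduce script). Two constructed sample
# logs: BASE is the measured "normal" day, TODAY is the log under review.

BASE=$(mktemp)
TODAY=$(mktemp)
trap 'rm -f "$BASE" "$TODAY"' EXIT

cat > "$BASE" <<'EOF'
Jan 02 08:00:01 host.example.com sshd[2001]: Accepted publickey for lab from 10.0.0.5 port 50001 ssh2
Jan 02 09:00:01 host.example.com sshd[2002]: Accepted publickey for lab from 10.0.0.5 port 50002 ssh2
Jan 02 09:00:03 host.example.com sshd[2003]: Failed password for lab from 10.0.0.5 port 50003 ssh2
Jan 02 10:00:01 host.example.com CRON[2010]: (root) CMD (run-parts /etc/cron.hourly)
EOF

cat > "$TODAY" <<'EOF'
Jan 03 08:00:01 host.example.com sshd[3001]: Accepted publickey for lab from 10.0.0.5 port 50101 ssh2
Jan 03 08:00:05 host.example.com sshd[3002]: Failed password for lab from 192.0.2.9 port 50102 ssh2
Jan 03 08:00:06 host.example.com sshd[3003]: Failed password for lab from 192.0.2.9 port 50103 ssh2
Jan 03 08:00:07 host.example.com sshd[3004]: Failed password for lab from 192.0.2.9 port 50104 ssh2
Jan 03 08:00:08 host.example.com sshd[3005]: Failed password for lab from 192.0.2.9 port 50105 ssh2
Jan 03 08:10:00 host.example.com su[3010]: pam_unix(su:session): session opened for user root by lab(uid=1000)
Jan 03 10:00:01 host.example.com CRON[3020]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# reduce_log FILE
# The slide's pipeline: drop timestamp and hostname (fields 1-4 of a
# single-space-separated syslog line), mask every run of digits with ###,
# count identical patterns, most frequent first. Output: "COUNT PATTERN".
reduce_log() {
    cut -f5- -d' ' "$1" | sed -e 's/[0-9][0-9]*/###/g' | sort | uniq -c | sort -nr \
      | sed -e 's/^ *//'
}

# tagged BASE TODAY
# Both reductions on one stream, each line prefixed B or T so awk can tell
# them apart; baseline lines come first.
tagged() {
    reduce_log "$1" | sed -e 's/^/B /'
    reduce_log "$2" | sed -e 's/^/T /'
}

# new_patterns BASE TODAY
# Anomaly detection: patterns seen today that never appeared in the baseline.
new_patterns() {
    tagged "$1" "$2" | awk '
        { src = $1; n = $2 + 0; pat = substr($0, length($1) + length($2) + 3) }
        src == "B" { base[pat] = n }
        src == "T" && !(pat in base) { print pat }'
}

# over_threshold BASE TODAY FACTOR
# Thresholding: known patterns whose count today exceeds FACTOR times their
# baseline count. Output: "COUNT PATTERN".
over_threshold() {
    tagged "$1" "$2" | awk -v factor="$3" '
        { src = $1; n = $2 + 0; pat = substr($0, length($1) + length($2) + 3) }
        src == "B" { base[pat] = n }
        src == "T" && (pat in base) && n > factor * base[pat] { print n " " pat }'
}

# Stand-alone run: the reduction of today's log, then the two reports.
reduce_log "$TODAY"
echo "--- new patterns ---";     new_patterns "$BASE" "$TODAY"
echo "--- over 2x baseline ---"; over_threshold "$BASE" "$TODAY" 2
```

On the sample data the anomaly report is the su-to-root line (never seen in the baseline), and with a factor of 2 the threshold report is the "Failed password" pattern (4 today against 1 in the baseline). Masking digit runs is what makes the two days comparable at all: without it every pid, port and timestamp would be its own pattern. The cut -f5- step assumes single spaces between fields, so a day-of-month padded with a space ("Jan  2") needs an extra normalisation step first.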
Log parsing tools
• swatch
• logwatch
swatch lab
• Examine man page
  man swatch
• Copy sample rule
  cp /usr/local/lab/swatch/sample.swatchrc ~lab/.swatchrc
  Examine sample rule
• Start swatch
  sudo /usr/local/bin/swatch -c ~lab/.swatchrc
• Trigger swatch
  Start a new terminal window
  logger Hello, World!
• Experiment with different rules
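Added example, not the lab's sample.swatchrc: a small rule file in swatch's own syntax to experiment with after the lab. It matches the logger message the slide uses as a trigger; the CRON line is a constructed example of the "ignore" pile from the Log Reduction slide, and the "Failed password" rule is a constructed example of something worth highlighting.

```conf
# ~/.swatchrc (added example, not the course's sample rule file)

# The "ignore" pile: match and discard, so it never reaches the screen.
ignore /CRON\[[0-9]+\]: \(root\) CMD/

# The lab's trigger: "logger Hello, World!" from another terminal.
watchfor /Hello, World/
    echo bold
    bell

# Something worth a second look, highlighted in red.
watchfor /Failed password for/
    echo red
```

Run it exactly as the lab does (sudo /usr/local/bin/swatch -c ~lab/.swatchrc), then send the trigger with logger; the ignore rule is listed first so that matching lines are dropped before the watchfor rules see them.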
log parsing lab
• Examine man page
  man logwatch
• Examine config and service files
  System-wide
Maintaining log files
• Log files expand to fill available space
• Control by rotation
  switch over to a new log file periodically; overwrite oldest log file
• logrotate
  needs logging facility's cooperation: /sbin/killall -HUP facility, or copytruncate
• man logrotate
• /etc/logrotate.conf
• /etc/logrotate.d/
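Added example, not from the slides: a logrotate stanza for the /var/log/fulllog file the basic lab created, showing both ways the slide names of getting the daemon's cooperation, a HUP from a postrotate script and copytruncate. The pid file path /var/run/syslogd.pid is an assumption about the lab system; the rotation schedule and counts are arbitrary.

```conf
# /etc/logrotate.d/fulllog  (added example; pid file path assumed)
# Use one stanza or the other: logrotate rejects two entries for the same file.

# 1. Rotate by renaming, then tell rsyslog to reopen its output file.
#    rsyslog keeps writing to the renamed file until it gets the signal.
/var/log/fulllog {
    weekly
    rotate 4
    compress
    delaycompress
    missingok
    notifempty
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

# 2. copytruncate: copy the file, then truncate the original in place.
#    Needs no cooperation from the writer, but any lines written between
#    the copy and the truncate are lost.
/var/log/fulllog {
    weekly
    rotate 4
    compress
    copytruncate
}
```

The postrotate command is the pid-file form of the slide's /sbin/killall -HUP; delaycompress leaves the newest rotated copy uncompressed so that the daemon can finish writing to it before it is compressed on the next run.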
log analysis lab
• Enable httpd
  sudo service httpd start
• Install LogAnalyzer (1)
  cd
  cp /usr/local/lab/loganalyzer/loganalyzer-3.4.5.tar.gz .
  tar zxf loganalyzer-3.4.5.tar.gz
  cd loganalyzer-3.4.5
  less Install
log analysis lab
• Install LogAnalyzer (2)
  sudo cp -r src/* /var/www/html
  sudo touch /var/www/html/config.php
  sudo chmod 666 /var/www/html/config.php
  (world-writable only while the web installer writes it; step 5 restores 644)
  sudo chcon -hR -t httpd_sys_script_rw_t /var/www/html
• Install LogAnalyzer (3)
  sudo setfacl -m u:apache:r /var/log/messages
  cp /usr/local/lab/loganalyzer/lpspol_log.te .
  checkmodule -M -m -o lpspol_log.mod lpspol_log.te
  semodule_package -o lpspol_log.pp -m lpspol_log.mod
  sudo semodule -i lpspol_log.pp
log analysis lab
• Install LogAnalyzer (4)
  Browse to http://localhost/
  Click the word "here" in the Critical Error Notice
  Accept all defaults except:
    Step 7 – Set Syslog file to /var/log/messages
• Install LogAnalyzer (5)
  sudo chmod 644 /var/www/html/config.php
  sudo restorecon -R /var/www/html
• Run LogAnalyzer!
  Browse to http://localhost/
• When done with lab:
  sudo setfacl -b /var/log/messages
References
• Abe Singer and Tina Bird, Building a Logging Infrastructure, USENIX Association, ISBN 1-931971-25-0, 2004.
• The SANS 2007 Log Management Market Report, http://www.sans.org/reading_room/analysts_program/LogMgt_June07.pdf (accessed April 2010).
• Common Event Expression (Anton Chuvakin, cee@mitre.org), http://cee.mitre.org/docs/Common_Event_Expression_White_Paper_June_2008.pdf (accessed April 2010).
• Karen Kent and Murugiah Souppaya, "Guide to Computer Security Log Management," NIST Special Publication 800-92, September 2006.
• LogAnalyzer Documentation, http://loganalyzer.adiscon.com/doc/manual.html (accessed December 2010).
• http://loganalyzer.adiscon.com/
• http://www.splunk.com/