Fundamentals of Linux Platform Security. Fundamentals of Linux Platform Security. Roadmap. Security Training Course. Module 5 Logging Infrastructures

(1)

Fundamentals of

Linux Platform Security

Security Training Course

Dr. Charles J. Antonelli

The University of Michigan

2012

Fundamentals of

Linux Platform Security

Module 5

Logging Infrastructures

Roadmap

• Motivation

• Challenges

• Syslog

• Centralized Logging

(2)

Motivation

• Administration & debugging

• Detect & analyze security & performance

incidents

• Auditing

• Regulatory requirements



HIPAA, SOX, PCI, GLBA, …

4

10/12 cja 2012

Example

Jan 02 16:19:45 host.example.com rpc.statd[351]: gethostbyname

error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff750 8 0 4 9 7 1 0 9 0 9 0 9 0 9 0 6 8 7 4 6 5 6 7 6 2 7 4 7 3 6 f 6 d 6 1 6 e 7 9 7 2 6 5 2 0 6 5 2 0 7 2 6 f 7 2 2 0 7 2 6 f 6 6 b f f f f 7 1 8 bffff719 bffff71a b f f f f 7 1 b _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ! _ _ ! _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 5 10/12 cja 2012

Challenges

• Log generation & storage

• Log CIA

(3)

CEE - Coming soon?

Common Event Expression

• Standardizes the way computer events are described,

logged, and exchanged

 Create an event expression taxonomy for uniform and precise log definitions that lead to a common event representation.  Create logging syntax utilizing a single data dictionary to

provide consistent event specific details.

 Standardize flexible event transport mechanisms to support multiple environments.

 Propose log recommendations for the events and attributes devices generate.

• http://cee.mitre.org/language/1.0-beta1/overview.html

• (August, 2012)

7 10/12 cja 2012

syslog

• UNIX/Linux logging daemon



facility (origin) & priority (importance)



log entry accepted by daemon



logged according to config file

• Windows third-party tools



Windows event log -> syslog



http://www.eventreporter.com/



http://www.winagents.com/



syslog -> Windows



http://www.winsyslog.com/en/

8 10/12 cja 2012

syslog

• LogAnalyzer (née phpLogCon)

 Front end for searching, reviewing and analyzing event data  Data sources

 syslog, rsyslog, WinSyslog log files  MySQL databases

(4)

syslog

• Splunk

 Indexes log file data, also config files, arbitrary script output  Data sources

 syslog, rsyslog, WinSyslog log files  Config files

 Arbitrary script outputs  Multiple instances  Indexes data

 Free for indexing up to 500 MB/day  Data display

 GUI controls: scroll, search, tooltip, …  http://www.splunk.com/

10

10/12 cja 2012

rsyslog

• The reliable & extended Linux logging daemon

• Upward-compatible with syslogd



Provides reliable remote logging



TCP – ubiquitous, uses reliable connection



RELP- queues locally until loghost accessible

• man rsyslogd

• man 5 rsyslog.conf

• /etc/rsyslog.conf

11

10/12 cja 2012

rsyslog basic lab

• Edit log destination

 sudo vi /etc/rsyslog.conf



Add line under RULES section

*.debug,mark.debug /var/log/fulllog

• Tell syslog to re-read config file

 sudo service rsyslog restart

• Test the syslog

(5)

centralized logging lab

• Your instructor will provide the identity of a

central logging host



pst.merit.edu

• Edit local /etc/rsyslog.conf



Add forwarding rule with remote host

. @pst.merit.edu

• Tell local syslog to re-read config file



sudo service rsyslog restart

• Test with logger

13 10/12 cja 2012

Relay Architecture

14 10/12 cja 2012

Log Reduction

• Make three piles



ignore – don’t want to see these, ever



baseline – aren’t likely to contain time-critical

security information

(6)

Log Reduction

• A simple first step



cut -f5- -d\ /var/log/fulllog | sed -e s/[0-9]

[0-9]*/###/g | sort | uniq -c | sort -nr

• Use script in /usr/local/lab/syslog/reduce

16

10/12 cja 2012

Baselining I

• Construct a baseline



Measure set of known data to compute range of

normal values



Examples



Network traffic by protocol



Logins/logouts



Accesses of admin accounts



DHCP address management



DNS requests



Amount of log data/day



Number of processes running

17

10/12 cja 2012

Baselining II

• Compare against baseline



Anomaly detection



detecting things you haven t seen before



Thresholding



identifying data that exceed a given baseline



Windowing

(7)

Log parsing tools

• swatch

• logwatch

19 10/12 cja 2012

swatch lab

• Examine man page

 man swatch

• Copy sample rule

 cp /usr/local/lab/swatch/sample.swatchrc ~lab/.swatchrc

 Examine sample rule

• Start swatch

 sudo /usr/local/bin/swatch -c ~lab/.swatchrc

• Trigger swatch

 Start a new terminal window  logger Hello, World!

• Experiment with different rules

20

10/12 cja 2012

log parsing lab

• Examine man page



man logwatch

• Examine config and service files



System-wide

(8)

Maintaining log files

• Log files expand to fill available space

• Control by

rotation

 switch over to a new log file periodically  overwrite oldest log file

• logrotate

 needs logging facility s cooperation  /sbin/killall -HUP facility  copytruncate

• man logrotate

• /etc/logrotate.conf

• /etc/logrotate.d/

22 10/12 cja 2012

log analysis lab

• Enable httpd

 sudo service httpd start

• Install LogAnalyzer (1)

 cd; cp /usr/local/lab/loganalyzer/ loganalyzer-3.4.5.tar.gz .  tar zxf loganalyzer-3.4.5.tar.gz  cd loganalyzer-3.4.5  less Install 23 10/12 cja 2012

log analysis lab

• Install LogAnalyzer (2)

 sudo cp -r src/* /var/www/html  sudo touch /var/www/html/config.php  sudo chmod 666 /var/www/html/config.php

 sudo chcon -hR -t httpd_sys_script_rw_t /var/www/html

• Install LogAnalyzer (3)

 sudo setfacl -m u:apache:r /var/log/messages  cp /usr/local/lab/loganalyzer/lpspol_log.te .  checkmodule -M -m -o lpspol_log.mod lpspol_log.te  semodule_package -o lpspol_log.pp -m lpspol_log.mod  sudo semodule -i lpspol_log.pp

(9)

log analysis lab

• Install LogAnalyzer (4)

 Browse to http://localhost/

 Click the word “here” in the Critical Error Notice  Accept all defaults except:

 Step 7 – Set Syslog file to /var/log/messages

• Install LogAnalyzer (5)

 sudo chmod 644 /var/www/html/config.php  sudo restorecon -R /var/www/html

• Run LogAnalyzer!

 Browse to http://localhost/

• When done with lab:

 sudo setfacl -b /var/log/messages

25

10/12 cja 2012

References

•  Abe Singer and Tina Bird, Building a Logging Infrastructure, USENIX Association, ISBN 1-931971-25-0,

2004.

•  The SANS 2007 Log Management Market Report

http://www.sans.org/reading_room/analysts_program/LogMgt_June07.pdf (accessed April 2010)

•  Common Event Expression (Anton Chuvakin, cee@mitre.org)

http://cee.mitre.org/docs/Common_Event_Expression_White_Paper_June_2008.pdf (accessed April 2010)

•  Karen Kant and Murugiah Souppaya,

Guide to Computer Security Log Management," NIST Publication 800-92, September 2006.

•  LogAnalyzer Documentation, http://loganalyzer.adiscon.com/doc/manual.html (accessed December 2010).

•  http://loganalyzer.adiscon.com/

•  http://www.splunk.com/

26