Linux system security Log analysis case

Source: Internet
Author: User

Once the server has been installed and given the basic settings described earlier, it should be reasonably secure. But there will always be intruders who exploit an administrator's negligence to get into the system in one way or another. Their actions are recorded in the system logs; even though they may alter log entries, or replace system commands with their own programs, the logs usually still hold some clues. This article covers system accounting and system log management in a Linux environment, and some tools that make managing log information more convenient and efficient.

1 System Accounting

System accounting was originally developed to track user resource consumption so that costs could be charged to user accounts. It can now be used for security purposes as well, since it provides valuable information about the various activities that occur on the system.

System accounting falls into two main categories:

1) Connection Accounting

Connection accounting tracks current user sessions, logins and logouts. On Linux it is handled by the utmp (current sessions) and wtmp (login/logout history) records; wtmp also keeps reboot and run-level change information. These records are updated by the login-related programs themselves, so no dedicated background process is needed. However, the utmp and wtmp files must exist: if they do not, connection accounting is effectively switched off. The data are kept in /var/run/utmp and /var/log/wtmp respectively. Both files are owned by root, and their binary records are not directly readable, but there are tools that convert them into a readable form.

dump-utmp converts connection accounting data into readable ASCII.

The ac command gives approximate statistics about user connections; its useful flags are -d and -p. Flag -d shows the total connect time per day, and -p shows the connect time per user. These statistics help in understanding user activity in connection with intrusion detection. last and who are the commands most commonly used for security purposes.

The last command lists each user's login time, logout time, login location, system reboots and run-level changes. last -10 limits the output to the 10 most recent entries. By default, last lists every session and run-level change recorded in /var/log/wtmp. From a security perspective, last provides a quick view of the connection activity on a particular system. It is good practice to review the day's output and pick out unusual entries. The -x option of last also reports system shutdowns and run-level changes.

The who command mainly reports the users currently logged on: the login device, the hostname of the telnet client or the X display in use, the session idle time, and whether the session accepts write or talk messages.

For example, the output of who -iwH:

# who -iwH
USER    MESG  LINE  LOGIN-TIME    IDLE  FROM
denny   -     tty1  Feb 18 08:42  old
This means that user denny does not accept write or talk messages, and logged in on tty1 on February 18 at 08:42. The security value of this command is that it gives a general picture of user connections, which in turn helps in monitoring for suspicious activity. A related command is lastlog, which reports each user's last login as recorded in /var/log/lastlog.

2) Process Accounting

Process accounting records process activity. The raw data is kept in /var/log/pacct, with permissions 600; the existence of this file is what enables process accounting. Unlike connection accounting, process accounting must be explicitly switched on, with the following command:

# accton /var/log/pacct
You can use a different file instead of /var/log/pacct, but you must remember which file it is and set appropriate permissions on it. The command has to be run at every boot, so you can put the following script into /etc/rc.d/rc.local:

# Initiate process accounting if the accton binary is present
if [ -x /sbin/accton ]
then
    /sbin/accton /var/log/pacct
    echo "Process accounting initiated"
fi
Once process accounting is running, three commands interpret the raw data in /var/log/pacct into a user-readable form: dump-acct, which works like dump-utmp; sa, which summarises the process accounting data; and lastcomm, which lists the commands the system has executed.

1 sa command

Like ac, sa is a statistics command. It gives a rough picture of how each user or each command is used and reports the system resources consumed. To a large extent sa is a billing command, but it is useful for singling out particular users, and especially for spotting suspicious commands run by those users. Because it produces a large amount of output, scripts or programs are usually needed to filter it.

To restrict the output to a single user, you can use a command like this:

# sa -u | grep joe
joe   0.00 cpu  bash
joe   0.00 cpu  ls
joe   0.01 cpu  ls
joe   0.01 cpu  lastcomm
joe   0.01 cpu  tcpdump
joe   0.01 cpu  reboot
The output columns, from left to right, are: user name, CPU time in seconds, and command (truncated to 16 characters).

2 lastcomm command

Unlike sa, lastcomm prints one line per command executed, together with the time stamp of each execution. In this respect lastcomm is more useful than sa for security work.

lastcomm takes a command name, user name or terminal name as its argument and uses it to query the process accounting database. The output of lastcomm joe is shown below; each line represents one command execution, giving from left to right the command, the user, the terminal, the CPU time used, and the date and time the command was executed.

# lastcomm joe
reboot      joe   ttyp1   0.01 secs Fri Feb 26 18:40
tcpdump     joe   ttyp1   0.01 secs Fri Feb 26 18:39
lastcomm    joe   ttyp1   0.01 secs Fri Feb 26 18:32
ls          joe   ttyp1   0.01 secs Fri Feb 26 18:30
ls          joe   ttyp1   0.00 secs Fri Feb 26 18:28
bash        joe   ttyp1   0.00 secs Fri Feb 26 18:25

If the system has been compromised, do not blindly trust the information recorded in lastlog, utmp, wtmp and pacct, since it may have been modified; but do not ignore it either. It is also possible that someone has replaced the who program in order to deceive the administrator.

In general, process accounting is most effective once some suspicious activity has already been identified: lastcomm can then isolate one user's activity, or the commands executed at a specific time. But it only works if process accounting was switched on beforehand.
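As an added example (not part of the original article), the following Python script parses lastcomm output like the listing above and applies the two checks just described: isolating watch-listed commands and the commands run in a given time window. The sample lines and the watch-list are constructed for illustration; the optional flags column is assumed to use lastcomm's S/F/D/X letters and user names are assumed to be lower-case.

```python
import re

# Constructed sample of `lastcomm` output modelled on the article's example;
# not captured from a real system.  Real output may carry a flags column
# between command and user: S = superuser, F = forked without exec,
# D = dumped core, X = killed by a signal.
SAMPLE = """\
reboot        joe   ttyp1  0.01 secs Fri Feb 26 18:40
tcpdump       joe   ttyp1  0.01 secs Fri Feb 26 18:39
lastcomm      joe   ttyp1  0.01 secs Fri Feb 26 18:32
ls            joe   ttyp1  0.01 secs Fri Feb 26 18:30
ls            joe   ttyp1  0.00 secs Fri Feb 26 18:28
sh         F  joe   ttyp1  0.00 secs Fri Feb 26 18:26
bash          joe   ttyp1  0.00 secs Fri Feb 26 18:25
"""

# Assumes lower-case user names, so an upper-case flags token is unambiguous.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?:(?P<flags>[SFDX]+)\s+)?(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<cpu>[\d.]+) secs\s+(?P<when>\w{3} \w{3} +\d+ \d\d:\d\d)$")

# Hypothetical watch-list: commands an ordinary account rarely needs.
WATCH = {"tcpdump", "reboot", "accton"}


def parse_lastcomm(text):
    """Turn lastcomm lines into dicts; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            r = m.groupdict()
            r["cpu"] = float(r["cpu"])
            r["flags"] = r["flags"] or ""
            records.append(r)
    return records


def watched(records, watch=WATCH):
    """(user, command, time) for every execution of a watch-listed command."""
    return [(r["user"], r["cmd"], r["when"]) for r in records if r["cmd"] in watch]


def run_between(records, start, end):
    """Records executed in the HH:MM window [start, end]; zero-padded
    times compare correctly as strings."""
    return [r for r in records if start <= r["when"][-5:] <= end]
```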

Basically, /var/log/pacct, /var/run/utmp and /var/log/wtmp are dynamic database files, and /var/log/pacct and /var/log/wtmp grow as entries are added. Because they grow continuously, they can become very large.

This problem can be solved with a program called logrotate, which reads the configuration file /etc/logrotate.conf; that file in turn tells logrotate to read the files in the /etc/logrotate.d directory. It can be used to set the rotation period of each log file.

2 System Log

Linux uses a variety of log files. Some serve a special purpose, such as /var/log/xferlog, which records File Transfer Protocol (FTP) activity. Others, such as /var/log/messages, typically contain entries from many system and kernel tools. These log files provide information about the security status of the system.

We mainly explain the two log daemons, syslogd and klogd, and briefly describe the other log files generated by the Linux operating system. The goal is to provide a basic configuration.

2.1 Syslog System Log Tool

The syslog tool is used on most Linux systems and is flexible enough to let the system take different actions for different log entries. The following discusses in detail how syslog works and how it is configured in /etc/syslog.conf, and looks at various ways to make use of syslog's flexibility and functionality.

1) Overview

Very simply, the syslog tool consists of a daemon, syslogd. It accepts log messages from the system and handles them according to the instructions in the /etc/syslog.conf configuration file. Programs, daemons and the kernel all submit log messages to it; any program that wants to produce log messages can do so through the syslog library call.

Typically, syslog accepts messages from the various facilities of the system, and each message carries a priority level. /etc/syslog.conf tells syslogd how to handle messages based on their facility and priority.

2) /etc/syslog.conf

Entries in /etc/syslog.conf have the following form:

facility.level	action
Blank lines and lines beginning with # are ignored. The facility.level field is also called the selector. One or more tabs should separate the selector from the action; most Linux versions also accept spaces as the delimiter. Now let us look at the three elements of an /etc/syslog.conf entry.

facility specifies the syslog facility, mainly one of the following:

auth              authentication activity, as reported by pam_pwdb
authpriv          authentication activity that includes privileged information, such as user names
cron              messages from cron and at
daemon            messages from daemons such as inetd
kern              kernel messages, passed through klogd first
lpr               messages from the print service
mail              mail-related messages
mark              syslog's internal facility for generating timestamps
news              messages from the news server
syslog            messages generated by syslog itself
user              messages generated by user programs
uucp              messages generated by UUCP
local0 - local7   for use with custom programs, for example using local5 for SSH
*                 wildcard for all facilities except mark
level: each facility's messages carry a priority, and the priorities are ordered: emerg is the highest, followed by alert, and so on. By default, the level given in an /etc/syslog.conf entry matches that level and all higher levels. To select a specific level, two operators are available: ! (exclude) and = (exactly this level). For example:

user.=info

tells syslogd to log messages from the user facility only at exactly the info level.

The syslog levels are as follows:

emerg or panic   the system is unusable
alert            a condition that must be corrected immediately
crit             an error condition that stops certain tools or subsystem features from working
err              an error condition that blocks part of a tool's or subsystem's functionality
warning          warning messages
notice           normal but significant conditions
info             informational messages
debug            other messages that do not indicate a functional condition or problem
none             no level; used to exclude a facility's messages from an entry
*                all levels except none
action: the action field offers considerable flexibility; in particular, a named pipe can be used to pass messages from syslogd to a post-processing program.

syslog mainly supports the following actions:

file                  an absolute path to a regular file
terminal or printer   the full path of a serial or parallel device
@host                 a remote log server
username              send the message to the named user with write
named pipe            an absolute path to a FIFO created with the mkfifo command
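To make the selector rules concrete, here is an added Python model (not from the article or from sysklogd itself) that evaluates facility.level selectors with the default "this level and higher" semantics, the = and ! operators, none, and the * wildcard, then resolves which actions in a small constructed /etc/syslog.conf fragment a given message would reach. The accumulation order, where later rules add to or remove from what earlier rules selected for the same facility, follows sysklogd's documented behaviour; the sample configuration is constructed for illustration.

```python
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"} | {f"local{i}" for i in range(8)}

def build_masks(selector):
    """{facility: set of levels logged} for a selector like '*.info;mail.none'.
    Rules apply left to right and accumulate: 'level' adds that level and all
    higher ones, '=level' adds exactly that level, a leading '!' removes
    instead of adds, and 'none' clears the facility."""
    masks = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        facs, _, lvl = part.partition(".")
        ignore, exact = lvl.startswith("!"), "=" in lvl
        lvl = ALIASES.get(lvl.lstrip("!="), lvl.lstrip("!="))
        if lvl == "none":          # clearing a facility == ignoring every level
            ignore, chosen = True, set(LEVELS)
        elif lvl == "*":
            chosen = set(LEVELS)
        elif exact:
            chosen = {lvl}
        else:
            chosen = set(LEVELS[LEVELS.index(lvl):])  # this level and higher
        # a '*' facility means every facility except mark, as in the table above
        for fac in FACILITIES - {"mark"} if facs == "*" else facs.split(","):
            (masks[fac].difference_update if ignore else masks[fac].update)(chosen)
    return masks

def logged(masks, facility, priority):
    return ALIASES.get(priority, priority) in masks[facility]

def parse_conf(text):
    """[(masks, action)] per entry; blank and '#' lines are skipped."""
    entries = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            selector, action = line.split(None, 1)   # tabs or spaces
            entries.append((build_masks(selector), action.strip()))
    return entries

# Constructed sample configuration, not taken from the article.
SAMPLE_CONF = """\
*.info;mail.none;authpriv.none\t/var/log/messages
authpriv.*\t/var/log/secure
kern.=info\t/var/log/kern-info
*.emerg\t*
"""

def destinations(conf_text, facility, priority):
    """Actions that receive a message with this facility and priority."""
    return [a for m, a in parse_conf(conf_text) if logged(m, facility, priority)]
```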

3) Invoking the syslogd daemon

The syslog daemon is started by the /etc/rc.d/init.d/syslog script at run level 2, without options by default. But two options, -r and -h, are useful.

If you intend to run a log server, you must start syslogd with -r. By default, syslogd does not accept messages from remote systems; with -r, it listens for incoming UDP packets on port 514.

If you also want the log server to forward log messages, use the -h flag. By default, syslogd ignores /etc/syslog.conf entries that would forward messages received from one remote system on to another.

4) klogd daemon

The klogd daemon obtains and records Linux kernel messages. Normally syslogd records everything it receives from klogd, but if klogd is started with -f filename, it writes all messages to filename instead of passing them to syslogd. When a separate file is specified, klogd writes messages of every level to it; klogd has no configuration file comparable to /etc/syslog.conf. The advantage of logging through klogd rather than syslogd is that a large number of kernel errors can be found in one place; if someone tampers with the kernel, klogd is where the resulting errors are recorded.

5) Other logs

Additional log files are found in /var/log; they vary between system versions and with the applications you configure. /etc/syslog.conf lists all the log files managed by syslogd; other logs are managed by the applications themselves. For example, on Red Hat 6.2 the Apache server writes /var/log/htmlaccess.log to record client access and /var/log/httpd/error.log for errors, outside of syslog.

The cron tool maintains its own log file, /var/log/cron. When the Linuxconf tool records system reconfiguration information, a log file such as /var/log/nerconf.log is generated. Samba keeps its logs in /var/log/samba.

In addition, because syslogd may drop messages when the system is very busy, syslog can be replaced with cyclog.
