2007-04-13 10:36:37
Category: LINUX
Reprinted
We will mainly talk about system accounting and system log management in Linux and how to use some tools to manage log information more conveniently and effectively.
After we have installed the Linux server and made some basic settings using the method above, our server should be reasonably safe. However, some hackers can still exploit the system administrator's negligence to intrude into our system in various ways. Every action they take is recorded in the system logs; even though they may be able to alter the log information, or even replace our system's command programs with their own, we can still find clues in the logs. Next we focus on system accounting and system log management in Linux, and on how to use some tools to manage log information more conveniently and effectively.
1. system accounting
System accounting was originally used to track users' consumption of resources so that costs could be charged to their accounts. Now we can use it for security purposes: it provides valuable information about the activities that occur on the system.
There are two types of system accounting:
1) connection accounting
Connection accounting tracks the current user sessions, user logons, and logouts. In Linux, the utmp (current user sessions) and wtmp (logon/logout history) files are used to complete this accounting. The wtmp file also keeps reboot and system status change records. Various programs update and maintain these files, so no special background process or program is required. However, the utmp and wtmp output files must exist; if they do not exist, connection accounting is disabled. The data for utmp and wtmp is stored in /var/run/utmp and /var/log/wtmp respectively. These files are ultimately owned by users. The data in these files is not human-readable, but some tools convert it into a readable form.
The dump-utmp command converts connection accounting data into readable ASCII.
The ac command provides approximate statistics about user connections. We can use ac with the -d and -p flags: -d shows the total connection time for each day, and -p shows the connection time of each user. These statistics help in understanding user information related to intrusion detection and other activities. last and who are the most commonly used commands for security purposes.
The last command provides information about each user's logon time, logout time, and logon location, as well as system shutdowns and run-level changes. last -10 limits the output of last to the most recent 10 entries; without such a limit, last lists every connection and run-level change recorded in /var/log/wtmp. From the security perspective, last provides a quick way to view the connection activity on a specific system. It is a good habit to look at the daily output and catch abnormal entries. The -x option of last also reports system shutdowns and run-level changes.
The who command reports the currently logged-on users, the logon device, the remote logon host name or X Window display value, the idle time of the session, and whether the session accepts write or talk messages.
For example, the output of who -iwH:
    # who -iwH
    USER     MESG  LINE   LOGIN-TIME     IDLE  FROM
    Denny    -     tty1   Feb 18 08:42   old
This means that the user Denny does not accept write or talk messages and logged on from tty1 on June 1. The security value of this command is that it gives a general picture of user connections, which in turn supports monitoring for suspicious activity. Other related commands include lastlog, which reports the last logon data recorded in /var/log/lastlog.
2) process accounting
Process accounting records process activity. The raw data is stored in the file /var/log/pacct with permission 600. The existence of this file is a prerequisite for process accounting. Unlike connection accounting, process accounting must be enabled explicitly; use the following command to turn it on:
    # accton /var/log/pacct
You can use a file of your own choosing instead of /var/log/pacct, but you must remember this file and set appropriate permissions on it. This command must be executed at every boot; you can add the following script to /etc/rc.d/rc.local:
    # initiate process accounting
    if [ -x /sbin/accton ]
    then
        /sbin/accton /var/log/pacct
        echo "process accounting initiated"
    fi
Once process accounting is configured, three commands interpret the non-human-readable raw data in /var/log/pacct: dump-acct, which is similar to dump-utmp; sa, which computes summary information from the process accounting data; and lastcomm, which lists the commands executed on the system.
1 sa command
Like ac, sa is a summary command. It reports general usage information per user or per command and provides information about the consumption of system resources. To a large extent sa is a billing command, but it is very useful for identifying unusual users and, in particular, suspicious commands run by known users. Because the volume of information is large, you will need scripts or programs to filter it.
You can restrict the output to one user with the following command:
    # sa -u | grep joe
    joe     0.00 cpu    bash
    joe     0.00 cpu    ls
    joe     0.01 cpu    ls
    joe     0.01 cpu    lastcomm
    joe     0.01 cpu    tcpdump
    joe     0.01 cpu    reboot
The output columns, from left to right, are: user name, CPU time used (in seconds), and command (truncated to 16 characters).
2 lastcomm command
Unlike sa, lastcomm outputs every command execution separately and prints the timestamp of each one. In this respect lastcomm is more useful for security than sa.
lastcomm takes a command name, user name, or terminal name as argument and queries the process accounting database. The output of lastcomm joe is shown below; each line shows one command execution, from left to right: command, user, terminal, CPU time in seconds, and the date and time of execution.
    # lastcomm joe
    reboot    joe    ttyp1  0.01 secs Fri Feb 26 18:40
    tcpdump   joe    ttyp1  0.01 secs Fri Feb 26 18:39
    lastcomm  joe    ttyp1  0.01 secs Fri Feb 26 18:32
    ls        joe    ttyp1  0.01 secs Fri Feb 26 18:30
    ls        joe    ttyp1  0.00 secs Fri Feb 26 18:28
    bash      joe    ttyp1  0.00 secs Fri Feb 26 18:25
If the system has been compromised, do not fully trust the information recorded in lastlog, utmp, wtmp, or pacct, because it may have been modified; but do not ignore it either. Someone may have replaced the who program to cover their tracks.
Process accounting is generally most effective after suspicious activity has been identified: lastcomm can then be used to isolate a user's activities or the commands executed at specific times. However, process accounting must have been turned on beforehand.
/var/log/pacct, /var/run/utmp, and /var/log/wtmp are dynamic database files. /var/log/pacct and /var/log/wtmp grow as entries are added and modified. The problem is that, because these files grow continually, they eventually become very large.
We can solve this problem with a program called logrotate, which reads the configuration file /etc/logrotate.conf; that file in turn tells logrotate to read the /etc/logrotate.d directory. You can use it to set the rotation interval for log files.
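The two uses described above, summarizing per-user activity like sa -u and isolating one user's commands at specific times like lastcomm, can be scripted over lastcomm output. The following is an added example, not code from the original article or from the acct package: it parses lastcomm-style lines (the joe lines reproduce the sample output above; the final accton line is a constructed addition showing the optional flags column, where S means the command ran with superuser privileges, and the __ placeholder printed when no terminal is attached), then builds a per-user summary, a time-window filter, and a watch-list check. Column layout and flag letters are assumed to follow the GNU acct lastcomm format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format shown by "lastcomm joe" above. The joe lines
# reproduce the page's output; the final "accton" line is an assumption added to
# show the optional flags column ("S" = run with superuser privileges) and the
# "__" placeholder lastcomm prints when no terminal is associated.
SAMPLE_LASTCOMM = """\
reboot    joe    ttyp1  0.01 secs Fri Feb 26 18:40
tcpdump   joe    ttyp1  0.01 secs Fri Feb 26 18:39
lastcomm  joe    ttyp1  0.01 secs Fri Feb 26 18:32
ls        joe    ttyp1  0.01 secs Fri Feb 26 18:30
ls        joe    ttyp1  0.00 secs Fri Feb 26 18:28
bash      joe    ttyp1  0.00 secs Fri Feb 26 18:25
accton  S root   __     0.00 secs Fri Feb 26 18:20
"""

# command, optional flags (S, F, C, D, X), user, terminal, cpu seconds, timestamp
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?:(?P<flags>[SFCDX]+)\s+)?(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<cpu>\d+\.\d+)\s+secs\s+(?P<when>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2})\s*$"
)


def parse_lastcomm(text):
    """Turn lastcomm output into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["flags"] = rec["flags"] or ""
        rec["cpu"] = float(rec["cpu"])
        rec["hhmm"] = rec["when"].split()[-1]  # time of day, e.g. "18:40"
        records.append(rec)
    return records


def summarize_by_user(records):
    """Per-user totals in the spirit of 'sa -u': CPU seconds and a command histogram."""
    summary = defaultdict(lambda: {"cpu": 0.0, "commands": Counter()})
    for rec in records:
        summary[rec["user"]]["cpu"] += rec["cpu"]
        summary[rec["user"]]["commands"][rec["cmd"]] += 1
    return dict(summary)


def commands_between(records, user, start, end):
    """Commands a user ran in the inclusive HH:MM window, newest first as lastcomm prints them."""
    return [r["cmd"] for r in records
            if r["user"] == user and start <= r["hhmm"] <= end]


def flag_watched(records, watched=("tcpdump", "reboot")):
    """Entries whose command is on a watch list, for review after suspicious activity is noticed."""
    return [(r["when"], r["user"], r["cmd"]) for r in records if r["cmd"] in watched]


if __name__ == "__main__":
    recs = parse_lastcomm(SAMPLE_LASTCOMM)
    for user, info in summarize_by_user(recs).items():
        print(user, f"{info['cpu']:.2f} cpu", dict(info["commands"]))
    print("joe 18:30-18:45:", commands_between(recs, "joe", "18:30", "18:45"))
    print("watched:", flag_watched(recs))
```

In practice the input would come from lastcomm itself (for example lastcomm joe piped into the script); the watch list and time window are the parameters an administrator narrows once an incident has a suspect account and a rough time frame.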
2 System logs
Linux uses a variety of log files, some of which serve special purposes; for example, /var/log/xferlog records file transfer protocol (FTP) activity. Other log files, such as /var/log/messages, usually contain entries from many system and kernel tools. These log files provide information about the security state of the system.
We mainly explain two log daemons, syslogd and klogd, and briefly describe other log files generated by the Linux operating system, with the aim of providing basic configuration information.
2.1 syslog System Log tool
Syslog is used on most Linux systems. It is quite flexible and lets the system take different actions for different log entries. The working mechanism of syslog and its configuration in the file /etc/syslog.conf are discussed in detail below, along with ways of working with syslog's flexibility and functionality.
1) Overview
The syslog tool is very simple: it consists of a daemon that accepts log messages entering the system and processes them according to the instructions in the configuration file /etc/syslog.conf. Programs, daemons, and the kernel supply the log messages entering the system, so any program that wishes to generate log messages can call the syslog interface to do so.
Generally, syslog receives messages from the various facilities of the system, and each message carries a priority level. The /etc/syslog.conf file tells syslogd how to handle messages based on the facility and the priority level.
2) /etc/syslog.conf
The /etc/syslog.conf file uses the following format:
facility.level action
Blank lines and lines starting with # are ignored. The facility.level field is also called the selector. One or more tabs should separate the selector from the action; most Linux systems also accept spaces as separators. The three elements of /etc/syslog.conf are analyzed below.
Facility specifies the syslog facility, which mainly includes the following:
auth: authentication activities reported by pam_pwdb
authpriv: authentication activities that include privileged information such as user names
cron: messages related to cron and at
daemon: messages related to the inetd daemon
kern: kernel messages, passed first through klogd
lpr: messages related to the print service
mail: messages related to email
mark: syslog internal facility used to generate timestamps
news: messages from the news server
syslog: messages generated by syslogd
user: messages generated by user programs
uucp: messages generated by uucp
local0 to local7: for use with custom programs, for example local5 for ssh
*: wildcard representing all facilities except mark
The priorities (levels) for each facility are arranged in a fixed order: emerg is the highest level, followed by alert, and so on. By default, the level specified in an /etc/syslog.conf entry means that level and all higher levels. If you want to select a level exactly, you can use the two operators ! (not equal) and =. For example,
user.=info
tells syslog to accept all user facility messages at exactly the info level.
The syslog levels are as follows:
emerg or panic: the system is unusable
alert: a condition that must be corrected immediately
crit: a critical condition that prevents some tool or subsystem from functioning
err: an error condition blocking some function of a tool or subsystem
warning: a warning message
notice: an important but normal condition
info: an informational message
debug: a debugging message with no functional impact, or other information about a problem
none: no importance level; usually used for troubleshooting
*: all levels except none
The action field allows a great deal of flexibility; in particular, you can use a named pipe so that the messages syslogd writes can be post-processed.
Syslog mainly supports the following actions:
file: the absolute path of the file
terminal or printer: the full path of the serial or parallel device
@host: a remote log server
username: send the message to the specified user with write
named pipe: the absolute path of a FIFO file created with the mkfifo command
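The selector rules above (a level means that level and all higher ones, = selects one level exactly, ! removes the selected levels, none drops a facility, * matches every facility except mark, and several selectors on one line are applied left to right) are easy to get wrong by hand. The following is an added example, not code from the original article or from sysklogd: it parses a constructed /etc/syslog.conf in the facility.level action format, answers which actions syslogd would take for a given facility and priority, and classifies each action according to the list above. The sample configuration, the host name loghost, and the file /var/log/userinfo are assumptions for illustration.

```python
import re

# Priorities from most to least important, as listed in the table above.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
ALL_LEVELS = set(range(len(PRIORITIES)))

# Constructed sample configuration in the facility.level action format.
SAMPLE_CONF = """\
# selectors are separated from actions by tabs or spaces
*.info;mail.none;authpriv.none      /var/log/messages
authpriv.*                          /var/log/secure
mail.*                              /var/log/maillog
kern.=crit                          /dev/console
*.emerg                             *
local5.*                            @loghost
user.=info                          /var/log/userinfo
"""


def _level(name):
    name = ALIASES.get(name, name)
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority: {name}")
    return PRIORITIES.index(name)


def parse_syslog_conf(text):
    """Return a list of (mask, action); mask maps each facility to the set of
    priority indexes the line accepts. Selectors on one line are applied left
    to right, so 'mail.none' after '*.info' removes mail again."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = re.split(r"\s+", line, maxsplit=1)
        mask = {f: set() for f in FACILITIES}
        for sel in selectors.split(";"):
            facs, level = sel.rsplit(".", 1)
            negate = level.startswith("!")
            level = level.lstrip("!")
            exact = level.startswith("=")
            level = level.lstrip("=")
            # the page's rule: '*' means every facility except mark
            targets = [f for f in FACILITIES if f != "mark"] if facs == "*" else facs.split(",")
            for fac in targets:
                if fac not in mask:
                    raise ValueError(f"unknown facility: {fac}")
                if level == "none":  # drop everything from this facility
                    mask[fac] = set()
                    continue
                if level == "*":
                    chosen = set(ALL_LEVELS)
                elif exact:
                    chosen = {_level(level)}
                else:  # this level and every more important one
                    chosen = set(range(_level(level) + 1))
                if negate:
                    mask[fac] -= chosen
                else:
                    mask[fac] |= chosen
        rules.append((mask, action))
    return rules


def actions_for(rules, facility, priority):
    """Every action syslogd would take for a message with this facility and priority."""
    idx = _level(priority)
    return [action for mask, action in rules if idx in mask[facility]]


def classify_action(action):
    """Which kind of action an action field denotes (see the list above)."""
    if action == "*":
        return "all logged-in users"
    if action.startswith("@"):
        return "remote log server"
    if action.startswith("|"):
        return "named pipe"
    if action.startswith("/dev/"):
        return "terminal or printer"
    if action.startswith("/"):
        return "file"
    return "users via write"


if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_CONF)
    for fac, pri in [("kern", "crit"), ("mail", "info"), ("user", "debug"), ("daemon", "emerg")]:
        acts = actions_for(rules, fac, pri)
        print(f"{fac}.{pri:<8} -> {acts} {[classify_action(a) for a in acts]}")
```

A check like actions_for(rules, "user", "debug") returning an empty list is the kind of surprise worth catching before deployment: the *.info line stops at info, so debug messages from that facility are silently dropped unless another line selects them.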
3) call the syslogd daemon
The syslog daemon is started by the /etc/rc.d/init.d/syslog script at run level 2. No options are used by default, but two options, -r and -h, are useful.
If you want to use a log server, you must start syslogd with -r. By default syslogd does not accept messages from remote systems; with the -r option, syslogd listens for UDP packets on port 514.
If you want the log server to forward log messages, use the -h flag. Without it, syslogd ignores any /etc/syslog.conf entry that would forward log messages received from one remote system on to another.
4) klogd daemon
The klogd daemon obtains and records Linux kernel messages. Normally syslogd records all messages sent by klogd. However, if you start klogd with the -f filename argument, klogd writes all messages to filename instead of passing them to syslogd. When another file is specified for logging, klogd writes all levels or priorities to that file. klogd has no configuration file comparable to /etc/syslog.conf. The advantage of using klogd without syslogd is that you can find a large number of errors; if someone intrudes into the kernel, you can use klogd to track down the error.
5) other logs
Other log files can be found in /var/log, depending on the version of the system and on the applications you have configured. Of course, /etc/syslog.conf lists the names and locations of all log files managed by syslogd; other logs are managed by the applications themselves. For example, on Red Hat 6.2 the Apache server generates the file /var/log/htmlaccess.log to record client access and the file /var/log/httpd/error.log to record errors, both outside of syslog.
The cron tool maintains the log file /var/log/cron. When the Linuxconf tool records system reconfiguration, it generates a log file such as /var/log/netconf.log. Samba keeps its log information in /var/log/samba.
In addition, syslogd may lose messages when the system is very busy, so you can replace syslog with cyclog.