Alerts This Week
Warning Icon 1 677
Alerts This Week
Warning Icon 1 677

Enhancing Log Security with Msyslog for Better Intrusion Detection

Calendar Nov 14, 2000 User Avatar Anthony Pell
2 - 4 min read
General Esm H500
Topics%20covered

Topics Covered

intrusion detection log integrity logging configuration msyslog log encryption syslog replacement
msyslog: For a cracker to successfully hide her intrusion, she must edit the logs. When a cracker breaks into a computer, the first step to covering his tracks is to delete the log entries that show anything suspicious. If the logs are edited well and not much is done to the system, it may be months before a system administrator notices that the system has been cracked, or it may even never happen. Because of the importance put on to log files to report what is going on in a system and because of ease of editing log files, they do not help in detecting intrusions as much as they should.

Enter msyslog, the obvious solution to the problem of logs not helping in intrusion detection. Msyslog is a syslogd and klogd replacement that encrypts and hashes the log files. With msyslog, crackers will need a significantly more time to hide their tracks, time that they probably does not have. While a cracker can still delete the log file all together, that is a pretty big sign that the box has been broken into, something they don't want.

Configuration

First, get the software here. After unzipping and untarring it, read the README and INSTALL files. Then, edit the modules.conf file to something similar to this: 
  UNIX=static
  BSD  LINUX=static
  UDP  CLASSIC=static
  PEO=static
  REGEX=static
  MYSQL  PGSQL

UNIX refers to receiving input from /dev/log. BSD refers to receiving input from the special BSD logging device, /dev/klog. LINUX refers to receiving input from the special Linux logging device. UDP refers to receiving input from other systems on a specific port. CLASSIC refers to the outputting tasks the syslogd normally does. PEO refers to hashing the logs into the PEO-1 and L-PEO algorithms. REGEX refers to allowing output redirection based on a set of regular expressions. MYSQL refers to outputting the logs into a mysql database. PGSQL refers to outputting the logs into a postgresql database.

Now run: 

  ./configure --prefix=/usr/local

Installation

For installation, run: 
  make clean;make;make install

Setup

After installing msyslog, there will be directions given to edit /etc/rc.d/init.d/syslog. After editing and saving it, remove the klogd start up and shut down process since msyslog can log kernel messages. Now, move run this command: 
  mv /usr/local/sbin/syslogd /sbin/syslogd
Assuming everything worked correctly so far, /etc/syslog.conf must be edited. The changes to syslog.conf will be minimal if all that is needed is encryption and hashes of the log files. To do this, these two lines: 
  *.info;mail.none;authpriv.none  /var/log/messages
  authpriv.*                      /var/log/secure
becomes 
  *.info;mail.none;authpriv.none %peo -l -m md5 -k /var/syslog/.var.log.messages.key %classic /var/log/messages
  authpriv.* %peo -l -m md5 -k /var/syslog/.var.log.secure.key %classic /var/log/secure
The second set of files will be encrypted with the key in /var/syslog and an md5 hash of them made of them. Now, the keys to be used for encryption must be made. Make the keys for the above example like this: 
  /usr/local/sbin/peochk -g -f /var/log/messages -i messagekey0 -m md5
  /usr/local/sbin/peochk -g -f /var/log/secure -i securekey0 -m md5
The keys messagekey0 and securekey0 should be stored in a very safe place, like a CD.

Start

After this, kill both klogd and syslogd and start msyslog using the start up script. Start msyslog like this: 
  /etc/rc.d/init.d/syslog start

Integrity Test

If there is a possibility that someone has been messing with the logs, run this to check their integrity: 
  /usr/local/sbin/peochk -m md5 -i messagekey0 -f /var/log/messages
  /usr/local/sbin/peochk -m md5 -i securekey0 -f /var/log/secure
If something comes up, chances are much better than not that the logs have been doctored and the systems admin had a really big problem.

More Information

While there isn't a lot of information (read none as far as I can tell) about msyslog setup and use, there are a few mailing lists that are helpful and msyslog itself comes with excellent documentation. These are the mailing lists Core-SDI provides for msyslog discussion and help. The im_linux.8, om_mysql.8, om_peo.8, om_regex.8, peochk.8, syslog.conf.5, and syslogd.8 man pages more than filled the void of outside documentation.
Your message here