Explore Latest Linux Security HOWTOs

We found -4 articles for you...
166

Enhancing Log Security with Msyslog for Better Intrusion Detection

msyslog: For a cracker to successfully hide an intrusion, the logs must be edited. When a cracker breaks into a computer, the first step in covering their tracks is to delete the log entries that show anything suspicious. If the logs are edited well and not much is done to the system, it may be months before a system administrator notices that the system has been cracked, or it may never happen. Because of the importance placed on log files to report what is going on in a system, and because of the ease of editing log files, they do not help in detecting intrusions as much as they should.

Enter msyslog, the obvious solution to the problem of logs not helping in intrusion detection. Msyslog is a syslogd and klogd replacement that encrypts and hashes the log files. With msyslog, crackers will need significantly more time to hide their tracks, time that they probably do not have. While a cracker can still delete the log file altogether, that is a pretty big sign that the box has been broken into, something they don't want.

Configuration

First, get the software here. After unzipping and untarring it, read the README and INSTALL files. Then, edit the modules.conf file to something similar to this:

    UNIX=static
    BSD
    LINUX=static
    UDP
    CLASSIC=static
    PEO=static
    REGEX=static
    MYSQL
    PGSQL

UNIX refers to receiving input from /dev/log.
BSD refers to receiving input from the special BSD logging device, /dev/klog.
LINUX refers to receiving input from the special Linux logging device.
UDP refers to receiving input from other systems on a specific port.
CLASSIC refers to the output tasks syslogd normally does.
PEO refers to hashing the logs with the PEO-1 and L-PEO algorithms.
REGEX refers to allowing output redirection based on a set of regular expressions.
MYSQL refers to writing the logs into a MySQL database.
PGSQL refers to writing the logs into a PostgreSQL database.

Now run:

    ./configure --prefix=/usr/local

Installation

For installation, run:

    make clean; make; make install

Setup

After installing msyslog, directions will be given to edit /etc/rc.d/init.d/syslog. After editing and saving it, remove the klogd start-up and shutdown process, since msyslog can log kernel messages itself. Now run this command:

    mv /usr/local/sbin/syslogd /sbin/syslogd

Assuming everything has worked correctly so far, /etc/syslog.conf must be edited. The changes to syslog.conf will be minimal if all that is needed is encryption and hashing of the log files. To do this, these two lines:

    *.info;mail.none;authpriv.none /var/log/messages
    authpriv.* /var/log/secure

become:

    *.info;mail.none;authpriv.none %peo -l -m md5 -k /var/syslog/.var.log.messages.key %classic /var/log/messages
    authpriv.* %peo -l -m md5 -k /var/syslog/.var.log.secure.key %classic /var/log/secure

With the second set of lines, the files will be encrypted with the key in /var/syslog and an md5 hash made of them. Now the keys to be used for encryption must be made. Make the keys for the above example like this:

    /usr/local/sbin/peochk -g -f /var/log/messages -i messagekey0 -m md5
    /usr/local/sbin/peochk -g -f /var/log/secure -i securekey0 -m md5

The keys messagekey0 and securekey0 should be stored in a very safe place, like a CD.

Start

After this, kill both klogd and syslogd and start msyslog using the start-up script. Start msyslog like this:

    /etc/rc.d/init.d/syslog start

Integrity Test

If there is a possibility that someone has been messing with the logs, run this to check their integrity:

    /usr/local/sbin/peochk -m md5 -i messagekey0 -f /var/log/messages
    /usr/local/sbin/peochk -m md5 -i securekey0 -f /var/log/secure

If something comes up, chances are much better than not that the logs have been doctored and the system administrator has a really big problem.
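The syslog.conf change in the Setup step is mechanical enough to script. The following shell function is an added example, not part of the article or the msyslog project: it rewrites plain file actions in a syslog.conf into the %peo/%classic form used above, deriving the key file name the same way the article does (/var/log/messages becomes /var/syslog/.var.log.messages.key). It assumes the key directory /var/syslog and md5 hashes, runs over a constructed sample rather than a live system, and passes non-file actions (remote hosts, wildcards, pipes) through unchanged.

```shell
#!/bin/sh
# Rewrite classic syslog.conf file actions into msyslog "%peo ... %classic" form.
# Assumed (not from the article): key directory /var/syslog and md5 hashing.
KEYDIR=/var/syslog

# peo_key_path: /var/log/messages -> /var/syslog/.var.log.messages.key
peo_key_path() {
    printf '%s/%s.key\n' "$KEYDIR" "$(printf '%s' "$1" | tr '/' '.')"
}

# peo_rewrite_line: rewrite one "selector action" line.
# Only actions that are absolute file paths are rewritten; comments, blank
# lines and other actions (@host, *, |pipe, existing %modules) are unchanged.
peo_rewrite_line() {
    line=$1
    case "$line" in
        ''|'#'*) printf '%s\n' "$line"; return 0 ;;
    esac
    selector=$(printf '%s' "$line" | awk '{print $1}')
    action=$(printf '%s' "$line" | awk '{print $2}')
    case "$action" in
        /*) printf '%s %%peo -l -m md5 -k %s %%classic %s\n' \
                "$selector" "$(peo_key_path "$action")" "$action" ;;
        *)  printf '%s\n' "$line" ;;
    esac
}

# peo_rewrite: filter a whole syslog.conf read from stdin
peo_rewrite() {
    while IFS= read -r l || [ -n "$l" ]; do
        peo_rewrite_line "$l"
    done
}

# Constructed sample configuration (not taken from a real system).
SAMPLE='*.info;mail.none;authpriv.none /var/log/messages
authpriv.* /var/log/secure
*.emerg *
mail.* @loghost'

# Stand-alone run: print the rewritten sample.
printf '%s\n' "$SAMPLE" | peo_rewrite
```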
More Information

While there isn't a lot of information (read: none, as far as I can tell) about msyslog setup and use, there are a few mailing lists that are helpful, and msyslog itself comes with excellent documentation. These are the mailing lists Core-SDI provides for msyslog discussion and help. The im_linux.8, om_mysql.8, om_peo.8, om_regex.8, peochk.8, syslog.conf.5, and syslogd.8 man pages more than fill the void of outside documentation.

Nov 14, 2000. Anthony Pell. Categories: How to Learn, Tips and Tricks.