IS3440 Linux Security Unit 9 Linux System Logging and Monitoring
Class Agenda 5/11/16
- Covers Chapter 12 and 13
- Unit 9 Quiz 4
- Learning Objectives
- Discussion on Lab Activities. Lab will be performed in class.
- Break Times as per School Regulations.
- Reminder: Please try to complete the Projects. The Final Project is due in Unit 11. Final Exams in Unit 11.
Learning Objective Establish a system baseline with monitoring and logging to detect anomalies.
Key Concepts
- Local and remote logging
- File and data integrity checkers
- Tools to monitor open ports
- Security testing tools
- Linux system monitoring within a virtual machine (VM) environment
EXPLORE: CONCEPTS
Monitoring Systems: Linux Audit System
The Linux Audit system provides a way to track security-relevant information on your system. Audit generates log entries that:
- Help determine whether the security policy has been violated
- Satisfy the requirements of certifications or compliance
Use Cases of the Audit System
- Track whether files and directories have been accessed, modified, or executed
- Generate a log entry when a particular system call is used
- Record commands run by a user
- Record security events
- Search for events
- Run summary reports
- Monitor network access
Audit Service
- Install the service with the yum install audit command.
- Configure the service to run on boot with chkconfig auditd on.
- Use the auditctl command to create audit rules.
- Use the ausearch command to search for activity matched by the audit rules.
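The following added example (not part of the course slides) shows the two halves of the Audit Service slide in practice: a rule file in the syntax that auditctl and /etc/audit/rules.d accept, and the kind of question ausearch -k answers, worked over a few constructed audit.log records. The rule file path, the key name "identity" and every value in the sample records are assumptions made for the example; the field layout follows the real auditd record format.

```shell
#!/bin/sh
# Added example, not code from the course or from the audit project.
# Writes audit rules in the syntax auditctl / /etc/audit/rules.d use:
#   -w PATH -p PERMS -k KEY   watch a file for (r)ead/(w)rite/e(x)ec/(a)ttr
# The rules go to the file named in $1 so the example runs without root.
write_identity_rules() {
    cat > "$1" <<'EOF'
# Alert on any write or attribute change to the account databases
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group  -p wa -k identity
# Record every use of the clock-setting syscalls (baseline for time tampering)
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
EOF
}

# Constructed sample of /var/log/audit/audit.log after the rules above are
# loaded. Field layout matches auditd; the values are invented.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1463000000.101:201): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=241 a2=1b6 a3=0 items=1 ppid=1502 pid=1510 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="identity"
type=PATH msg=audit(1463000000.101:201): item=0 name="/etc/shadow" inode=1313 dev=fd:01 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1463000060.555:202): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=1 pid=1600 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
type=SYSCALL msg=audit(1463000120.987:203): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=241 a2=1b6 a3=0 items=1 ppid=1502 pid=1700 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="identity"
EOF
}

# Counts SYSCALL records carrying the given key: the same question
# "ausearch -k identity" asks of the live log.
count_events_for_key() {
    sample_audit_log | grep -c "type=SYSCALL .*key=\"$1\""
}

# Prints "auid comm" for each hit so the analyst sees who triggered the rule.
# auid is the login user and survives su/sudo; uid is the effective user.
who_touched_key() {
    sample_audit_log | awk -v key="\"$1\"" '
        $1 == "type=SYSCALL" {
            auid = ""; comm = ""; k = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "auid") auid = kv[2]
                if (kv[1] == "comm") comm = kv[2]
                if (kv[1] == "key")  k = kv[2]
            }
            if (k == key) print auid, comm
        }'
}
```

On a real host the rule file would be placed under /etc/audit/rules.d/ and loaded with augenrules or auditctl -R; the cron record with key=(null) shows why searching by key, rather than by file name, keeps unrelated activity out of the report.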
Logwatch
Logwatch is a customizable, pluggable log-monitoring system. It goes through your logs for a given period of time and produces a report on the areas you choose, at the level of detail you choose. Logwatch is used on Linux and many types of UNIX.
Logwatch (continued)
- It is a program written in the Perl scripting language that consolidates information from various log files and creates a report.
- In Fedora, it is installed by default and runs daily.
- Its main configuration file is /etc/logwatch/conf/logwatch.conf.
- Its configuration allows a range of dates to be selected from the log files. By default, it reads logs from the previous day.
- The reporting level of detail can be set to low, medium, or high.
Logcheck
Logcheck is a software package designed to run automatically and check system log files for security violations and unusual activity.
Uses: analyzing unusual security activity in syslog; monitoring Apache log files for errors caused by PHP scripts or other problems.
Logcheck (continued)
- It is used mostly on Debian-based systems, such as Ubuntu.
- By default, it runs every hour and upon a reboot.
- Its main configuration file is /etc/logcheck/logcheck.conf.
- The log files to monitor are set in the /etc/logcheck/logcheck.logfiles file.
- It supports paranoid, server, and workstation levels of output.
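This added example (not part of the course slides, and not logcheck's own code) reproduces the filtering logcheck performs so the output levels above make sense: lines matching a regex in /etc/logcheck/ignore.d.<level>/ are dropped as known-benign, lines matching /etc/logcheck/violations.d/ are reported as security events, and whatever is left is reported as unusual system activity. The syslog lines and the rule files are constructed for the example; the regex style follows the shipped logcheck rules.

```shell
#!/bin/sh
# Added example, not code from the course or from the logcheck package.

# Constructed syslog extract: two routine lines, two security events and
# one unusual-but-not-hostile kernel message.
sample_syslog() {
    cat <<'EOF'
May 11 10:00:01 is418 CRON[2001]: (root) CMD (run-parts /etc/cron.hourly)
May 11 10:02:15 is418 sshd[2050]: Accepted publickey for jdoe from 10.0.0.5 port 50222 ssh2: RSA SHA256:constructed
May 11 10:03:40 is418 sshd[2061]: Failed password for invalid user admin from 10.0.0.77 port 41022 ssh2
May 11 10:04:00 is418 systemd[1]: Started Daily apt download activities.
May 11 10:05:12 is418 su[2090]: FAILED SU (to root) jdoe on pts/0
May 11 10:06:30 is418 kernel: [  512.100000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
EOF
}

# Ignore rules in the style of /etc/logcheck/ignore.d.server/*: one
# extended regex per line, anchored so a partial match cannot hide a line.
# Written to $1 so the example runs without touching /etc.
write_ignore_rules() {
    cat > "$1" <<'EOF'
^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(root\) CMD \(.*\)$
^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted publickey for [^ ]+ from [0-9.]+ port [0-9]+ ssh2.*$
^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[1\]: Started .*$
EOF
}

# Violation patterns in the style of /etc/logcheck/violations.d/*.
write_violation_rules() {
    cat > "$1" <<'EOF'
FAILED
Failed password
EOF
}

# Security events: lines matching any violation pattern ($1 = pattern file).
security_events() {
    sample_syslog | grep -E -f "$1"
}

# Unusual system events: lines no ignore rule accounts for ($1 = ignore file).
# Tightening the level (workstation -> server -> paranoid) means shipping
# fewer ignore rules, so more lines land in this report.
unusual_events() {
    sample_syslog | grep -E -v -f "$1"
}
```

The practical lesson is the same one logcheck's maintainers give: write ignore rules as tightly as possible, since every loose regex is a line an attacker's activity could hide behind.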
File Integrity Checkers
- Tripwire
- Advanced Intrusion Detection Environment (AIDE)
- Chkrootkit
- Rootkit Hunter (rkhunter)

Tripwire
- Stores a security policy containing rules for all files to be checked.
- When a file changes, Tripwire compares it against the stored checksum and fires an alert.

Advanced Intrusion Detection Environment (AIDE)
- Developed as a replacement for Tripwire
- Works on the same concept as Tripwire

Chkrootkit
- Checks system binaries for modifications
- Checks other files as well for rootkits and worms known to Linux

Rkhunter
- Checks for rootkits and other vulnerabilities

(c) ITT Educational Services, Inc. 11/15/2018
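To make the Tripwire/AIDE concept concrete, here is an added example (not code from the course, Tripwire or AIDE) of the mechanism both tools share, reduced to a POSIX shell script: take a baseline of file checksums once, keep it somewhere the monitored host cannot rewrite it, and report every later difference as added, removed or modified. The directory tree and its contents are constructed inside the script.

```shell
#!/bin/sh
# Added example, not code from the course, Tripwire or AIDE.

# Record a baseline: one "sha256  ./path" line per regular file under $1,
# written to $2. Sorted so two baselines of the same tree compare equal.
take_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum ) > "$2"
}

# Compare the tree under $1 against baseline $2 and print one line per change:
#   MODIFIED path   content differs from the baseline
#   ADDED    path   present now, absent from the baseline
#   REMOVED  path   in the baseline, now missing
check_against_baseline() {
    current=$(mktemp)
    take_baseline "$1" "$current"
    # Join on the path (field 2 of sha256sum output) with the baseline first.
    awk '
        NR == FNR { base[$2] = $1; next }
        {
            if (!($2 in base))       print "ADDED    " $2
            else if (base[$2] != $1) print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED  " p }
    ' "$2" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# Demonstration on a constructed tree: baseline it, then change it the way
# an intrusion or an unrecorded admin change would, and run the check.
demo_integrity_check() {
    tree=$(mktemp -d); db=$(mktemp)
    mkdir -p "$tree/bin" "$tree/etc"
    printf 'original binary\n' > "$tree/bin/ls"
    printf 'root:x:0:0\n'      > "$tree/etc/passwd"
    take_baseline "$tree" "$db"
    printf 'replaced binary\n' > "$tree/bin/ls"      # content changed
    printf 'unexpected\n'      > "$tree/bin/.hidden" # new file
    rm "$tree/etc/passwd"                            # file removed
    check_against_baseline "$tree" "$db"
    rm -rf "$tree" "$db"
}
```

Two points the script makes visible: the baseline database is only worth as much as its own integrity (Tripwire signs it, AIDE documentation recommends read-only or off-host storage), and a checker that stores only content hashes misses permission and ownership changes, which is why the real tools record inode metadata as well. Paths containing whitespace would need find -print0 / xargs -0, omitted here for brevity.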
EXPLORE: PROCESSES
Enabling ModSecurity on Fedora
Step 1: Install ModSecurity by typing the following command:
    [jdoe@is418 root]$ su -c 'yum install mod_security'
Optional Step: Define custom rules in addition to the base rules.
    Step 2: In a text editor, open the /etc/httpd/modsecurity.d/modsecurity_localrules.conf file.
    Step 3: Type custom rules.
    Step 4: Save and exit.
Step 5: Start the Apache Web server using the following command:
    [jdoe@is418 root]$ su -c 'service httpd start'
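Step 3 above leaves the content of the custom rules open, so here is an added example (not from the course, and not ModSecurity's own rule set) of what a small modsecurity_localrules.conf might hold, written out by a shell function so the file can be generated and sanity-checked before Apache is restarted. The three rules, their ids and messages are assumptions; the directive syntax is ModSecurity 2.x SecRule syntax, in which every rule needs a unique id.

```shell
#!/bin/sh
# Added example, not code from the course or the ModSecurity project.

# Writes local rules to the path in $1 (on Fedora that would be
# /etc/httpd/modsecurity.d/modsecurity_localrules.conf). The base
# configuration already sets SecRuleEngine On, so only rules go here.
write_local_rules() {
    cat > "$1" <<'EOF'
# Only the methods this site serves; anything else is refused and logged.
SecRule REQUEST_METHOD "!^(GET|HEAD|POST)$" \
    "id:100001,phase:1,deny,status:405,log,msg:'Method not allowed'"

# Reject any request argument containing a NUL byte.
SecRule ARGS "@validateByteRange 1-255" \
    "id:100002,phase:2,deny,status:403,log,msg:'NUL byte in argument'"

# Log, but still serve, requests with an oversized User-Agent header.
SecRule REQUEST_HEADERS:User-Agent "^.{512,}$" \
    "id:100003,phase:1,pass,log,msg:'Oversized User-Agent'"
EOF
}

# Number of SecRule directives in the file in $1.
count_rules() {
    grep -c '^SecRule' "$1"
}

# Rule ids that appear more than once in $1. ModSecurity refuses to start
# Apache when ids collide, so this is worth checking before 'service httpd start'.
duplicate_rule_ids() {
    grep -o 'id:[0-9]*' "$1" | sort | uniq -d | sed 's/id://'
}
```

After writing the file, apachectl configtest (or service httpd configtest) is the authoritative check; the id scan above only catches the most common copy-and-paste mistake earlier.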
EXPLORE: ROLES
Port Monitoring and Log Configuration
- Port monitoring: indexes and monitors ports; investigates unauthorized ports
- Log configuration: configures logs on local and remote logging servers and runs log scanners, such as logwatch
ModSecurity
- Filters each Hypertext Transfer Protocol (HTTP) request to the Apache Web server
- Reads the request header and body content to pass, allow, deny, redirect, and log HTTP requests based on predefined rules
EXPLORE: CONTEXTS
Remote Monitoring and Logging
- Used to consolidate monitoring and logging of all servers for easier and more effective monitoring of computer systems in a network
- The Linux system administrator monitors from a central location
- Logging and monitoring server collects Linux system logs and firewall logs
EXPLORE: RATIONALE
Importance of a Baseline
- It establishes what counts as an anomaly.
- It helps ensure computer system availability in the face of increased network traffic, hard drive usage, and potential hardware problems.
Host-Based Intrusion Detectors
- Provide a solution to the "needle in the haystack" problem
- Provide a layer of security
- Help establish a baseline for files, processes, and ports
Summary
In this presentation, the following concepts were covered:
- Audit service, logwatch, and logcheck
- File integrity checkers
- Remote monitoring and logging
- Port monitoring, log configuration, and ModSecurity
- Importance of a baseline and host-based intrusion detectors
Assignments and Quiz
- Unit 9 Quiz 4
- Lab 9.2 Implement Best Practices for Security Logging & Monitoring