Securing Solaris – Using syslogs during an Intrusion
Randy Marchany
va-scan, Copyright 2002, Marchany

Introduction
 Reference document: “Inspecting your Solaris system and network logs for evidence of intrusions”, improvements/implementations/i003.html
 Inspect log files daily
 Document unusual entries you find

Introduction
 Investigate each documented abnormality
  – Can it be explained by an authorized user?
  – Can it be explained by known system activity?
  – Can it be explained by known changes to programs?
 Report all confirmed evidence of intrusion to your sysadmin (Milko) or

System Log Files
 Most log information is sent to /var/adm/messages.
 mail.debug information is sent to /var/log/syslog or /var/adm/syslog.
 auth.notice messages aren’t logged to a file by default.
 Check /etc/syslog.conf for the exact locations of the system log files.
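Reading /etc/syslog.conf by eye is error-prone because a selector such as *.err;kern.notice;auth.notice applies the level as a threshold and lets later entries override earlier ones. The following resolver is an added example, not code from the slides: it parses a syslog.conf in the Solaris style (selector, TAB, action) and answers, for a given facility.level, which files or devices receive it. The configuration embedded in it is constructed to have the shape of a Solaris syslog.conf and is not a copy of any real host's file; the point it demonstrates is that auth.notice reaching only the console device leaves nothing on disk, and that one added line fixes that.

```python
"""Resolve where a Solaris-style /etc/syslog.conf sends a given facility.level.

Added example, not material from the slides.  It implements the classic
syslogd selector rules: a line is `selector<TAB>action`, selectors are
`facility.level` pairs joined by `;`, `*` stands for every facility, a level
matches that level and everything more severe, and `.none` drops a facility
from the line.  Solaris syslogd requires a TAB between selector and action;
the parser enforces that because a space-separated line is silently useless
on a real system.  m4 macros (ifdef(`LOGHOST', ...)) are not expanded here.
"""

LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
LEVEL_RANK = {name: rank for rank, name in enumerate(LEVELS)}
LEVEL_RANK.update(warn=LEVEL_RANK["warning"], error=LEVEL_RANK["err"],
                  panic=LEVEL_RANK["emerg"])


def parse_syslog_conf(text):
    """Return [(selectors, action)], selectors being a list of (facility, level)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if "\t" not in line:
            raise ValueError("selector and action must be TAB separated: %r" % raw)
        selector_part, action = line.split("\t", 1)
        selectors = []
        for sel in selector_part.split(";"):
            sel = sel.strip()
            if not sel:
                continue
            facilities, level = sel.rsplit(".", 1)
            for fac in facilities.split(","):
                selectors.append((fac.strip(), level.strip().lower()))
        rules.append((selectors, action.strip()))
    return rules


def selected(selectors, facility, level):
    """Apply one line's selectors left to right; a later entry for the same
    facility (or a later `*`) overrides an earlier one, as syslogd does."""
    hit = False
    for fac, lvl in selectors:
        if fac not in ("*", facility):
            continue
        hit = False if lvl == "none" else LEVEL_RANK[level] >= LEVEL_RANK[lvl]
    return hit


def destinations(conf_text, facility, level):
    """All actions (files, devices, @host, user lists) that receive facility.level."""
    return [action for selectors, action in parse_syslog_conf(conf_text)
            if selected(selectors, facility, level)]


def log_files(conf_text, facility, level):
    """Only the persistent on-disk files among the destinations; a console
    device such as /dev/sysmsg is not a log you can inspect tomorrow."""
    return [a for a in destinations(conf_text, facility, level)
            if a.startswith("/") and not a.startswith("/dev/")]


# Constructed configuration shaped like a Solaris syslog.conf (not copied from
# any real host): auth.notice reaches only the console device, so su/login
# notices leave no file behind.
CONF_DEFAULT_LIKE = (
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "*.alert;kern.err;daemon.err\toperator\n"
    "*.alert\troot\n"
    "*.emerg\t*\n"
    "mail.debug\t/var/log/syslog\n"
)

# Corrected version: one extra line gives auth.notice a file of its own.
CONF_WITH_AUTHLOG = CONF_DEFAULT_LIKE + "auth.notice\t/var/log/authlog\n"

if __name__ == "__main__":
    for fac_lvl in ("auth.notice", "mail.debug", "kern.err"):
        fac, lvl = fac_lvl.split(".")
        print(fac_lvl, "->", destinations(CONF_DEFAULT_LIKE, fac, lvl))
    print("auth.notice files before:", log_files(CONF_DEFAULT_LIKE, "auth", "notice"))
    print("auth.notice files after: ", log_files(CONF_WITH_AUTHLOG, "auth", "notice"))
```

Run it against your own file with open("/etc/syslog.conf").read() in place of the constructed string; after adding a line, remember that syslogd must be sent SIGHUP (or restarted) before the change takes effect, and that the target file has to exist already.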

System Log Files
 /var/adm/messages
  – Records system console output and syslog messages.
  – Look for unexpected system halts, e.g. Mar 31 12:48:31 unix: halted by
  – Look for unexpected system boots
  – Look for failed su and login commands
  – Look for unexpected successful su commands
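The four "look for" items above are a daily review that is easy to script. The scanner below is an added example, not code from the slides: it classifies /var/adm/messages lines into halts, boots, failed and successful su, and repeated login failures, then reports the ones worth documenting (halts and boots outside a maintenance window, every failure, and successful su by anyone not on an authorized list). The sample log lines are constructed to look like Solaris syslog output and are not from a real system; the su and login wording in the patterns should be checked against your own messages file before you rely on it.

```python
"""Scan /var/adm/messages for the events the slide lists: unexpected halts and
boots, failed su and login attempts, and successful su by unexpected users.

Added example, not part of the original slides.  The sample lines are
constructed (timestamp, host, program, text) and not copied from a real host;
the regexes follow the wording of Solaris su/login messages of the period but
must be verified against your own logs.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# (event kind, pattern over the message part of the line)
RULES = [
    ("halt", re.compile(r"^unix: halted by (?P<user>\S+)")),
    ("boot", re.compile(r"^unix: SunOS Release ")),
    ("su_failed", re.compile(
        r"^su: 'su (?P<target>\S+)' failed for (?P<user>\S+) on (?P<tty>\S+)")),
    ("su_ok", re.compile(
        r"^su: 'su (?P<target>\S+)' succeeded for (?P<user>\S+) on (?P<tty>\S+)")),
    ("login_failed", re.compile(
        r"^login: REPEATED LOGIN FAILURES ON (?P<tty>\S+)(?: FROM (?P<src>\S+?))?, (?P<user>\S+)")),
]


def scan(text):
    """Turn raw messages into a list of event dicts; lines matching no rule are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, pat in RULES:
            hit = pat.match(m.group("msg"))
            if hit:
                ev = {"kind": kind, "ts": m.group("ts"), "host": m.group("host")}
                ev.update(hit.groupdict())
                events.append(ev)
                break
    return events


def hour_of(ts):
    """Hour field of a 'Mon dd hh:mm:ss' timestamp."""
    return int(ts[7:9])


def review(events, authorized_su=frozenset(), maintenance_hours=(1, 5)):
    """Return the events worth documenting and investigating:
    halts/boots outside the maintenance window (start <= hour < end),
    every failed su or login, and successful su by a non-authorized user."""
    start, end = maintenance_hours
    findings = []
    for ev in events:
        kind = ev["kind"]
        if kind in ("halt", "boot") and not (start <= hour_of(ev["ts"]) < end):
            findings.append(ev)
        elif kind in ("su_failed", "login_failed"):
            findings.append(ev)
        elif kind == "su_ok" and ev["user"] not in authorized_su:
            findings.append(ev)
    return findings


def summarize(events):
    """Count of each event kind, handy for the daily review notes."""
    return Counter(ev["kind"] for ev in events)


# Constructed sample, not a real log: a planned 02:00 reboot, then a midday
# halt/boot, two failed su attempts followed by a success, and login failures.
SAMPLE_MESSAGES = """\
Mar 31 02:10:05 sol8 unix: halted by root
Mar 31 02:15:40 sol8 unix: SunOS Release 5.8 Version Generic 64-bit
Mar 31 12:48:31 sol8 unix: halted by root
Mar 31 12:50:02 sol8 unix: SunOS Release 5.8 Version Generic 64-bit
Mar 31 13:02:11 sol8 su: 'su root' failed for bob on /dev/pts/3
Mar 31 13:02:25 sol8 su: 'su root' failed for bob on /dev/pts/3
Mar 31 13:02:40 sol8 su: 'su root' succeeded for bob on /dev/pts/3
Mar 31 13:10:00 sol8 su: 'su root' succeeded for alice on /dev/console
Mar 31 14:20:17 sol8 login: REPEATED LOGIN FAILURES ON /dev/pts/4 FROM 192.0.2.10, carol
Mar 31 14:25:00 sol8 sshd[311]: Accepted publickey for alice from 192.0.2.20 port 4044
"""

if __name__ == "__main__":
    evs = scan(SAMPLE_MESSAGES)
    print(dict(summarize(evs)))
    for f in review(evs, authorized_su={"alice"}):
        print("%s %-12s %s" % (f["ts"], f["kind"], f.get("user", "")))
```

The authorized list and maintenance window are the local knowledge the slide asks you to apply ("can it be explained by an authorized user or known system activity?"); keep them in a file beside the script rather than in the code so the review stays honest when staff or schedules change.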

System Log Files
 /var/adm/pacct
  – Records all commands run by users. Process accounting must be enabled before this file is generated.
  – The lastcomm command will show the commands.
 /var/adm/aculog
  – Keeps track of dial-out modems.
  – Look for dial-out records or unauthorized use of dial-out modems.

System Log Files
 /var/log/syslog
  – Contains the sendmail log entries for the system.
  – TCP Wrappers and portsentry also write their log entries to this file.

Process Analysis
 Normal System Functions
  – What processes do you expect to be running on this system?
 System Users
  – Is it normal for each of these users to be using the system at this time of day?
  – From where are they accessing the system? Is this expected?

Process Analysis
 Executing Processes
  – How was the process started? By what user?
  – What is the current status of the process? Running, stopped, suspended, swapped out, exiting?
  – Is it missing from the processes you expected to be active?
  – What system settings are in effect for this process?

Process Analysis
 Executing Processes
  – What options or input arguments is the process executing? Are they valid?
  – Are the system resources being used consistent with what you expect the process to be using?
  – What is the relationship between the process and other processes running on the system? Is there a parent-child relationship?

Process Analysis
 Open Files
  – What files are opened by the process?
  – Is it authorized to open these files?
  – Any access to sensitive system files, e.g., password files?
  – Any unauthorized attempts to open a file?
  – Any file access errors?
  – What files are imported or exported?

Process Analysis
 Network Connections
  – Has the process opened any network connections to external sites?
  – Have any connection failures been recorded?
  – Have there been any unexpected connections?
  – Are there any open network sockets that can’t be attributed to valid processes?
  – In what mode is each socket open?
  – Are all of the network interfaces operating as expected?
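The process-analysis slides above ask what you expect to be running, what is missing, who started each process and whether its parent-child relationship is normal. Those questions only have answers if you keep a baseline from a known-good host and compare the live ps -ef listing against it. The script below is an added example and not code from the slides: it parses ps -ef output, walks each process's ancestry, and reports expected processes that are absent, processes not in the baseline (with the chain that started them), processes running as the wrong user, and processes with an unexpected parent. The baseline and the ps output it contains are constructed for a small Solaris-like host and are not from any real system.

```python
"""Compare a `ps -ef` listing against a baseline of the processes you expect,
to answer the slide's questions: is anything missing, is anything running that
should not be, who started it, and is the parent-child relationship normal.

Added example, not from the slides.  The baseline and the ps output are
constructed for illustration and not taken from any real system; build your
own baseline from a known-good machine.
"""
import os
import re

# Columns of `ps -ef`: UID PID PPID C STIME TTY TIME CMD.  STIME is either a
# clock time or "Mon dd", so it is matched non-greedily.
PS_RE = re.compile(
    r"^\s*(?P<uid>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<c>\d+)\s+"
    r"(?P<stime>.+?)\s+(?P<tty>\S+)\s+(?P<time>\d+(?::\d\d)+)\s+(?P<cmd>.*)$")


def parse_ps(text):
    """Map pid -> process dict; the header line and unparsable lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["pid"], p["ppid"] = int(p["pid"]), int(p["ppid"])
        p["name"] = os.path.basename(p["cmd"].split()[0])
        procs[p["pid"]] = p
    return procs


def ancestry(procs, pid):
    """Process names from pid up to the scheduler, e.g. ['sh', 'httpd', 'init', 'sched']."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain


def check_processes(procs, baseline):
    """Return (kind, process name, detail) findings.

    kinds: missing (expected but absent), unexpected (not in the baseline),
    uid_mismatch (wrong user), parent_mismatch (started from the wrong parent).
    """
    findings = []
    present = {p["name"] for p in procs.values()}
    for name in sorted(set(baseline) - present):
        findings.append(("missing", name, "expected process is not running"))
    for pid in sorted(procs):
        p = procs[pid]
        expected = baseline.get(p["name"])
        parent = procs[p["ppid"]]["name"] if p["ppid"] in procs else None
        if expected is None:
            started_from = " <- ".join(ancestry(procs, pid)[1:])
            findings.append(("unexpected", p["name"],
                             "pid %d as %s, started from %s" % (pid, p["uid"], started_from)))
            continue
        if p["uid"] != expected["uid"]:
            findings.append(("uid_mismatch", p["name"],
                             "running as %s, expected %s" % (p["uid"], expected["uid"])))
        if expected["parent"] is not None and parent != expected["parent"]:
            findings.append(("parent_mismatch", p["name"],
                             "pid %d parent is %s, expected %s" % (pid, parent, expected["parent"])))
    return findings


# Constructed baseline: process name -> owner and expected parent.
BASELINE = {
    "sched":    {"uid": "root",   "parent": None},
    "init":     {"uid": "root",   "parent": "sched"},
    "inetd":    {"uid": "root",   "parent": "init"},
    "syslogd":  {"uid": "root",   "parent": "init"},
    "sendmail": {"uid": "root",   "parent": "init"},
    "cron":     {"uid": "root",   "parent": "init"},
    "httpd":    {"uid": "nobody", "parent": "init"},
}

# Constructed `ps -ef` output: syslogd is gone, httpd runs as root, an
# interactive shell hangs off httpd, and a second inetd was started from that shell.
PS_EF_SAMPLE = """\
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0   Mar 30 ?        0:01 sched
    root     1     0  0   Mar 30 ?        0:00 /etc/init -
    root   123     1  0   Mar 30 ?        0:00 /usr/sbin/inetd -s
    root   160     1  0   Mar 30 ?        0:00 /usr/lib/sendmail -bd -q15m
    root   220     1  0   Mar 30 ?        0:00 /usr/sbin/cron
    root   301     1  0 12:50:02 ?        0:00 /usr/local/sbin/httpd
    root   355   301  0 13:02:40 ?        0:00 /bin/sh -i
    root   420   355  0 13:05:12 ?        0:00 /usr/sbin/inetd -s
"""

if __name__ == "__main__":
    for kind, name, detail in check_processes(parse_ps(PS_EF_SAMPLE), BASELINE):
        print("%-15s %-9s %s" % (kind, name, detail))
```

A missing syslogd is as significant as an unexpected shell: it means the /var/adm/messages review described earlier has nothing to work with for the period it was down. Pair this comparison with the open-files and network-socket questions from the slides (lsof or pfiles on the flagged pids, netstat -an for the sockets) before deciding whether a finding is explained by known activity.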