Investigating Unix System
Information Networking Security and Assurance Lab, National Chung Cheng University

Slide 2: Outline
Preface
Review all pertinent logs
Perform keyword searches
Review relevant files
Identify unauthorized user accounts or groups
Identify rogue processes
Check for unauthorized access points
Analyze trust relationships
Check for kernel module rootkits

Slide 3: Preface

Slide 4: 4W + 1H
Who, What, When, Where, How: the five questions every investigation has to answer, and the frame for every check that follows.

Slide 5: Review all pertinent logs

Slide 6: Common log directories
/var/log/
/usr/adm/
/var/adm/
The central log server, if syslog forwards there
Which of these exist, and what they hold, depends on the flavor of Unix you are investigating.

Slide 7: System log (1/3)
Captures events from programs and subsystems within Unix.
Written by the syslogd daemon, whose behaviour is controlled by /etc/syslog.conf.
Can forward messages to another host across the network.

Slide 8: System log (2/3)
Each rule in /etc/syslog.conf is a selector (facility.priority) followed by an action.
The facility, i.e. the source of the event: auth (security), authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, local0-7
The priority level, lowest to highest: debug, info, notice, warning, err, crit, alert, emerg
The action: where matching messages are written (a file, a remote host, a list of logged-in users, or the console)

Slide 9: System log (3/3)
Fields of a logged message: time/date, hostname, program name and PID, the operation, and (for network daemons) the client IP address.
If an action field in /etc/syslog.conf begins with "@", messages are also being sent to a remote syslog server. Collect that server's copy as well: it is the one an intruder on this host could not edit.
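Two small helpers for this slide, written as an added shell example (not part of the original deck): one lists the remote targets in a syslog.conf, the other splits a classic syslog line into the fields named above. The syslog.conf content and the log line are constructed here; the "@@host" TCP form is rsyslog syntax and is assumed, not part of classic syslogd.

```shell
# Constructed sample of a classic /etc/syslog.conf (not taken from any real host).
make_sample_syslog_conf() {
  cat <<'EOF'
# selector                action
*.info;mail.none          /var/log/messages
authpriv.*                /var/log/secure
auth,authpriv.*           @loghost.example.com
kern.crit                 @@loghost2.example.com
*.emerg                   *
EOF
}

# Print "selector<TAB>host" for every rule whose action begins with '@'.
# '@host' is the classic UDP forwarding form; '@@host' is rsyslog's TCP form (assumed).
syslog_remote_targets() {
  awk 'NF > 0 && $1 !~ /^#/ && $2 ~ /^@/ {
         host = $2; sub(/^@@?/, "", host); print $1 "\t" host
       }' "$1"
}

# Split one classic syslog line into date|host|program|pid|message.
# Assumed format: "Mon DD HH:MM:SS host program[pid]: message" (pid optional).
syslog_fields() {
  printf '%s\n' "$1" | awk '{
    date = $1 " " $2 " " $3; host = $4; tag = $5
    sub(/:$/, "", tag)
    prog = tag; pid = ""
    if (match(tag, /\[[0-9]+\]$/)) {
      prog = substr(tag, 1, RSTART - 1)
      pid  = substr(tag, RSTART + 1, RLENGTH - 2)
    }
    msg = ""
    for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
    print date "|" host "|" prog "|" pid "|" msg
  }'
}
```

Run `syslog_remote_targets /etc/syslog.conf` on the suspect host first; if it prints anything, the listed hosts hold a second copy of the logs that should be pulled before anything else is touched.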

Slide 10: TCP Wrapper
A host-based access control service for daemons started from /etc/inetd.conf: inetd hands each connection to /usr/sbin/tcpd, which decides as follows.
A connection request arrives.
Check /etc/hosts.allow for a matching rule: if one matches, allow.
Otherwise check /etc/hosts.deny for a matching rule: if one matches, deny.
Otherwise allow (no rule in either file means the connection is permitted).
Review both files: an added line in hosts.allow is a quiet way to reopen a service that the administrator believed was blocked.
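The decision order on this slide, as an added shell example that is not part of the original deck. The matcher is deliberately simplified (ALL, an exact address, or a network prefix ending in a dot); real tcpd also understands KNOWN, UNKNOWN, PARANOID, LOCAL, EXCEPT, leading-dot domain suffixes and net/mask pairs. The two rule files are constructed here.

```shell
# Constructed sample rule files (not from a real host).
make_sample_hosts_allow() {
  cat <<'EOF'
# daemon_list : client_list
sshd                : 10.0.0. , 192.168.1.20
in.ftpd, in.telnetd : 192.168.1.20
EOF
}
make_sample_hosts_deny() {
  printf 'ALL : ALL\n'
}

# Does rule file $1 hold a rule matching daemon $2 from client $3?
# Simplified matcher: client token is ALL, an exact address, or a prefix ending in '.'.
wrapper_rule_matches() {
  rule_file=$1; want_daemon=$2; want_client=$3
  while IFS= read -r line; do
    case $line in ''|\#*) continue ;; esac
    dlist=${line%%:*}
    rest=${line#*:}
    clist=${rest%%:*}            # a third field, if present, is a shell command; ignore it
    dmatch=0
    for d in $(printf '%s' "$dlist" | tr ',' ' '); do
      if [ "$d" = ALL ] || [ "$d" = "$want_daemon" ]; then dmatch=1; fi
    done
    [ "$dmatch" -eq 1 ] || continue
    for c in $(printf '%s' "$clist" | tr ',' ' '); do
      case $c in
        ALL) return 0 ;;
        *.)  case $want_client in "$c"*) return 0 ;; esac ;;
        *)   if [ "$c" = "$want_client" ]; then return 0; fi ;;
      esac
    done
  done < "$rule_file"
  return 1
}

# tcpd's order: hosts.allow first, then hosts.deny, default allow.
# Usage: tcpd_decide /etc/hosts.allow /etc/hosts.deny sshd 10.0.0.7
tcpd_decide() {
  if wrapper_rule_matches "$1" "$3" "$4"; then echo allow
  elif wrapper_rule_matches "$2" "$3" "$4"; then echo deny
  else echo allow
  fi
}
```

The last branch is the one to remember during an investigation: a host with no hosts.deny at all, or one whose `ALL : ALL` line has been commented out, accepts every connection the daemons themselves permit.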

Slide 11: Other network logs
Example: xferlog, the FTP transfer log. Each entry records:
time/date
the number of seconds the transfer took
the remote host
the number of bytes
the transferred file
the type of file transfer (a for ascii, b for binary)
the direction of transfer (o outgoing, i incoming)
the access mode (a anonymous, g guest, r real user)

Slide 12: su command logs
su records each attempt through the authpriv facility, on many systems in /var/log/auth.log:
successful su attempts, showing who became which user and from which terminal
failed su attempts, which are the ones to read first: repeated failures by a service account point at a compromised daemon trying to escalate

Slide 13: Logged-on user logs
utmp (read with who and w) and wtmp (read with last) are binary files.
/var/run/utmp: users currently logged on
/var/log/wtmp: history of logins and logouts
Many common hacker programs, such as zap, can selectively remove entries from these files, so they can prove that a login happened but never that one did not.

Slide 14: History file
The shell history file logs every command a user ran, along with its command-line options.
It lives in the user's home directory (for bash, ~/.bash_history).

Slide 15: Some evidence you must care about
An attacker who wants no command record links ~/.bash_history to /dev/null so the shell writes nothing.
Something you must check: a history file that is a symlink, that is empty, or that stops just before the suspected intrusion is itself evidence, and should be recorded as such.
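Two checks from the su-log and history-file slides, as an added shell example that is not part of the original deck. The auth.log excerpt is constructed; the "FAILED su for <target> by <user>" message format varies by distribution and is assumed here.

```shell
# Constructed /var/log/auth.log excerpt (message format assumed; it differs between distributions).
make_sample_auth_log() {
  cat <<'EOF'
Mar  3 10:15:42 hostA su[2201]: FAILED su for root by alice
Mar  3 10:15:49 hostA su[2203]: FAILED su for root by alice
Mar  3 10:16:01 hostA su[2207]: Successful su for root by alice
Mar  3 10:16:02 hostA su[2207]: + /dev/pts/0 alice:root
Mar  3 11:02:13 hostA su[2390]: FAILED su for root by www-data
Mar  3 11:02:20 hostA su[2391]: FAILED su for root by www-data
Mar  3 11:02:27 hostA su[2392]: FAILED su for root by www-data
Mar  3 11:40:00 hostA sshd[2410]: Accepted publickey for bob from 10.0.0.9 port 51022 ssh2
EOF
}

# Summarise su attempts as "user->target outcome count", sorted.
# A service account such as www-data trying su is a strong sign of a web shell.
su_summary() {
  awk '$5 ~ /^su\[/ && $6 == "FAILED"     { n[$NF "->" $(NF-2) " failed"]++ }
       $5 ~ /^su\[/ && $6 == "Successful" { n[$NF "->" $(NF-2) " ok"]++ }
       END { for (k in n) print k, n[k] }' "$1" | sort
}

# Print the users under $1 (e.g. /home) whose .bash_history is a symlink to /dev/null.
# Remember to run the same check on /root, which is not under /home.
history_linked_to_devnull() {
  for dir in "$1"/*/; do
    h=$dir.bash_history
    if [ -L "$h" ] && [ "$(readlink "$h")" = /dev/null ]; then
      basename "$dir"
    fi
  done
}
```

Run `su_summary /var/log/auth.log` and `history_linked_to_devnull /home` early: both are cheap and both frequently decide which accounts the rest of the investigation should centre on.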

Slide 16: Perform keyword searches

Slide 17: grep
Arguments: the item you want to search for, and the location to search.
By default grep only reports "Binary file ... matches" for files that look binary; add the -a option to treat them as text and print the matching content.
The -r option searches recursively through a directory tree.

Slide 18: grep
You can search an entire raw device (grep -a on the disk's device node) rather than the mounted file system, which also reaches strings left in deleted files and unallocated space.

Slide 19: find
Search from the root directory (/) so that nothing outside the obvious places is missed.
Use its regular-expression and name matching to pick out the file names you are hunting for.
For the full set of tests, see man find.
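A keyword search over an evidence tree that combines the grep options from these slides (-r, -a, and a keyword list read with -F -f), written as an added shell example that is not part of the original deck. The directory contents, including the fake binary, are constructed here.

```shell
# Constructed evidence tree: a text log, a binary with an embedded string, and noise.
make_sample_tree() {
  root=$1
  mkdir -p "$root/var/log" "$root/tmp/.x"
  printf 'Mar  3 10:15:42 hostA sshd[2410]: Accepted password for root from 203.0.113.9\n' \
    > "$root/var/log/auth.log"
  # An ELF-like blob: NUL bytes around the attacker's callback address (constructed).
  printf '\177ELF\000\000\000connect-back 203.0.113.9:4444\000\000\000' > "$root/tmp/.x/bd"
  printf 'nothing to see here\n' > "$root/tmp/notes.txt"
}

# Keyword search: -r recurse, -a treat binaries as text, -o print only the matched
# strings, -F -f read fixed-string keywords (IPs, hostnames, tool names) from a file.
# Output is "path:keyword", one line per hit, sorted.
keyword_search() {
  keywords=$1; root=$2
  grep -r -a -o -F -f "$keywords" "$root" | sort
}
```

Without -a the hit inside tmp/.x/bd would be reported only as "Binary file matches", hiding which keyword and which surrounding bytes were found. The same `grep -a -o` works on a raw device node, but expect a very large output there and redirect it to a file on separate media.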

Slide 20: Review relevant files

Slide 21: atime, mtime, ctime
Every file carries three timestamps: atime (last read), mtime (last change to the content), and ctime (last change to the inode: permissions, owner, link count, or content). touch can back-date atime and mtime, but not ctime.
Example task: capture every file accessed around a specific atime, with find -atime -N (accessed less than N days ago) or find -anewer against a reference file.

Slide 22: SUID, SGID
The set-user-ID and set-group-ID bits let a program run with the privileges of its owner or group (usually higher than the caller's) rather than those of the invoking user.
Search for SUID files, for example find / -type f -perm -4000, and compare the result with a known-good system: an unexpected SUID copy of a shell or system binary is a classic backdoor.

Slide 23: Some important files
Configuration files:
/etc/hosts.allow
/etc/hosts.deny
...
Startup and scheduled-job files:
/var/spool/cron/
/usr/spool/cron/
/etc/rc.d
/etc/rc[0-6].d
/tmp/: anything suspicious left behind
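The timestamp and SUID checks from slides 21 and 22 as one added shell example (not part of the original deck). The directory tree is constructed; it includes a file copied with cp -p, which keeps the old mtime but still gets a fresh ctime, to show why ctime matters in an investigation.

```shell
# Constructed tree: a fresh file, a back-dated file, a cp -p copy of it, and a SUID shell.
make_sample_fs() {
  root=$1
  mkdir -p "$root/usr/bin" "$root/tmp"
  printf 'fresh\n' > "$root/tmp/fresh"
  printf 'old\n'   > "$root/tmp/old"
  touch -t 200001010000 "$root/tmp/old"        # atime/mtime back-dated to 2000-01-01
  cp -p "$root/tmp/old" "$root/tmp/old.copy"   # keeps the old mtime; ctime is still "now"
  printf '#!/bin/sh\nexec /bin/sh\n' > "$root/usr/bin/.sh"
  chmod 4755 "$root/usr/bin/.sh"               # SUID bit set on a hidden shell wrapper
}

# Files whose content changed less than N days ago (mtime).
modified_within_days() { find "$1" -type f -mtime "-$2" | sort; }

# Files whose inode changed less than N days ago (ctime): catches the cp -p trick,
# because an attacker can set mtime with touch or cp -p but cannot set ctime.
changed_within_days() { find "$1" -type f -ctime "-$2" | sort; }

# SUID or SGID regular files under $1.
find_setid_files() { find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort; }
```

Against a live system run `find_setid_files /` and `changed_within_days / 7`, and diff the first list against the same command on a clean install of the same release; reading the live disk from a trusted boot medium avoids a rootkit hiding entries from find.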

Slide 24: Identify unauthorized user accounts or groups

Slide 25: /etc/passwd, /etc/group
Each /etc/passwd entry has seven fields: username, password (or x when shadowed), UID, GID, comment, home directory, login shell.
Look for a UID of 0 on any account other than root, duplicate UIDs, empty password fields, home directories in odd places such as /tmp, and service accounts that have been given a login shell.
/etc/group: check who has been added to privileged groups such as root or wheel.
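The account checks on this slide as an added shell example (not part of the original deck), run over a constructed /etc/passwd and /etc/group that contain one example of each problem.

```shell
# Constructed /etc/passwd and /etc/group (not from a real host).
make_sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0::/:/bin/sh
backdoor:x:1000:1000::/tmp:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
EOF
}
make_sample_group() {
  cat <<'EOF'
root:x:0:
wheel:x:10:alice,backdoor
users:x:100:alice,bob
EOF
}

# UID 0 accounts other than root: each one is a root-equivalent login.
passwd_extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# UIDs shared by more than one name: the second name owns the first one's files.
passwd_duplicate_uids() {
  awk -F: '{ n[$3]++; names[$3] = names[$3] " " $1 }
           END { for (u in n) if (n[u] > 1) print u ":" names[u] }' "$1" | sort
}

# Empty password field: anyone can log in as this user with no password at all.
passwd_empty_password() { awk -F: '$2 == "" { print $1 }' "$1"; }

# Accounts with a real shell whose home is outside /home and /root (prints name:home).
passwd_odd_homes() {
  awk -F: '$7 !~ /nologin|false$/ && $6 !~ /^\/(home|root)/ { print $1 ":" $6 }' "$1"
}

# Members of privileged groups, from /etc/group.
group_privileged_members() {
  awk -F: '($1 == "root" || $1 == "wheel") && $4 != "" { print $1 ": " $4 }' "$1"
}
```

Run each function against the host's real files and against the same files from a trusted backup; a name that appears only on the live host is the fastest way to find an account added during the intrusion.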

Slide 26: Identify rogue processes

Slide 27: Example
Use ps (for example ps -ef or ps aux) to list every running process, and netstat (netstat -anp on Linux, which adds the owning PID) to map every listening socket to the process behind it. Any process or listener you cannot account for is a candidate rogue process, and a listener whose owner does not show up in ps at all suggests the ps output is being filtered.

Slide 28: Check for unauthorized access points

Slide 29: Your open services
When conducting an investigation of a Unix system, examine every network service as a potential access point: the ports in the listening state, the entries in /etc/inetd.conf, and the daemons started from the rc scripts.

Slide 30: Analyze trust relationships

Slide 31: Something you must care about
Trust relationships (HostA trusts HostB, so a user on HostB logs in to HostA without a password):
/etc/hosts.equiv
$HOME/.rhosts
A compromised trusted host gives the attacker every host that trusts it, so review these files on every machine in the trust chain, not only the one first reported.
Sniffers and ARP redirection, which let an attacker on the same segment impersonate a trusted host: dsniff, arpredirect
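A check for the most dangerous form of these trust files, the "+" wildcard that trusts any host or any user, as an added shell example that is not part of the original deck. The files are constructed under a temporary root so the function can be run offline; pass / as the root on a live system.

```shell
# Constructed trust files (not from a real host).
make_sample_trust() {
  root=$1
  mkdir -p "$root/etc" "$root/home/alice" "$root/home/bob"
  printf 'hostB\n+\n'      > "$root/etc/hosts.equiv"      # "+" alone: trust every host
  printf 'hostB alice\n'   > "$root/home/alice/.rhosts"   # a specific host and user
  printf '+ +\n'           > "$root/home/bob/.rhosts"     # any user from any host
}

# Report every hosts.equiv / .rhosts line that trusts any host ("+" in the host field)
# or any user ("+" in the user field). Prints "file: line".
rhosts_wildcards() {
  root=$1
  for f in "$root/etc/hosts.equiv" "$root"/home/*/.rhosts; do
    [ -f "$f" ] || continue
    awk -v f="$f" '$1 == "+" || $2 == "+" { print f ": " $0 }' "$f"
  done
}
```

A wildcard in root's own .rhosts (under /root, which this loop does not visit unless you add it) is the worst case: it makes every host on the network a root-equivalent login.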

Slide 32: Check for kernel module rootkits

Slide 33: Rootkits and LKMs
What is different: have system binaries (ls, ps, netstat, login) been modified or replaced, which a user-level rootkit does, or has the kernel itself been altered through a loadable kernel module, which leaves the binaries intact but lies to them?
How to detect:
external: examine the disk from a trusted system (boot media or a second host), where the compromised kernel is not running and cannot hide anything
internal: run checks on the live system, remembering that an LKM rootkit can hide files, processes and connections from every tool you run there

Slide 34: Some tools
chkrootkit: checks system binaries and common rootkit traces
KSTAT: inspects kernel structures for signs of a loaded rootkit module