Presentation is loading. Please wait.

Presentation is loading. Please wait.

Va-scanCopyright 2002, Marchany Securing Solaris – Using syslogs during an Intrusion Randy Marchany.

Published byRandolf Walters Modified over 9 years ago

Similar presentations

Presentation on theme: "Va-scanCopyright 2002, Marchany Securing Solaris – Using syslogs during an Intrusion Randy Marchany."— Presentation transcript:

1 va-scanCopyright 2002, Marchany Securing Solaris – Using syslogs during an Intrusion Randy Marchany

2 va-scanCopyright 2002, Marchany Introduction  Reference document: “Inspecting your Solaris system and network logs for evidence of intrusions”, www.cert.org/security- improvements/implementations/i003.html www.cert.org/security- improvements/implementations/i003.html  Inspect log files daily  Document unusual entries you find

3 va-scanCopyright 2002, Marchany Introduction  Investigate each documented abnormality – Can it be explained by an authorized user? – Can it be explained by known system activity? – Can it be explained by known changes to programs?  Report all confirmed evidence of intrusion to your sysadmin (Milko) or abuse@vt.edu.

4 va-scanCopyright 2002, Marchany System Log Files  Most log information is sent to /var/adm/messages.  Mail.debug information is sent to /var/log/syslog or /var/adm/syslog.  Auth.notice aren’t logged by default.  Check /etc/syslog.conf for the exact locations of the system log files.

5 va-scanCopyright 2002, Marchany System Log Files  /var/adm/messages – Records system console outpu and syslog messages. – Look for unexpected system halts Mar 31 12:48:31 unix: halted by – Look for unexpected system boots – Look for failed su and login commands – Look for unexpected successful su commands

6 va-scanCopyright 2002, Marchany System Log Files  /var/adm/pacct – Records all commands run by users. Process accounting must be enabled before this file is generated. – lastcomm command will show the commands  /var/adm/aculog – Keeps track of dial-out modems – Look for dial-out records or unauthorized use of dial-out modems

7 va-scanCopyright 2002, Marchany System Log Files  /var/log/syslog – Contains the sendmail log entries for the system. – TCP Wrapper, portsentry loggers write their entries to this file.

8 va-scanCopyright 2002, Marchany Process Analysis  Normal System Functions – What processes do you expect to be running on this system?  System Users – Is it normal for each of these users to be using the system at this time of day? – From where are they accessing the system? Is this expected?

9 va-scanCopyright 2002, Marchany Process Analysis  Executing Processes – How was the process started? By what user? – What is the current status of the process? Running, stopped, suspended, swapped out, exiting? – Is it missing from the processes you expected to be active? – What system setting are in effect for this process.

10 va-scanCopyright 2002, Marchany Process Analysis  Executing Processes – What options or input arguments is the process executing? Are they valid? – Are the system resources being used consistent with what you expect the process to be using? – What is the relationship between the process and other processes running on the system? Is there a parent-child relationship?

11 va-scanCopyright 2002, Marchany Process Analysis  Open Files – What files are opened by the process? – Are they authorized to open these files? – Any access to sensitive system files, e.g., password files? – Any unauthorized attempts to open a file? – Any file access errors? – What files are imported or exported?

12 va-scanCopyright 2002, Marchany Process Analysis  Network Connections – Has the process opened any network connections to external sites? – Have any connection failures been recorded? – Have there been any unexpected connections? – Are there any open network sockets that can’t be attributable to valid processes? – What mode is each socket open? – Are all of the network interfaces operating as expected?

Download ppt "Va-scanCopyright 2002, Marchany Securing Solaris – Using syslogs during an Intrusion Randy Marchany."

Similar presentations

Router Configuration PJC CCNA Semester 2 Ver. 3.0 by William Kelly.

Router Configuration PJC CCNA Semester 2 Ver. 3.0 by William Kelly.
Operating-System Structures

Operating-System Structures
Creating a Login Process Creating a users table and a login form that denies access to unauthorized users.

Creating a Login Process Creating a users table and a login form that denies access to unauthorized users.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
June 1, 1999Foreground/Background Processing1 Introduction to UNIX H. Foreground/Background Processing.

June 1, 1999Foreground/Background Processing1 Introduction to UNIX H. Foreground/Background Processing.
Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.

Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.
Lesson 10-Controlling User Processes. Overview Managing and processing processes. Managing jobs. Exiting/quitting when jobs have been stopped.

Lesson 10-Controlling User Processes. Overview Managing and processing processes. Managing jobs. Exiting/quitting when jobs have been stopped.
Unix Refresher This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.

Unix Refresher This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.
CCNA 2 v3.1 Module 2.

CCNA 2 v3.1 Module 2.
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.
Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.

Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.
Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.

Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.
1 Semester 2 Module 2 Introduction to Routers Yuda college of business James Chen

1 Semester 2 Module 2 Introduction to Routers Yuda college of business James Chen
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.
1 Chapter 2 ROUTER FUNDAMENTALS By: Tassos Tassou.

1 Chapter 2 ROUTER FUNDAMENTALS By: Tassos Tassou.
1 Chapter Overview Monitoring Server Performance Monitoring Shared Resources Microsoft Windows 2000 Auditing.

1 Chapter Overview Monitoring Server Performance Monitoring Shared Resources Microsoft Windows 2000 Auditing.
1 Chapter Overview Planning an Audit Policy Implementing an Audit Policy Using Event Viewer.

1 Chapter Overview Planning an Audit Policy Implementing an Audit Policy Using Event Viewer.

Similar presentations

Ads by Google