Information Networking Security and Assurance Lab, National Chung Cheng University

Investigating Unix System
Outline
- Preface
- Review all pertinent logs
- Perform keyword searches
- Review relevant files
- Identify unauthorized user accounts or groups
- Identify rogue processes
- Check for unauthorized access points
- Analyze trust relationships
- Check for kernel module rootkits
Section: Preface
4W + 1H: Who, What, When, Where, How
Section: Review all pertinent logs
Common log directories
- /var/log/
- /usr/adm/
- /var/adm/
- On the log server
Which of these applies depends on the flavor of Unix you use!!
System log (1/3)
- Captures events from programs and subsystems within Unix
- Controlled by /etc/syslog.conf
- Written by syslogd
- Can log messages across a network
System log (2/3): the /etc/syslog.conf selector and action
- The facility (type): auth (security), authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp, local0-7
- The priority (level): debug, info, notice, warning, err, crit, alert, emerg
- The action: where matching messages are sent (set in /etc/syslog.conf)
System log (3/3): fields of a log entry
- Time/Date
- HostName
- Program and PID
- Operation
- IP Address
If the action field contains the string "@remote_host", a remote syslog server is in use.
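Added example (not from the slides): a POSIX sh script over a constructed /etc/syslog.conf and constructed auth.log lines. It lists the selectors whose action starts with "@" (forwarded to a remote syslog server) and splits a classic syslog entry into the Time/Date, HostName, Program and PID fields named above; the host names and log lines are made up for the example.

```shell
#!/bin/sh
# Constructed /etc/syslog.conf (not from a real host). Selectors are "facility.priority";
# actions are a file, a remote host ("@host") or "*" for every logged-in user.
SYSLOG_CONF='# constructed sample
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none  -/var/log/syslog
kern.*                  -/var/log/kern.log
auth,authpriv.*         @loghost.example
*.emerg                 *'

# Print "selector host" for every rule whose action forwards to a remote syslog server.
syslog_remote_targets() {
    printf '%s\n' "$SYSLOG_CONF" | awk '
        /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
        $2 ~ /^@/ { host = $2; sub(/^@/, "", host); print $1, host }'
}

# Split a classic syslog line into "Time/Date|HostName|Program|PID".
# Layout: Mon DD HH:MM:SS host program[pid]: message   (pid is optional)
syslog_fields() {
    printf '%s\n' "$1" | awk '{
        prog = $5; sub(/:$/, "", prog); pid = "-"
        if (match(prog, /\[[0-9]+\]$/)) {              # program[pid] -> two fields
            pid  = substr(prog, RSTART + 1, RLENGTH - 2)
            prog = substr(prog, 1, RSTART - 1)
        }
        print $1 " " $2 " " $3 "|" $4 "|" prog "|" pid
    }'
}

# Constructed failed-su record as the su command logs it to /var/log/auth.log
SAMPLE_LINE='Mar 12 03:14:15 webhost su[4321]: FAILED su for root by bob'

syslog_remote_targets           # auth,authpriv.* loghost.example
syslog_fields "$SAMPLE_LINE"    # Mar 12 03:14:15|webhost|su|4321
```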
TCP Wrapper
- A host-based access control service (/etc/inetd.conf), /usr/sbin/tcpd
- Connection request:
  1. Check /etc/hosts.allow for a matching rule: Yes -> Allow; No -> next step
  2. Check /etc/hosts.deny for a matching rule: Yes -> Deny; No -> Allow
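Added example (not from the slides): the tcpd decision order above, modelled in POSIX sh over constructed hosts.allow and hosts.deny contents. Matching is simplified to ALL, an exact name or address, and a trailing-dot network prefix; real tcpd also handles host names, EXCEPT lists and option fields, which are left out here.

```shell
#!/bin/sh
# Constructed /etc/hosts.allow and /etc/hosts.deny (not from a real host).
# Rule form: "daemon_list : client_list"; a pattern is ALL, a name/address,
# or a network prefix ending in "." such as 192.168.1.
HOSTS_ALLOW='sshd : 192.168.1.
ALL : 127.0.0.1'
HOSTS_DENY='ALL : 10.
ftpd : ALL'

# Does pattern $1 match value $2?
tw_match() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # network prefix match
    esac
    [ "$1" = "$2" ]
}

# Does any rule in the file text $1 match service $2 requested by client $3?
tw_file_matches() {
    while IFS=: read -r daemons clients; do
        [ -n "$daemons" ] || continue                   # blank line
        for d in $daemons; do
            tw_match "$d" "$2" || continue
            for c in $clients; do
                if tw_match "$c" "$3"; then return 0; fi
            done
        done
    done <<EOF
$1
EOF
    return 1
}

# tcpd's order: a hosts.allow match grants access; otherwise a hosts.deny match
# refuses it; a request matching neither file is allowed.
tcpd_decision() {
    if   tw_file_matches "$HOSTS_ALLOW" "$1" "$2"; then echo Allow
    elif tw_file_matches "$HOSTS_DENY"  "$1" "$2"; then echo Deny
    else echo Allow
    fi
}

tcpd_decision sshd    192.168.1.7   # Allow (hosts.allow: sshd : 192.168.1.)
tcpd_decision sshd    10.0.0.5      # Deny  (hosts.deny: ALL : 10.)
tcpd_decision ftpd    172.16.0.1    # Deny  (hosts.deny: ftpd : ALL)
tcpd_decision telnetd 172.16.0.1    # Allow (matches neither file)
```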
Other Network Logs
Example: xferlog, whose fields are
- Time/Date
- The number of seconds that the transfer took
- The remote host
- The number of bytes
- The transferred file
- The type of file transfer
- The direction of transfer
- The access mode
su Command Logs
- /var/log/auth.log
- Successful su attempts
- Unsuccessful su attempts
Logged-on User Logs
- utmp (who, w), wtmp (last)
- Binary files
- Many common hacker programs, such as zap, can selectively remove entries from these files
- /var/log/wtmp
- /var/run/utmp
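Added example (not from the slides): cross-checking sshd "Accepted" lines from auth.log against the output of last, so a login whose wtmp record was removed stands out. Both inputs are constructed; the sshd message layout assumed is the one OpenSSH writes.

```shell
#!/bin/sh
# Constructed sshd entries from /var/log/auth.log: three accepted logins.
AUTH_LOG='Mar 12 03:14:15 webhost sshd[4321]: Accepted password for alice from 192.168.1.7 port 50110 ssh2
Mar 12 03:20:02 webhost sshd[4402]: Accepted publickey for bob from 10.0.0.5 port 50111 ssh2
Mar 12 03:25:40 webhost sshd[4510]: Accepted password for carol from 172.16.0.9 port 50112 ssh2'

# Constructed output of last (read from /var/log/wtmp). bob's session is absent,
# which is what a tool that deletes single wtmp entries leaves behind.
LAST_OUT='alice    pts/0        192.168.1.7      Sun Mar 12 03:14   still logged in
carol    pts/1        172.16.0.9       Sun Mar 12 03:25 - 03:40  (00:15)
reboot   system boot  5.10.0-generic   Sat Mar 11 22:00   still running'

# Print "user host" for every accepted sshd login that wtmp never recorded.
# The last output is indexed first; auth.log is handed to awk as a variable.
logins_missing_from_wtmp() {
    printf '%s\n' "$LAST_OUT" | awk -v auth="$AUTH_LOG" '
        $1 != "reboot" && $1 != "" { seen[$1 " " $3] = 1 }   # user + source host
        END {
            n = split(auth, lines, "\n")
            for (i = 1; i <= n; i++) {
                if (lines[i] !~ /sshd\[[0-9]+\]: Accepted /) continue
                split(lines[i], f, " ")
                # ... sshd[pid]: Accepted <method> for <user> from <host> port ...
                user = f[9]; host = f[11]
                if (!((user " " host) in seen)) print user, host
            }
        }'
}

logins_missing_from_wtmp    # bob 10.0.0.5
```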
History file
- Logs all commands, along with their command-line options
- Kept in the user's home directory
Some evidence you must care about!!
- .bash_history linked to /dev/null (no commands are recorded)
Section: Perform keyword searches
grep
- The item you want to search for
- The location to search
- Search binary files with the -a option
- -r option: recursive mode
- You can search the entire raw device!!
find
- Search from the root directory!
- The regular expression for "..."
- For more detail, see man find
Section: Review relevant files
atime, mtime, ctime
- Example: capturing files with a specific atime!!
SUID, SGID
- Allow programs to operate with another (higher-privileged) user's or group's privileges
- Search for SUID files!!
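Added example (not from the slides) for the atime/mtime/ctime and SUID/SGID slides: find invocations for setuid files and for files selected by atime, run against a small constructed directory tree created in a temp dir so it works offline. Only -perm and -atime are shown; -mtime and -ctime take the same argument form.

```shell
#!/bin/sh
# Build a small constructed tree in a temp dir and print its root so the caller
# can search it and remove it afterwards.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/tmp"
    printf 'x' > "$root/bin/passwd"; chmod 4755 "$root/bin/passwd"   # setuid where expected
    printf 'x' > "$root/tmp/.sh";    chmod 4755 "$root/tmp/.sh"      # setuid, hidden in tmp
    printf 'x' > "$root/tmp/notes";  chmod 644  "$root/tmp/notes"
    touch -a -t 202001010000 "$root/tmp/notes"                       # old atime, fresh mtime
    echo "$root"
}

# Every regular file under $1 with the setuid bit (mode 4000) set.
# -perm -4000 matches when that bit is set, whatever the other bits are.
find_suid() {
    find "$1" -type f -perm -4000 | LC_ALL=C sort
}

# Regular files under $1 last accessed less than $2 days ago (atime).
# find counts whole 24-hour periods, so -atime -1 means "within the last day".
find_accessed_within_days() {
    find "$1" -type f -atime "-$2" | LC_ALL=C sort
}

root=$(make_sample_tree)
echo "setuid files:";      find_suid "$root"                  # bin/passwd and tmp/.sh
echo "accessed today:";    find_accessed_within_days "$root" 1 # the two just-created files
rm -rf "$root"
```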
Some important files!!
- Configuration files: /etc/hosts.allow, /etc/hosts.deny, …
- Startup files: /var/spool/cron/, /usr/spool/cron/, /etc/rc.d, /etc/rc[0-6].d
- /tmp/: anything suspicious
Section: Identify unauthorized user accounts or groups
/etc/passwd, /etc/group
- UID
- GID
- The home directory
- The login shell
- /etc/group
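Added example (not from the slides): an awk pass over constructed /etc/passwd and /etc/group contents that reports the points this slide says to review: a second UID 0 account, shared UIDs, home directories in world-writable places, system accounts with a login shell, and extra members of the root or wheel group. All account names and entries are made up.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/group (not from a real host).
# passwd fields: name:password:UID:GID:GECOS:home:shell
PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/tmp:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/bash'
GROUP='root:x:0:
wheel:x:10:alice,toor
adm:x:4:alice'

# One line per finding: UID 0 under another name, a UID shared with an earlier
# entry, a home directory under /tmp, /var/tmp or /dev, and a system account
# (UID < 1000) that can log in with sh or bash.
suspicious_accounts() {
    printf '%s\n' "$PASSWD" | awk -F: '
        $3 == 0 && $1 != "root"   { print $1 ": uid 0 but not root" }
        seen[$3]++                { print $1 ": shares uid " $3 " with " first[$3] }
        !($3 in first)            { first[$3] = $1 }
        $6 ~ /^\/(tmp|var\/tmp|dev)(\/|$)/ { print $1 ": home directory in " $6 }
        $3 < 1000 && $1 != "root" && $7 ~ /\/(ba)?sh$/ {
            print $1 ": system account with interactive shell " $7 }'
}

# Members listed in the GID 0 group or in wheel (which commonly gates su).
privileged_group_members() {
    printf '%s\n' "$GROUP" | awk -F: '($3 == 0 || $1 == "wheel") && $4 != "" { print $1 ": " $4 }'
}

suspicious_accounts           # four lines about toor, one about www-data
privileged_group_members      # wheel: alice,toor
```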
Section: Identify rogue processes
Some examples
- Use the ps and netstat commands to detect rogue processes!!
Section: Check for unauthorized access points
Your open services!
When conducting your investigation of the Unix system, you will need to examine all network services as potential access points.
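Added example (not from the slides) for the rogue-process slide and the open-services slide: the listening sockets from netstat are matched to the ps listing by PID, so a listener whose executable lives outside the system directories, or that ps does not show at all, is reported. Both command outputs are constructed; the column layout assumed is that of Linux netstat -tlnp and ps -eo pid,ppid,user,comm,args.

```shell
#!/bin/sh
# Constructed `netstat -tlnp` output (last column is PID/Program name).
NETSTAT_OUT='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  612/sshd
tcp        0      0 127.0.0.1:25     0.0.0.0:*        LISTEN  701/master
tcp        0      0 0.0.0.0:80       0.0.0.0:*        LISTEN  1200/httpd
tcp        0      0 0.0.0.0:2222     0.0.0.0:*        LISTEN  2231/httpd
tcp        0      0 0.0.0.0:6667     0.0.0.0:*        LISTEN  3100/sh'

# Constructed `ps -eo pid,ppid,user,comm,args` output. PID 3100 is missing on purpose:
# a socket netstat sees but ps does not is a sign that ps or the kernel is hiding it.
PS_OUT='  PID  PPID USER     COMMAND         COMMAND
  612     1 root     sshd            /usr/sbin/sshd -D
  701     1 root     master          /usr/lib/postfix/sbin/master
 1200     1 root     httpd           /usr/sbin/httpd -k start
 2231  1200 www-data httpd           /tmp/.x/httpd'

# For each LISTEN socket: look the PID up in ps and report a missing entry or
# an executable outside the usual system directories.
rogue_listeners() {
    printf '%s\n' "$NETSTAT_OUT" | awk -v ps="$PS_OUT" '
        BEGIN {
            n = split(ps, lines, "\n")
            for (i = 2; i <= n; i++) {             # skip the header line
                split(lines[i], f, " ")            # pid ppid user comm path args...
                path[f[1]] = f[5]
            }
        }
        $6 == "LISTEN" {
            split($7, pp, "/"); pid = pp[1]; prog = pp[2]
            if (!(pid in path)) { print pid, prog, "on", $4, "has no ps entry"; next }
            if (path[pid] !~ /^\/(usr|bin|sbin|lib|lib64|opt)\//) print pid, prog, "on", $4, "runs from", path[pid]
        }'
}

rogue_listeners
# 2231 httpd on 0.0.0.0:2222 runs from /tmp/.x/httpd
# 3100 sh on 0.0.0.0:6667 has no ps entry
```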
Section: Analyze trust relationships
Something you must care about!
- /etc/hosts.equiv
- $HOME/.rhosts
- Sniffers: dsniff, arpredirect
- Trust relationship!! HostA <-> HostB
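Added example (not from the slides): an audit of constructed /etc/hosts.equiv and .rhosts contents that classifies each trust entry and flags the "+" wildcards, since a wildcard host or user extends the trust to any machine or any user. The host and user names are made up.

```shell
#!/bin/sh
# Constructed /etc/hosts.equiv and ~/.rhosts contents (not from a real host).
# Each line is "host [user]"; "+" in either column is a wildcard, a leading "-" negates.
HOSTS_EQUIV='hostB
+'
RHOSTS='hostB alice
+ +
-hostC'

# Print one line per entry: "<file> <host> <user> <assessment>".
trust_entries() {    # $1 = file label, $2 = file text
    printf '%s\n' "$2" | awk -v label="$1" '
        /^[ \t]*(#|$)/ { next }                          # comments and blank lines
        {
            host = $1; user = ($2 == "") ? "(same user)" : $2
            if (host ~ /^-/)                      note = "negation"
            else if (host == "+" && user == "+")  note = "WILDCARD: every user on every host"
            else if (host == "+")                 note = "WILDCARD: any host"
            else if (user == "+")                 note = "WILDCARD: any user from " host
            else                                  note = "named trust"
            print label, host, user, note
        }'
}

trust_entries hosts.equiv "$HOSTS_EQUIV"
trust_entries .rhosts "$RHOSTS"
```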
Section: Check for kernel module rootkits
rootkits, LKMs
- What is different: modified or replaced?
- How to detect: externally, internally
Some tools
- chkrootkit
- KSTAT