22 Oct

Secure Logging

Linux Security: Secure Logging

LOGGING: It's needed!!!!!!!!!

Logging is one of the keys to keeping your system secure. The syslog keeps you informed on *just about* everything going on. I'm gonna show you how to set up additional logging. You should also look into setting up a remote logging host (if possible), since logs kept only on the box itself can be edited by whoever gets root on it.

NOTE: This additional logging will not change the existing log files at all, so this is by no means a "risky" move.

First let's open up /etc/syslog.conf; it'll look something like this...

# /etc/syslog.conf
#
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* /var/log/maillog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *


# Save boot messages also to boot.log
local7.* /var/log/boot.log

#EOF


Now what we're gonna do is add some lines at the bottom. Please make sure the tty(s) listed below are available: check by hitting Alt-F*, where * is the tty number. If the tty is blank, it's free. Also keep in mind that tty7 by default on most distros is reserved for your X screen.

Now to add the lines. I add these at the bottom of syslog.conf:

#Everything goes to tty12
*.* /dev/tty12

#Auth and Warning go to tty11
*.warn;authpriv.* /dev/tty11

#Kernel logging goes to tty10
kern.* /dev/tty10

#Mail stuff goes to tty9
#(only really useful if you're running a mail server)
mail.* /dev/tty9

#EOF

Write out the changes to syslog.conf, then send syslogd a SIGHUP so it rereads the new configuration:
killall -HUP syslogd

Now look on the tty(s) we specified in syslog.conf. Neat, huh? :P
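Before sending the HUP it is worth knowing where a given message will actually end up, because the parts of a selector are applied left to right and a later "mail.none" overrides an earlier "*.info" for that facility. The following script is an added example, not code from the original post: it parses the syslog.conf above (the distribution defaults plus the four tty lines, embedded here as a constructed string) using sysklogd's selector rules and lists every destination a facility.priority pair reaches. rsyslog and syslog-ng accept more syntax than this parser handles, so treat it as a checker for classic sysklogd-style files only.

```python
"""Resolve which destinations a message reaches under a sysklogd-style
/etc/syslog.conf, so a new selector line can be checked before syslogd
is told to reload."""

PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3,
              "error": 3, "warning": 4, "warn": 4, "notice": 5, "info": 6,
              "debug": 7}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp"] + \
             ["local%d" % i for i in range(8)]


def parse_selector(selector):
    """Turn 'sel;sel;...' into {facility: set of allowed priority numbers}.
    Parts apply left to right; a later part overrides an earlier one for
    the facilities it names, which is why 'mail.none' after '*.info'
    removes mail from that rule."""
    allowed = {}
    for part in selector.split(";"):
        facs, dot, pri = part.rpartition(".")
        if not dot or not facs or not pri:
            raise ValueError("bad selector %r" % part)
        pri = pri.lower()
        targets = FACILITIES if facs == "*" else facs.split(",")
        for fac in targets:
            if fac not in FACILITIES:
                raise ValueError("unknown facility %r" % fac)
            if pri == "none":
                allowed[fac] = set()                          # exclude facility
            elif pri == "*":
                allowed[fac] = set(range(8))                  # every priority
            elif pri.startswith("!="):
                allowed.setdefault(fac, set()).discard(PRIORITIES[pri[2:]])
            elif pri.startswith("!"):                         # drop this priority and more severe
                cut = PRIORITIES[pri[1:]]
                allowed[fac] = {p for p in allowed.get(fac, set()) if p > cut}
            elif pri.startswith("="):
                allowed[fac] = {PRIORITIES[pri[1:]]}          # exactly this priority
            else:                                             # this priority and more severe
                allowed[fac] = set(range(PRIORITIES[pri] + 1))
    return allowed


def parse_conf(text):
    """Parse syslog.conf text into [(allowed_map, action)] in file order;
    comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)      # whitespace separates selector from action
        if len(fields) != 2:
            raise ValueError("malformed line %r" % line)
        rules.append((parse_selector(fields[0]), fields[1].strip()))
    return rules


def destinations(rules, facility, priority):
    """Every action that receives a facility.priority message, in config order."""
    p = PRIORITIES[priority]
    return [action for allowed, action in rules if p in allowed.get(facility, set())]


# Constructed sample: the stock file from the post plus the four tty lines.
SAMPLE_CONF = """
#kern.* /dev/console
*.info;mail.none;authpriv.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
*.emerg *
local7.* /var/log/boot.log
*.* /dev/tty12
*.warn;authpriv.* /dev/tty11
kern.* /dev/tty10
mail.* /dev/tty9
"""
RULES = parse_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, pri in [("authpriv", "info"), ("mail", "info"),
                     ("kern", "crit"), ("daemon", "emerg")]:
        print("%s.%s -> %s" % (fac, pri, ", ".join(destinations(RULES, fac, pri))))
```

Running it shows, for example, that an authpriv.info message (a login or su record) goes to /var/log/secure, tty12 and tty11 but never to /var/log/messages, which is exactly the "authpriv.none" exclusion doing its job.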



Process accounting: What'd you do, fool?

Linux has the ability to log which commands are run, when, and by whom. This is extremely useful in trying to reconstruct what a potential cracker actually ran. The drawbacks are that the logs get large quickly (a logrotate entry is included below to offset this), the parameters to commands are not recorded, and, like all log files, the accounting log is removable if the attacker has root.

As this is rather disk and CPU intensive, don't go this route unless you have carefully considered this option.

How we do it... first let's put in an entry for logrotate so that the log doesn't fill up too fast and take up way too much space.

Open up /etc/logrotate.conf and add this entry. The create line matters: accton does not create the file, so after the old log has been rotated away a fresh root-only file must exist before the postrotate script points accounting back at it (until then the kernel keeps writing to the renamed file).
/var/log/security/pacct.log {
    create 0600 root root
    postrotate
        /sbin/accton /var/log/security/pacct.log
    endscript
}

Now let's turn on process accounting:

touch /var/log/security/pacct.log
chown root:root /var/log/security/pacct.log
chmod 600 /var/log/security/pacct.log
/sbin/accton /var/log/security/pacct.log


Now if you're gonna use process accounting you might as well have it start up on boot, right? So add these lines to rc.local (usually in /etc/rc.d).

touch /var/log/security/pacct.log
/sbin/accton /var/log/security/pacct.log
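To show what the accounting log actually gives you when reconstructing a session, here is an added Python example that is not part of the original post (the usual tools for this are lastcomm and sa from the acct package). It decodes the 64-byte struct acct_v3 records the kernel appends to the pacct file, using the field layout from <linux/acct.h> and assuming a little-endian host, and pulls out who ran what, when, and whether it ran with superuser privileges. The input is a constructed sample built with the same struct, including a truncated trailing record of the kind a rotation mid-write leaves behind. As the post says, arguments are not recorded, and the command name is cut to 16 bytes.

```python
"""Decode the binary records that process accounting appends to the
pacct file (struct acct_v3 from <linux/acct.h>) and pull out the facts an
investigator wants: who ran what, when, and whether it ran as root."""
import struct
import time

# struct acct_v3 is 64 bytes: flag, version, tty, exitcode, uid, gid, pid,
# ppid, btime, etime (float), eight comp_t counters, 16-byte command name.
# Little-endian layout is assumed (x86 hosts); the kernel sets the
# ACCT_BYTEORDER bit (0x80) in ac_flag on big-endian machines.
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")
ACCT_VERSION = 3
AFORK, ASU, ACOMPAT, ACORE, AXSIG = 0x01, 0x02, 0x04, 0x08, 0x10


def comp_t_decode(c):
    """comp_t: 13-bit mantissa with a 3-bit base-8 exponent (clock ticks)."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def comp_t_encode(value):
    """Inverse of comp_t_decode, lossy above 8191; used only to build the
    constructed sample below."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


def parse_pacct(data):
    """Return one dict per complete 64-byte record. A trailing partial
    record (file rotated mid-write) is ignored rather than misparsed."""
    records = []
    usable = len(data) - len(data) % ACCT_V3.size
    for off in range(0, usable, ACCT_V3.size):
        (flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
         utime, stime, mem, io, rw, minflt, majflt, swaps,
         comm) = ACCT_V3.unpack_from(data, off)
        if version != ACCT_VERSION:
            raise ValueError("record at offset %d has version %d" % (off, version))
        records.append({
            "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
            "uid": uid, "gid": gid, "pid": pid, "ppid": ppid,
            "started": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(btime)),
            "exit_status": (exitcode >> 8) & 0xFF,   # wait(2) status, exit code in the high byte
            "superuser": bool(flag & ASU),           # used superuser privileges
            "dumped_core": bool(flag & ACORE),
            "killed_by_signal": bool(flag & AXSIG),
            "cpu_ticks": comp_t_decode(utime) + comp_t_decode(stime),
        })
    return records


def privileged_commands(records):
    """Command names that ran with superuser privileges, in log order."""
    return [r["comm"] for r in records if r["superuser"]]


def make_record(comm, uid, pid, ppid, btime, flag=0, exitcode=0, ticks=0):
    """Constructed sample record for demonstration, not real accounting output."""
    return ACCT_V3.pack(flag, ACCT_VERSION, 0, exitcode, uid, 100, pid, ppid,
                        btime, 0.0, comp_t_encode(ticks), 0, 0, 0, 0, 0, 0, 0,
                        comm.encode("ascii").ljust(16, b"\0"))


# Constructed sample log: a user shell, an su, then a command run as root,
# followed by a truncated record such as a rotation mid-write leaves behind.
SAMPLE_PACCT = (
    make_record("bash", 1000, 4242, 4241, 1098403200, flag=AFORK, ticks=120)
    + make_record("su", 1000, 4243, 4242, 1098403260, flag=ASU)
    + make_record("id", 0, 4244, 4243, 1098403261, flag=ASU, ticks=20000)
    + b"\x00" * 10
)

if __name__ == "__main__":
    for r in parse_pacct(SAMPLE_PACCT):
        print("%s uid=%d pid=%d ppid=%d root=%s exit=%d %s"
              % (r["started"], r["uid"], r["pid"], r["ppid"],
                 r["superuser"], r["exit_status"], r["comm"]))
```

The pid/ppid chain is what lets you tie the root-level "id" back to the "su" and the user shell that spawned it, which is the reconstruction the post has in mind; run it against a real pacct.log by reading the file in binary mode and passing the bytes to parse_pacct.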

Done... Enjoy!!!!!!