Linux Security: Secure Logging



Logging is one of the keys to keeping your system secure. The syslog keeps you informed on *just about* everything going on. I'm gonna show you how to set up additional logging. You should also look into setting up a remote logging host (if possible), since logs that only live on the compromised box can be edited by whoever compromised it.

NOTE: This additional logging will not change the existing log files at all, so this is by no means a "risky" move.

First, let's open up /etc/syslog.conf; it'll look something like this...

# /etc/syslog.conf
#
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* /var/log/maillog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *


# Save boot messages also to boot.log
local7.* /var/log/boot.log

#EOF


Now what we're gonna do is add some lines at the bottom. Please make sure the tty(s) listed below are available: hit Alt-F*, * being the tty number, and if the tty is blank it's free. Also keep in mind that tty7 by default on most distros is reserved for your X screen.

Now to add the lines: 
I add these lines at the bottom of syslog.conf

#Everything goes to tty12
*.* /dev/tty12

#Auth and Warning go to tty11
*.warn;authpriv.* /dev/tty11

#Kernel logging goes to tty10
kern.* /dev/tty10

#Mail stuff
#(only really useful if you're running a mailserver goes to tty9)
mail.* /dev/tty9

#EOF

I write out the new changes to syslog.conf, then send syslogd a SIGHUP so it reloads the configuration:

killall -HUP syslogd

Now look at the tty(s) we specified in syslog.conf. Neat, huh? :P
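It is easy to misread a selector line like *.info;mail.none;authpriv.none, so here is an added example (my code, not from the original article) that models how classic syslogd matches a message against syslog.conf and reports every destination the message would reach. It assumes the sysklogd rules from syslog.conf(5): a priority means "this level and more severe", a later selector on the same line overrides an earlier one for the same facility, and the "!" negation form is not modelled. The configuration embedded below is the one from this article, original lines plus the tty additions.

```python
# Model of classic syslogd (sysklogd) selector matching.  Added example,
# not part of the original article.  Assumes syslog.conf(5) semantics;
# the '!' negation form is not modelled.

PRIORITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITIES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp".split()
    + ["local%d" % i for i in range(8)]
)


def _priority_set(spec):
    """Translate the priority part of a selector into the set of matching levels."""
    if spec == "none":                      # exclude the facility entirely
        return set()
    if spec == "*":
        return set(PRIORITIES.values())
    if spec.startswith("="):                # exactly this priority, nothing else
        return {PRIORITIES[spec[1:]]}
    if spec not in PRIORITIES:
        raise ValueError("unknown priority %r" % spec)
    # this priority and everything more severe (numerically lower)
    return {p for p in PRIORITIES.values() if p <= PRIORITIES[spec]}


def parse_syslog_conf(text):
    """Return [(facility -> allowed levels, action), ...] for each active rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments are ignored
            continue
        selector, action = line.split(None, 1)  # whitespace separates selector from action
        table = {}
        for sel in selector.split(";"):
            facs, _, prio = sel.rpartition(".")
            fac_list = FACILITIES if facs == "*" else facs.split(",")
            for fac in fac_list:
                if fac not in FACILITIES:
                    raise ValueError("unknown facility %r" % fac)
                table[fac] = _priority_set(prio)  # later selectors override earlier ones
        rules.append((table, action.strip()))
    return rules


def route(rules, facility, priority):
    """Every action that would receive a message logged at facility.priority."""
    level = PRIORITIES[priority]
    return [action for table, action in rules if level in table.get(facility, set())]


# The article's configuration: the stock lines plus the tty additions.
SYSLOG_CONF = """
*.info;mail.none;authpriv.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
*.emerg *
local7.* /var/log/boot.log
# additions from the article
*.* /dev/tty12
*.warn;authpriv.* /dev/tty11
kern.* /dev/tty10
mail.* /dev/tty9
"""
RULES = parse_syslog_conf(SYSLOG_CONF)

if __name__ == "__main__":
    for fac, prio in [("authpriv", "info"), ("mail", "err"), ("kern", "debug"), ("user", "emerg")]:
        print("%s.%s -> %s" % (fac, prio, ", ".join(route(RULES, fac, prio))))
```

Running it shows, for instance, that an authpriv.info message is kept out of /var/log/messages by the authpriv.none clause but still reaches /var/log/secure, tty12 and tty11, the last one because authpriv.* on that line overrides the *.warn floor for that facility.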



Process accounting: What'd you do, fool?

Linux has the ability to log which commands are run when and by whom. This is extremely useful in trying to reconstruct what a potential cracker actually ran. The drawbacks are that the logs get large quickly (a log rotate module is included to offset this), the parameters to commands are not recorded, and, like all log files, the accounting log is removable if the attacker has root.

As this is rather disk and CPU intensive, don't go this route unless you have carefully considered this option.

How we do it... first let's put in a logrotate entry so the logs don't fill up too fast and take up way too much space.

Open up /etc/logrotate.conf
And add these lines (the rotated-away file is recreated root-only, and accton is re-pointed at the fresh file, otherwise the kernel keeps writing to the renamed one):

/var/log/security/pacct.log {
    # recreate the log with the same restrictive permissions after rotation
    create 0600 root root
    postrotate
        /sbin/accton /var/log/security/pacct.log
    endscript
}

Now let's turn on process accounting:

mkdir -p /var/log/security
touch /var/log/security/pacct.log
chown root:root /var/log/security/pacct.log
chmod 600 /var/log/security/pacct.log
/sbin/accton /var/log/security/pacct.log


Now if you're gonna use process accounting, you might as well have it start up on boot, right? So add these lines to rc.local (usually in /etc/rc.d).

touch /var/log/security/pacct.log
/sbin/accton /var/log/security/pacct.log

Done... Enjoy!!!!!!
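The accounting file that accton fills is binary, and lastcomm is the normal way to read it, but to see exactly what is and is not recorded (the point made above about command names without their parameters) here is an added example, my code and not part of the original article, that decodes pacct records in Python. It assumes the acct_v3 record layout from the kernel's linux/acct.h (64 bytes, version byte 3, native byte order on a little-endian host); the sample records are constructed with the same layout, not captured from a real system.

```python
# Reader for Linux process-accounting (pacct) records.  Added example, not
# part of the original article.  Assumes the acct_v3 layout from
# linux/acct.h written on a little-endian host; sample data is constructed.
import struct

ACCT_V3 = struct.Struct("<ccHIIIIIIfHHHHHHHH16s")   # 64 bytes per record
assert ACCT_V3.size == 64
FLAGS = {0x01: "AFORK", 0x02: "ASU", 0x04: "ACOMPAT", 0x08: "ACORE", 0x10: "AXSIG"}


def comp_t_to_int(c):
    """comp_t is a 16-bit float: 13-bit mantissa, 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def encode_comp_t(value):
    """Inverse of comp_t_to_int, used only to build the constructed sample."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


def parse_pacct(data):
    """Decode every complete 64-byte record; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % ACCT_V3.size, ACCT_V3.size):
        (flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
         utime, stime, mem, io, rw, minflt, majflt, swaps, comm) = ACCT_V3.unpack_from(data, off)
        if version != b"\x03":
            raise ValueError("unsupported accounting record version %r" % version)
        flag = ord(flag)
        records.append({
            # only the program name is stored (at most 15 chars), never its arguments
            "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
            "uid": uid, "gid": gid, "pid": pid, "ppid": ppid,
            "btime": btime,                      # process creation time, epoch seconds
            "elapsed": etime,                    # wall-clock seconds, stored as a float
            "utime_ticks": comp_t_to_int(utime),
            "stime_ticks": comp_t_to_int(stime),
            "exit_status": exitcode >> 8,        # raw wait status; high byte is the exit code
            "flags": [name for bit, name in FLAGS.items() if flag & bit],
        })
    return records


def commands_by_uid(records, uid):
    """Commands run by one uid, oldest first by start time (file order is exit order)."""
    ordered = sorted(records, key=lambda r: r["btime"])
    return [(r["btime"], r["comm"], r["flags"]) for r in ordered if r["uid"] == uid]


def make_record(comm, uid, btime, flag=0, exitcode=0, utime=0):
    """Build one constructed acct_v3 record (test data, not from a real system)."""
    return ACCT_V3.pack(bytes([flag]), b"\x03", 0, exitcode, uid, 100, 4242, 4000, btime, 1.5,
                        encode_comp_t(utime), 0, 0, 0, 0, 0, 0, 0,
                        comm.encode()[:15].ljust(16, b"\0"))


# Constructed sample: records land in the file when the process exits, so the
# shell that started first appears last.  ASU marks use of superuser privileges.
SAMPLE_PACCT = b"".join([
    make_record("id", 1000, 1700000010),
    make_record("su", 1000, 1700000020, flag=0x02),
    make_record("very_long_command_name", 0, 1700000030, exitcode=1 << 8, utime=123456),
    make_record("bash", 1000, 1700000000),
]) + b"\x03\x00"   # a torn trailing record, as seen when reading a live file

if __name__ == "__main__":
    for btime, comm, flags in commands_by_uid(parse_pacct(SAMPLE_PACCT), 1000):
        print(btime, comm, flags)
```

Two things the decoder makes visible: the command name is cut at 15 characters and carries no arguments, so "what was run" is only ever the program, and records are ordered by exit rather than start, so sorting on ac_btime is needed to reconstruct a session. The torn trailing bytes are the normal state of a file that accton is still writing to.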