The FreeBSD FAQ - The Power to Help
The FreeBSD FAQ - The Power to Help
This site is Powered by PAR Teleon

S E Ç Õ E S
B U S C A
+
D E S T A Q U E
CONTATO
PÁGINA ANTIGA
TELEON INTERNET
E N Q U E T E
Se apos a conclusao, a traducao da documentacao oficial do FreeBSD, fosse impressa em livro, voce:

Usaria apenas a documentacao na internet como referencia.Faria o download de toda a documentacao na internet e imprimiria eu mesmo.
Compraria o livro, para te-lo em maos, mas usaria a referencia na internet com maior frequencia do que o livro.Compraria o livro, e seria minha unica referencia.
Compraria varias copias do livro e daria de presente a varias pessoas que deveriam ser devidamente catequisadas.







Jean M. Melo © - 2001
Todos os direitos reservados






H O W   T O 


Índice


31/05/01 20:55 - Auditoria de log com o Logcheck


Breno Silva Pinto


Este tutorial foi escrito com o intuito de ajudar os administradores de 
sistema a fazerem a auditoria dos logs do sistema , peça chave para a 
segurança de uma rede.


PREVIA SOBRE O LOGCHECK

O logcheck é um software de auditoria de log para sistemas UNIX . Esse 
software desenvolvido pela Psionic Software , analisa e  informa através
do e-mail , o que está acontecendo no seu sistema , tentado alertar para
uma possível invasão.
O logcheck ainda pode ser usado para trabalhar  junto com o PortSentry , 
um ótimo software IDS (Intrusion Detection System) , então , eu aconselharia
vc instalar e configurar o PortSentry.

Veja os Sistemas que suportam o Logcheck:
· Linux 
· SunOS 
· Solaris 
· HPUX 
· Digital OSF/1 
· FreeBSD
· BSDI
· OpenBSD 
· NetBSD 
· Generic (Most variants) 

INSTALAÇÃO

A primeira coisa a fazer é adquirir o software , para isso vá até  
http://www.psionic.com/tools/logcheck-1.1.1.tar.gz  ou então procure 
no CD-ROM do FreeBSD na parte Security dos packages . 
No meu caso , tenho o logcheck no CD-ROM do FreeBSD 4.1.1-Release . Para 
instalar o logcheck pelo cd vc pode usar o sysinstall em /stand .


Depois de ter instalado verifique se foi criado os seguintes arquivos , por 
padrão eles caíram em /usr/local/etc :

Logcheck.hacking.sample
Logcheck.ignore.sample
Logcheck.sh
Logcheck.violations.ignore.sample
Logcheck.violations.sample


Se todos esses arquivos estiverem forem criados, o software foi instalado 
sem problemas.


VEJAMOS O QUE SIGNIFICA CADA UM DESSES ARQUIVOS


Logcheck.hacking à Este arquivo contém keywords que caracterizariam um possível 
ataque ao seu sistema , essas keywords geralmente ocorrem quando se é atacado 
por um Port Scanner ou quando se usa sintaxes ilegais no Sendmail.

Logcheck.ignore à Este arquivo faria quase que o contrário do logcheck.hacking, 
ele negaria certos alertas , como conexões com o deamon telnetd.

Logcheck.violations à Este arquivo contém keywords gerados pelo sistema , tanto 
negativas  como positivas . ex:  Denied , Refused.

Logcheck.violations.ignore à Como o nome já diz , este é o arquivo que ignora 
certas mensagens geradas pelo sistema

Logcheck.sh à Esse aqui seria o script de inicialização do logcheck.


Eu não aconselharia editar esses arquivos , a não ser o logcheck.sh , pois 
dependendo das regras que você adicionar ou retirar , o logcheck pode vir a 
dar falsos avisos , o que não é interessante.

Lembre -se de renomear todos os arquivos exceto , o logcheck.sh , retire a parte 
.sample dos arquivos , sendo assim eles passaram a fazer parte da configuração 
do logcheck:

mv    logcheck.ignore.sample   logcheck.ignore
mv    logcheck.hacking.sample   logcheck.hacking
mv    logcheck.violations.ignore.sample   logcheck.violations.ignore
mv    logcheck.violations.sample    logcheck.violations


Feito isso podemos passar para nosso arquivo de configuração 

ARQUIVO DE CONFIGURAÇÃO ----- LOGCHECK.SH---------

Esse arquivo como já foi dito , é o script de inicialização do nosso utilitário, 
na verdade serão poucas alterações que teremos que fazer , colocarei a parte deste 
script que teremos que configurar .


------------------------------logcheck.sh-----------------------

#!/bin/sh
#
#	logcheck.sh: Log file checker
#	Written by Craig Rowland 
#
#	This file needs the program logtail.c to run
#
#	This script checks logs for unusual activity and blatant
#	attempts at hacking. All items are mailed to administrators
# 	for review. This script and the logtail.c program are based upon 
#       the frequentcheck.sh script idea from the Gauntlet(tm) Firewall
#	(c)Trusted Information Systems Inc. The original authors are 
#	Marcus J. Ranum and Fred Avolio.
#
#	Default search files are tuned towards the TIS Firewall toolkit
# 	the TCP Wrapper program. Custom daemons and reporting facilites
#	can be accounted for as well...read the rest of the script for
#	details.
#
#	Version Information
#
#	1.0 	9/29/96  -- Initial Release
#	1.01	11/01/96 -- Added working /tmp directory for symlink protection
#			    (Thanks Richard Bullington (rbulling@obscure.org)
#	1.1	1/03/97	 -- Made this script more portable for Sun's.
#		1/03/97	 -- Made this script work on HPUX
#               5/14/97  -- Added Digital OSF/1 logging support. Big thanks
#                           to Jay Vassos-Libove  for
#                           his changes.


# CONFIGURATION SECTION

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin

# Logcheck is pre-configured to work on most BSD like systems, however it
# is a rather dumb program and may need some help to work on other
# systems. Please check the following command paths to ensure they are 
# correct.

# Person to send log activity to.
SYSADMIN=root

# Full path to logtail program.
# This program is required to run this script and comes with the package.

LOGTAIL=/usr/local/bin/logtail

# Full path to SECURED (non public writable) /tmp directory.
# Prevents Race condition and potential symlink problems. I highly
# recommend you do NOT make this a publically writable/readable directory.
# You would also be well advised to make sure all your system/cron scripts
# use this directory for their "scratch" area. 

TMPDIR=/usr/local/etc/tmp

# The 'grep' command. This command MUST support the
# '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
# good GNUs for you Linux/FreeBSD/BSDI people :) ). The Sun grep I'm told
# does not support these switches, but the 'egrep' command does (Thanks
# Jason  ). Since grep and egrep are usually the GNU 
# variety on most systems (well most Linux, FreeBSD, BSDI, etc) and just
# hard links to each other we'll just specify egrep here. Change this if 
# you get errors.

# Linux, FreeBSD, BSDI, Sun, HPUX, etc.
GREP=egrep

# The 'mail' command. Most systems this should be OK to leave as is.
# If your default mail command does not support the '-s' (subject) command
# line switch you will need to change this command one one that does.
# The only system I've seen this to be a problem on are HPUX boxes. 
# Naturally, the HPUX is so superior to the rest of UNIX OS's that they
# feel they need to do everything differently to remind the rest that
# they are the best ;).

# Linux, FreeBSD, BSDI, Sun, etc.
MAIL=mail
# HPUX 10.x and others(?)
#MAIL=mailx
# Digital OSF/1, Irix
#MAIL=Mail

# File of known active hacking attack messages to look for.
# Only put messages in here if you are sure they won't cause
# false alarms. This is a rather generic way of checking for 
# malicious activity and can be inaccurate unless you know
# what past hacking activity looks like. The default is to
# look for generic ISS probes (who the hell else looks for 
# "WIZ" besides ISS?), and obvious sendmail attacks/probes.

HACKING_FILE=/usr/local/etc/logcheck.hacking

# File of security violation patterns to specifically look for.
# This file should contain keywords of information administrators should
# probably be aware of. May or may not cause false alarms sometimes.
# Generally, anything that is "negative" is put in this file. It may miss
# some items, but these will be caught by the next check. Move suspicious
# items into this file to have them reported regularly.

VIOLATIONS_FILE=/usr/local/etc/logcheck.violations

# File that contains more complete sentences that have keywords from
# the violations file. These keywords are normal and are not cause for 
# concern but could cause a false alarm. An example of this is the word 
# "refused" which is often reported by sendmail if a message cannot be 
# delivered or can be a more serious security violation of a system 
# attaching to illegal ports. Obviously you would put the sendmail 
# warning as part of this file. Use your judgement before putting words 
# in here or you can miss really important events. The default is to leave
# this file with only a couple entries. DO NOT LEAVE THE FILE EMPTY. Some 
# grep's will assume that an EMPTY file means a wildcard and will ignore 
# everything! The basic configuration allows for the more frequent sendmail
# error.
#
# Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!

VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore

# This is the name of a file that contains patterns that we should
# ignore if found in a log file. If you have repeated false alarms
# or want specific errors ignored, you should put them in here.
# Once again, be as specific as possible, and go easy on the wildcards

IGNORE_FILE=/usr/local/etc/logcheck.ignore

# The files are reported in the order of hacking, security 
# violations, and unusual system events. Notice that this
# script uses the principle of "That which is not explicitely
# ignored is reported" in that the script will report all items
# that you do not tell it to ignore specificially. Be careful
# how you use wildcards in the logcheck.ignore file or you 
# may miss important entries.

# Make sure we really did clean up from the last run.
# Also this ensures that people aren't trying to trick us into
# overwriting files that we aren't supposed to. This is still a race
# condition, but if you are in a temp directory that does not have
# generic luser access it is not a problem. Do not allow this program
# to write to a generic /tmp directory where others can watch and/or
# create files!!

# Shouldn't need to touch these...
HOSTNAME=`hostname`
DATE=`date +%m/%d/%y:%H.%M`

umask 077
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR
	echo "Log files exist in $TMPDIR directory that cannot be removed.  
this may be an attempt to spoof the log checker." \
	| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
	exit 1
fi

# LOG FILE CONFIGURATION SECTION
# You might have to customize these entries depending on how 
# you have syslogd configured. Be sure you check all relevant logs.
# The logtail utility is required to read and mark log files.
# See INSTALL for more information. Again, using one log file
# is preferred and is easier to manage. Be sure you know what the
# > and >> operators do before you change them. LOG FILES SHOULD
# ALWAYS BE chmod 600 OWNER root!!

# Generic and Linux Slackware 3.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$

# Linux Red Hat Version 3.x, 4.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$

# FreeBSD 2.x
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$

# BSDI 2.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
#$LOGTAIL /var/log/ftp.log >> $TMPDIR/check.$$
# Un-comment out the line below if you are using BSDI 2.1
#$LOGTAIL /var/log/daemon.log >> $TMPDIR/check.$$

# SunOS, Sun Solaris 2.5
#$LOGTAIL /var/log/syslog > $TMPDIR/check.$$
#$LOGTAIL /var/adm/messages >> $TMPDIR/check.$$

# HPUX 10.x and others(?)
#$LOGTAIL /var/adm/syslog/syslog.log > $TMPDIR/check.$$

# Digital OSF/1
# OSF/1 - uses rotating log directory with date & time in name
#        LOGDIRS=`find /var/adm/syslog.dated/* -type d -prune -print`
#        LOGDIR=`ls -dtr1 $LOGDIRS | tail -1` 
#        if [ ! -d "$LOGDIR" ]
#        then
#          echo "Can't identify current log directory." >> $TMPDIR/checkrepor$
#        else
#                $LOGTAIL  $LOGDIR/auth.log >> $TMPDIR/check.$$
#                $LOGTAIL  $LOGDIR/daemon.log >> $TMPDIR/check.$$
#                $LOGTAIL  $LOGDIR/kern.log >> $TMPDIR/check.$$  
#                $LOGTAIL  $LOGDIR/lpr.log >> $TMPDIR/check.$$   
#                $LOGTAIL  $LOGDIR/mail.log >> $TMPDIR/check.$$
#                $LOGTAIL  $LOGDIR/syslog.log >> $TMPDIR/check.$$
#                $LOGTAIL  $LOGDIR/user.log >> $TMPDIR/check.$$  
#        fi
#         

Bom essa é a parte que devemos configurar , vou me basear na configuração de 
uma máquina FreeBSD , na qual ele será executado , mas se você quiser configurar
ele para linux ou qualquer outro sistema , não será tão diferente.


Eu precisei criar um diretório no /etc/local/etc  com o nome tmp , assim não 
precisei mudar algumas sintaxes . Vejamos o que temos que mudar :

# Person to send log activity to.
SYSADMIN=root

Essa linha diz para quem será enviado o e-mail com as notificações. Ser for 
para root , deixa desse jeito.

# Full path to logtail program.
# This program is required to run this script and comes with the package.

LOGTAIL=/usr/local/bin/logtail


Essa linha nos diz onde está o logtail , ele é necessário para rodar o script, 
mas não esquente , porque ele vem no package do logcheck.


# Linux, FreeBSD, BSDI, Sun, HPUX, etc.
GREP=egrep

Essa linha faz referencia ao "egrep" , geralmente não necessita ser mudada.


# Linux, FreeBSD, BSDI, Sun, etc.
MAIL=mail


Esta faz referência ao "mail" , geralmente não precisa ser mudada.


HACKING_FILE=/usr/local/etc/logcheck.hacking
VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
IGNORE_FILE=/usr/local/etc/logcheck.ignore

Essas linhas se referem ao caminho dos arquivos que vimos anteriormente, 
certifique -se se está correto com o seu sistema.

# FreeBSD 2.x
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$

Essas linhas nos diz que o logcheck irá analisar os logs vindos de /var/log/messages
 e /var/log/maillog , você pode alterar essas linhas , dependendo de como o seu 
syslog está configurado.


Lembre -se que você pode e deve alterar essas linhas para que o logcheck 
funcione corretamente em seu sistema .

Pronto ! , feito isso podemos rodar o logcheck.



RODANDO O LOGCHECK

Vamos colocar o logcheck para trabalhar e em seguida ativaremos o PortSentry, 
com isso teremos uma segurança maior em nossa rede.

FreeBSD # ./logcheck.sh
FreeBSD#  portsentry -tcp
FreeBSD#  portsentry -udp


Logo após isso simulei ataques , que o portsentry detectou , e que foi enviado 
cara mim por e-mail através do logcheck.


UMA EXEMPLO DE E-MAIL ENVIADO PELO LOGHECK

From root Thu May 17 15:24:36 2001
Return-Path: 
Received: (from root@localhost)
	by freebsd.net.com.br (8.11.0/8.11.0) id f4HIOaZ00445
	for root; Thu, 17 May 2001 15:24:36 -0300 (BRT)
	(envelope-from root)
Date: Thu, 17 May 2001 15:24:36 -0300 (BRT)
From: Charlie Root 
Message-Id: <200105171824.f4HIOaZ00445@freebsd.net.com.br>
To: root
Subject: freebsd.net.com.br 05/17/01:15.24 ACTIVE SYSTEM ATTACK!


Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
May 16 09:32:08 freebsd portsentry[224]: attackalert: Connect from host: 
windows.net.com.br/192.1.1.1 to TCP port: 1080
May 16 09:32:08 freebsd portsentry[224]: attackalert: Host: 192.1.1.1 is 
already blocked. Ignoring

Security Violations
=-=-=-=-=-=-=-=-=-=
May 16 09:32:08 freebsd portsentry[224]: attackalert: Connect from host: 
windows.net.com.br/192.1.1.1 to TCP port: 1080
May 16 09:32:08 freebsd portsentry[224]: attackalert: Host: 192.1.1.1 is 
already blocked. Ignoring
May 17 08:03:02 freebsd login: ROOT LOGIN (root) ON ttyv0
May 17 15:08:21 freebsd login: ROOT LOGIN (root) ON ttyv0

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
May 16 09:32:08 freebsd portsentry[224]: attackalert: Connect from host: 
windows.net.com.br/192.1.1.1 to TCP port: 1080
May 16 09:32:08 freebsd portsentry[224]: attackalert: Host: 192.1.1.1 is 
already blocked. Ignoring



ANALISANDO O E-MAIL ENVIADO PELO LOGCHECK

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
May 16 09:32:08 freebsd portsentry[224]: attackalert: Connect from host: 
windows.net.com.br/192.1.1.1 to TCP port: 1080
May 16 09:32:08 freebsd portsentry[224]: attackalert: Host: 192.1.1.1 is 
already blocked. Ignoring

Esse alerta enviado pelo logcheck , como podemos ver foi dado pelo portsentry, 
o que poderia ser uma possível tentativa de invasão. Esses avisos foram colocados 
aqui porque o alerta "atackalert" esta em nosso arquivo de keyword com caracterizariam
uma possível invasão.

Security Violations
=-=-=-=-=-=-=-=-=-=
May 16 09:32:08 freebsd portsentry[224]: attackalert: Connect from host: 
windows.net.com.br/192.1.1.1 to TCP port: 1080
May 16 09:32:08 freebsd portsentry[224]: attackalert: Host: 192.1.1.1 is 
already blocked. Ignoring
May 17 08:03:02 freebsd login: ROOT LOGIN (root) ON ttyv0
May 17 15:08:21 freebsd login: ROOT LOGIN (root) ON ttyv0

Novamente temos as infomações do portsentry , isso porque a sintaxe "atackalert" 
se encontra em todos os nossos arquivos de configuração, 
exceto é claro nos arquivos que ignoram regras.
A duas novas linhas são :

May 17 08:03:02 freebsd login: ROOT LOGIN (root) ON ttyv0
May 17 15:08:21 freebsd login: ROOT LOGIN (root) ON ttyv0

Isso nos diz a data e a hora que Root logou no sistema , agora se não foi você, 
talvez estja com problemas. 


Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
May 16 09:32:08 freebsd portsentry[224]: attackalert: Connect from host: 
windows.net.com.br/192.1.1.1 to TCP port: 1080
May 16 09:32:08 freebsd portsentry[224]: attackalert: Host: 192.1.1.1 is 
already blocked. Ignoring


Aqui está novamente nossa entrada do PortSentry , bom nessa parte você 
provavelmente receberá infomações dos eventos que ocorreram em geral na máquina, 
como reboot , inicialização de programas , entre outros.

Bom fico por aqui , qualquer dúvida mail -me 
Breno Silva Pinto

Breno Silva Pinto




Entrar em contato Enviar este artigo a um amigo Preparar para impressão Índice Topo da página


 

PrincipalBusca AvançadaEnqueteContatoTeleon Internet  
Enquetes antigas | FAQ | FreeBSD Desktop | Informacoes | Links | How To