Logging Policies

Total Page:16

File Type:pdf, Size:1020Kb

Logging Policies Logging Policies The accounting system, the kernel, and various utilities all emit data that is logged and eventually ends up on your finite-sized disks. Most of that data has a limited useful lifetime and needs to be summarized, compressed, archived, and eventually thrown away. Logging Policies Logging policies vary from site to site. Common schemes include: Throw away all data immediately Reset log files at periodic intervals Rotate log files, keeping data for a fixed period of time Compress and archive logs to tape or other permanent media. The correct choice for your site depends on how much disk space you have and how security conscious you are. Even sites with an abundance of disk space must deal with the cancerous growth of log files. Whatever scheme that you select, maintenance of log files should be automated with cron. Throwing away log files We do not recommend throwing away all logging information. Sites that are subject to security problems routinely find that accounting data and log files provide important evidence of break-ins. Log files are also helpful for alerting you to hardware and software problems. In general, given a comfortable amount of disk space, data should be kept for at least a month and then discarded. In the real world, it may take this long for you to realize that your site has been compromised by a hacker and that you need to review the logs. If you need to go back further into the past, you can recover older logs from your backup tapes. Some administrators allow log files to grow until they become bothersome, then restart them from zero. This plan is better than keeping no data at all, but it does not guarantee that log entries will be retained for any particular length of time. Average disk usage may also be higher than with other management schemes. Rotating Log Files Most sites store each day’s log information on disk, sometimes in a compressed format. These daily files are kept for a specific period of time and then deleted. If you have sufficient disk space, it is handy to keep the log files uncompressed so that they can be easily searched with grep. One common way of implementing this policy is called rotation. In a rotation system, you keep backup files that are one day old, two days old and so on. Each day, a script renames the files to push older data toward the end of the chain. If a log file is called logfile, for example, the backup copies might be called logfile.1, logfile,2, etc. If you keep a week’s worth of data, there will be a logfile.7 but no logfile.8. Every day, the data in logfile.7 is lost as logfile.6 overwrites it. e.g. Suppose a log file needs daily attention and you want to archive its contents for three days to keep the sample short. The following script would implement an appropriate rotation policy: #!/bin/sh cd /var/log mv logfile.2 logfile.3 mv logfile.1 logfile.2 mv logfile logfile.1 cat /dev/null > logfile chmod 600 logfile Ownership information is important for some log files. You may need to run your rotation script from cron as the log files’ owner rather than as root, or you may need to add a chown command to the script. Archiving log files Some sites must archive all accounting data and log files as a matter of policy, perhaps to provide data for a potential audit. In this situation, log files should be first rotated on disk and then written to tape or other permanent media. This scheme reduces the frequency of tape backups and gives you fast access to recent data. Log files should always be included in your regular backup sequence. They may also be archived to a separate tape series. Separate tapes are more cumbersome, but they impose less of a documentation burden and will not interfere with your ability to recycle dump tapes. If you use separate tapes, we suggest that you use the tar format and write a script to automate your backup scheme. Files NOT To Manage You might be tempted to manage all log files with a rotation and archiving scheme. However, there are three files that you should not touch: /var/adm/lastlog /var/adm/wtmp, and /var/adm/utmp. lastlog records each user’s last login and is a sparse file indexed by UID. It stays smaller if your UIDs are assigned in some kind of numeric sequence. Do not copy lastlog, or it will use all of the disk space that ls –l reports. utmp, really utmpx on our Solaris system, attempts to keep a record of each user that is currently logged in. It is sometimes wrong, usually because a user’s shell was killed with an inappropriate signal and the parent of the shell did not clean up properly. utmpx is world-writable. wtmp, really wtmpx on our Solaris system, attempts to keep a history of user access and administrative information. .
Recommended publications
  • Filesystem Hierarchy Standard
    Filesystem Hierarchy Standard LSB Workgroup, The Linux Foundation Filesystem Hierarchy Standard LSB Workgroup, The Linux Foundation Version 3.0 Publication date March 19, 2015 Copyright © 2015 The Linux Foundation Copyright © 1994-2004 Daniel Quinlan Copyright © 2001-2004 Paul 'Rusty' Russell Copyright © 2003-2004 Christopher Yeoh Abstract This standard consists of a set of requirements and guidelines for file and directory placement under UNIX-like operating systems. The guidelines are intended to support interoperability of applications, system administration tools, development tools, and scripts as well as greater uniformity of documentation for these systems. All trademarks and copyrights are owned by their owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Permission is granted to make and distribute verbatim copies of this standard provided the copyright and this permission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this standard under the conditions for verbatim copying, provided also that the title page is labeled as modified including a reference to the original standard, provided that information on retrieving the original standard is included, and provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this standard into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by the copyright holder. Dedication This release is dedicated to the memory of Christopher Yeoh, a long-time friend and colleague, and one of the original editors of the FHS.
    [Show full text]
  • Evaluating UNIX Security Previous Screen Allen B
    84-01-15.1 Evaluating UNIX Security Previous screen Allen B. Lum Payoff The UNIX operating system's basic security features include password protection, access permission, user profiles, shell scripts, and file ownership. Because new and enhanced UNIX security features are continually being added to these features in response to the demands of an increasingly competitive user community, information security professionals must begin with an understanding of the basic UNIX security environment. This article covers the fundamental security features that can be found in most of the currently available versions of the UNIX operating system. Several checklists are included at the end of the article to assist administrators in ensuring the security of UNIX systems. Problems Addressed The UNIX operating system was originally developed for use by programmers within an open systems environment. The adoption of UNIX as a common operating system across several different platforms has increased the need for security beyond its original purpose. As a result, many UNIX installations have less than optimal security. In addition, there are several versions of UNIX on the market today with differing security features. This article discusses basic access controls (e.g., passwords) and directory and file permissions within the UNIX system. The concepts discussed are applicable to all versions of UNIX unless specifically noted otherwise. UNIX History As the majority of UNIX users know, UNIX was developed at AT Bell Laboratories in the late 1960s by Thompson and Ritchie; the name UNIXis a contraction of uni and multics. The original UNIX system software was written in the assembler language to run on the digital PDP-7 computer.
    [Show full text]
  • Chapter 3 Unix Overview
    Chapter 3 Unix Overview Figure 3.1 Unix file system Directory Purpose / The root directory /bin or /sbin Critical executables needed to boot the system /dev Device drivers /etc System configuration files such as passwords, network addresses and names,system startup scripts /home User home directories /lib Shared libraries used by programs /mnt Temporary mount point for file systems /proc Images of currently executing processes on the system /tmp Temporary files /usr A variety of critical system files, including system utilities (/usr/bin), and administration executables (/usr/sbin) /var Stores varying files such as /var/log, /var/mail Table 3.1 Important Directories in the Unix file system Figure 3.2 Unix Architecture Figure 3.3 Relationship between init, inetd, and various network services Sample /etc/inetd.conf file containing services spawned by inetd /etc/inetd.conf file format • Service name (port # defined in /etc/services) • Socket type (stream or dgram) • Protocol (tcp, udp, rpc/tcp, or rpc/udp) • Wait status (wait or nowait) • Username (service run as) • Server program • Server program arguments Use of inetd.conf to create backdoor listeners and attack relays Common Unix Administration Tasks ♦ Vulnerability of using “.” in your search path $PATH ♦ Showing all running processes ps –aux ps –aef ♦ Killing/restarting processes kill –HUP pid killall –HUP inetd ♦ /etc/passwd file ♦ Unix permissions rwxrwxrwx chmod command Common Unix Administration Tasks (cont.) ♦ SetUID programs – Executes with permissions of its owner, not of its
    [Show full text]
  • The Complete Freebsd
    The Complete FreeBSD® If you find errors in this book, please report them to Greg Lehey <grog@Free- BSD.org> for inclusion in the errata list. The Complete FreeBSD® Fourth Edition Tenth anniversary version, 24 February 2006 Greg Lehey The Complete FreeBSD® by Greg Lehey <[email protected]> Copyright © 1996, 1997, 1999, 2002, 2003, 2006 by Greg Lehey. This book is licensed under the Creative Commons “Attribution-NonCommercial-ShareAlike 2.5” license. The full text is located at http://creativecommons.org/licenses/by-nc-sa/2.5/legalcode. You are free: • to copy, distribute, display, and perform the work • to make derivative works under the following conditions: • Attribution. You must attribute the work in the manner specified by the author or licensor. • Noncommercial. You may not use this work for commercial purposes. This clause is modified from the original by the provision: You may use this book for commercial purposes if you pay me the sum of USD 20 per copy printed (whether sold or not). You must also agree to allow inspection of printing records and other material necessary to confirm the royalty sums. The purpose of this clause is to make it attractive to negotiate sensible royalties before printing. • Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. • For any reuse or distribution, you must make clear to others the license terms of this work. • Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above.
    [Show full text]
  • Utmp, Wtmp, Sulog
    utmp, wtmp, sulog lastlog File UNIX records the last time that each user logged into the system in the lastlog log file. This time is displayed each time that you log in: e.g. login: grossman password: Last login Mon Feb 14 09:19 on console Unfortunately, the design of the lastlog mechanism is such that the previous contents of the file are overwritten at each login. As a result, if a user is inattentive for even a moment or if the login message clears the screen, the user may not notice a suspicious time. Furthermore, even if a suspicious time is noted, it is no longer available for the system administrator to examine. utmp, wtmp, utmpx, and wtmpx Files UNIX keeps track of who is currently logged into the system with a special file called utmp, or utmpx on Solaris systems. This is a binary file that contains a record for every active session and generally does not grow to be more than a few kilobytes in length. A second file, wtmpx, keeps a record of both logins and logouts. This file grows every time a user logs in or logs out and can grow to be many megabytes in length unless it is pruned. utmpx and wtmpx are found in /var/adm on our Solaris systems. utmp and wtmp do not exist in Solaris. The extended wtmpx file used by the Solaris operating system includes the following: Username, 32 characters instead of 8 inittab ID, indicates the type of connection Terminal name, 32 characters instead of 8 Device name Process ID of the login shell Code that denotes the type of entry Exit status of the process Time that the entry was made Session ID Unused bytes for future expansion Remote hostname for logins that originate over a network Examining the utmpx and wtmpx Files UNIX programs that report the users that are currently logged into the system, e.g.
    [Show full text]
  • Cisco Identity Services Engine CLI Reference Guide, Release 2.2 Americas Headquarters Cisco Systems, Inc
    Cisco Identity Services Engine CLI Reference Guide, Release 2.2 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]
  • System Analysis and Tuning Guide System Analysis and Tuning Guide SUSE Linux Enterprise Server 15 SP1
    SUSE Linux Enterprise Server 15 SP1 System Analysis and Tuning Guide System Analysis and Tuning Guide SUSE Linux Enterprise Server 15 SP1 An administrator's guide for problem detection, resolution and optimization. Find how to inspect and optimize your system by means of monitoring tools and how to eciently manage resources. Also contains an overview of common problems and solutions and of additional help and documentation resources. Publication Date: September 24, 2021 SUSE LLC 1800 South Novell Place Provo, UT 84606 USA https://documentation.suse.com Copyright © 2006– 2021 SUSE LLC and contributors. All rights reserved. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”. For SUSE trademarks, see https://www.suse.com/company/legal/ . All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its aliates. Asterisks (*) denote third-party trademarks. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its aliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof. Contents About This Guide xii 1 Available Documentation xiii
    [Show full text]
  • Security Guide Release 12.1
    Oracle® Communications User Data Repository Security Guide Release 12.1 E67764-01 March 2016 Oracle® Communications User Data Repository Security Guide Release 12.1 E67764-01 Copyright © 2015, 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are “commercial computer software” pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs.
    [Show full text]
  • Alterpath ACS V.2.6.1 Command Reference Guide
    AlterPath™ ACS Command Reference Guide Software Version 2.6.1 ACS ALTERPATH AlterPath 32 LINUX INSIDE Cyclades Corporation 3541 Gateway Boulevard Fremont, CA 94538 USA 1.888.CYCLADES (292.5233) 1.510.771.6100 1.510.771.6200 (fax) http://www.cyclades.com Release Date: April 2006 Part Number: PAC0193 © 2006 Cyclades Corporation, all rights reserved Information in this document is subject to change without notice. The following are registered or registration-pending trademarks of Cyclades Corporation in the United States and other countries: Cyclades and AlterPath. All trademarks, trade names, logos and service marks referenced herein, even when not specifically marked as such, belong to their respective companies and are not to be considered unprotected by law. Table of Contents ................................................................. Preface xix Purpose . xix Audience and User Levels. xix New Users. xix Power Users . xx How to use the CLI . xxi Modes of Operation . xxi Keywords meanings . xxii Interactive Mode . xxii CLI arguments. xxv Other important features of the CLI . xxv List of CLI Keywords . xxvii . How to use this Guide xxx Conventions and Symbols. xxxi Typeface and Fonts . xxxi Hypertext Links. xxxi Glossary Entries . xxxi Quick Steps . xxxi Parameter Syntax . xxxii Brackets and Hyphens (dashes) . xxxii Ellipses. xxxii Pipes. xxxii Greater-than and Less-than signs. xxxii Spacing and Separators . xxxiii Cautionary and Instructional Information. xxxiii Networking Settings . 1 Performing Basic Network Configuration Using the wiz Command . 1 Log Into ACS Through the Console . 1 Password . 2 Security Advisory . 2 Use the wiz Command to Configure Network Parameters. 4 Table of Contents Selecting A Security Profile. 6 To Select a Security Profile .
    [Show full text]
  • Mastering Linux Shell Scripting Second Edition
    Mastering Linux Shell Scripting Second Edition A practical guide to Linux command-line, Bash scripting, and Shell programming Mokhtar Ebrahim Andrew Mallett BIRMINGHAM - MUMBAI Mastering Linux Shell Scripting Second Edition Copyright © 2018 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. Commissioning Editor: Vijin Boricha Acquisition Editor: Rohit Rajkumar Content Development Editor: Ron Mathew Technical Editor: Prachi Sawant Copy Editor: Safis Editing Project Coordinator: Judie Jose Proofreader: Safis Editing Indexer: Mariammal Chettiyar Graphics: Tom Scaria Production Coordinator: Aparna Bhagat First published: December 2015 Second edition: April 2018 Production reference: 1180418 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-78899-055-4 www.packtpub.com mapt.io Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career.
    [Show full text]
  • Man Pages Section 1: User Commands
    man pages section 1: User Commands Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303-4900 U.S.A. Part No: 835-8001 December 2000 Copyright 2000 Sun Microsystems, Inc. 901 San Antonio Road, Palo Alto, California 94303-4900 U.S.A. All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, docs.sun.com, AnswerBook, AnswerBook2, Trusted Solaris, and Solaris are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.
    [Show full text]
  • Nelson Murilo
    #! /bin/sh # -*- Shell-script -*- # $Id: chkrootkit, v 0.44 2004/09/01 CHKROOTKIT_VERSION='0.44' # Authors: Nelson Murilo <nelson@pa ngeia.com.br> (main author) and # Klaus Steding-Jessen <[email protected]> # # (C)1997-2004 Nelson Murilo, Pangeia Informatica, AMS Foun dation and others. # All rights reserved ### workaround for some Bourne shell implementations unalias login > /dev/null 2>&1 unalias ls > /dev/null 2>&1 unalias netstat > /dev/null 2>&1 unalias ps > /dev/null 2>&1 unalias dirname > /dev/null 2>&1 # Native commands TROJAN="amd basename biff chfn chsh cron date du dirname echo egrep env find \ fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall \ ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 \ ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd \ tcpdump top telnetd timed traceroute vdir w write" # Tools TOOLS="aliens asp bindshell lkm r exedcs sniffer w55808 wted scalper slapper z2" # Return Codes INFECTED=0 NOT_INFECTED=1 NOT_TESTED=2 NOT_FOUND=3 INFECTED_BUT_DISABL ED=4 # Many trojaned commands have this label GENERIC_ROOTKIT_LABEL="^/bin/.*sh$|bash|elite$|vejeta|\.ark" ######################### ############################################# # tools functions # # 55808.A Worm # w55808 (){ W55808_FILES="${ROOTDIR}tmp/.../a ${RO OTDIR}tmp/.../r" STATUS=0 for i in ${W55808_FILES}; do if [ -f ${i} ]; then STATUS=1 fi done if [ ${STATUS} -eq 1 ] ;then echo "Warn ing: Possible 55808 Worm installed" else if [ "${QUIET}" != "t" ]; then echo "not infected"; fi return
    [Show full text]