Section 16.2 Log Files: Measures and Countermeasures


Many times, unless you happen to notice something askew, unusual entries in a log file are the first indication that someone has broken into your system. Crackers know this too! Any competent cracker who has gained root simply will edit your log files with vi or emacs to remove the evidence of her visit. This is quite easy and typically is done just before logging out.

There are two situations that need to be considered. The first is where the attempted break-in fails. This can be handled by periodically mailing a copy of each important log file to your e-mail account on a different system and then truncating the log file. (Truncating means discarding the file's contents so that it becomes zero length, without removing the file itself. This matters because the file may be held open by other processes; if you removed it instead, syslogd would keep writing to the now-unlinked file, invisibly, until it was restarted. One caveat: a process that holds the file open without O_APPEND continues writing at its old offset after truncation, leaving a run of NUL bytes at the front of the file. Most daemons, syslogd included, open their logs in append mode, so this rarely bites.)

Typically, you would do this via a cron job. The following script could be placed in /usr/local/bin as forecasts, mode 700 and owned by root. The name was made deliberately ordinary so that it does not advertise its purpose to someone listing the directory.

 
 #!/bin/sh
 cd /var/log || exit 1
 for f in crit messages syslog secure secure.ok \
     daemon ftpd/xferlog lpr cron mail
 do
         if [ -s "$f" ]
         then
                 Mail -s "LOG: $f" \
                     jimjoyce@othersys.vault.com < "$f"
                 # Keep a local copy in case the mail fails
                 cp "$f" "$f.old"
                 cp /dev/null "$f"
         fi
 done

In this example, you directly specify the SysAdmin's e-mail address. However, if the system administration duties are shared, or if the SysAdmin periodically goes on vacation, it would be much better to e-mail root or some other official address and either redirect e-mail for that address to one or more of the SysAdmins or have the one on duty check it frequently. Most shells and mail alerting programs (like xbiff) can monitor multiple mailboxes.

You then could arrange for the script to be invoked daily at 7 A.M. via a crontab entry added by root thusly. Note that the scratch file is created with mktemp rather than under a predictable name such as /tmp/foo2: root writing to a predictable file in /tmp invites a symlink attack in which a local user plants a link there first and root then overwrites whatever it points to.

 
 tmp=`mktemp /tmp/crontab.XXXXXX` || exit 1
 crontab -l > $tmp
 cat >> $tmp
 00 07 * * *     /usr/local/bin/forecasts
 control-D
 crontab $tmp
 /bin/rm -f $tmp

By e-mailing to an account on a different system, a cracker would need to break into two different systems to erase her tracks. By picking that other system to be one with very tight security, possibly on a different network or in a different organization, you make her job almost impossible.

There is a small race condition in the script in the event that a log entry is being generated at the instant it is running: an entry appended after the copy to $f.old but before the truncation is lost outright, and one appended while Mail is reading the file ends up in $f.old but not in the mailed copy. Allowing 0.1 second for the script to run against the 86,400 seconds in a day, any given entry has roughly a one-in-a-million chance of falling in that window, so a significant entry will be lost about once every million days.

In newer distributions of Linux there is the logrotate program, which works with the daemons themselves to rotate the log files periodically without this race. Because log files tend to grow very large, logrotate periodically renames each one to a backup name and then, through its postrotate script, signals the daemon (syslogd responds to SIGHUP) to close and reopen its log files. The daemon's open file descriptor follows the renamed file until the reopen, so entries written in between land in the backup rather than being lost.
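The rename-then-reopen mechanism, as an added example that is not from the book: the script below stands in for the daemon's open file descriptor with a shell descriptor, rotates the file by renaming it, writes an entry through the still-open descriptor, and then reopens the file as a daemon would on SIGHUP. The directory, log name and log entries are constructed for the demonstration; the kill -HUP mentioned in the comments is what a real postrotate step would do.

```shell
#!/bin/sh
# Added example (not from the book): rotate a log by renaming it and
# making the writer reopen it, instead of copying and truncating it.
# The "daemon" is simulated with shell descriptor 3; a real syslogd is
# told to reopen with: kill -HUP `cat /var/run/syslogd.pid`

# rotate_log LOG: rename LOG to LOG.1 and create a fresh, empty LOG.
# A writer that still holds the old file open keeps appending to LOG.1
# until it reopens, so nothing written in between is lost.
rotate_log() {
    rl_log=$1
    [ -f "$rl_log" ] || return 1
    mv -f "$rl_log" "$rl_log.1" || return 1
    : > "$rl_log"
    chmod 600 "$rl_log"
}

# demo_rotation DIR: write three entries, rotate, write one more through
# the still-open descriptor, reopen (the SIGHUP step), write one more.
# Prints "<lines in rotated file> <lines in new file>"; expected "4 1".
demo_rotation() {
    dir=$1
    log=$dir/messages
    exec 3>>"$log"                       # daemon opens the log (O_APPEND)
    echo "Jan  1 00:00:01 host sshd[100]: Accepted password for jim" >&3
    echo "Jan  1 00:00:02 host sshd[101]: Failed password for root" >&3
    echo "Jan  1 00:00:03 host su: jim to root on /dev/pts/1" >&3
    rotate_log "$log" || return 1
    # Written after the rename but before the reopen: lands in messages.1
    echo "Jan  1 00:00:04 host sshd[102]: Failed password for root" >&3
    exec 3>>"$log"                       # daemon reopens on SIGHUP
    echo "Jan  1 00:00:05 host sshd[103]: Accepted password for jim" >&3
    exec 3>&-
    old=$(wc -l < "$log.1" | tr -d ' ')
    new=$(wc -l < "$log" | tr -d ' ')
    echo "$old $new"
}

# Stand-alone run: sh rotate-demo.sh run
if [ "${1:-}" = "run" ]; then
    tmp=$(mktemp -d) || exit 1
    demo_rotation "$tmp"
    rm -rf "$tmp"
fi
```

Run with `sh rotate-demo.sh run` and it prints `4 1`: every entry written before the reopen, including the one written after the rename, is in messages.1, and only the post-reopen entry is in the new messages. The copy-and-truncate scheme in the forecasts script would have lost the fourth entry.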

You could get more elaborate by using grep or awk to filter out the many uninteresting entries. Using Logcheck or another automatic filtering program would be even better, though a periodic scan of the raw log files still is recommended. Logcheck is discussed in "Using Logcheck to Check Log Files You Never Check" on page 608.
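A first-pass awk filter in the spirit of Logcheck, as an added example that is not from the book or from Logcheck itself. Two pattern lists drive it: entries that are always interesting (failed logins, su to root, invalid users) and entries that are known noise (the cron job running forecasts, MARK lines, one trusted user's routine logins). Anything matching neither list is kept, so an event you have not seen before is never silenced. The sample log lines and the trusted address 10.0.0.x are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): drop known-noise syslog lines,
# always keep known-bad ones, and pass anything unrecognised through.

# filter_interesting: reads syslog lines on stdin, prints the ones that
# deserve a human's attention. Patterns are passed through the
# environment so that awk does not reprocess their backslashes.
filter_interesting() {
    HOT='failed password|authentication failure|invalid user|su: .* to root|refused connect|possible break-in' \
    COLD='cron\[[0-9]+]: \(root\) cmd|-- mark --|accepted password for jim from 10\.0\.0\.' \
    awk '
        BEGIN { hot = ENVIRON["HOT"]; cold = ENVIRON["COLD"] }
        {
            line = tolower($0)                 # case-insensitive match
            if (line ~ hot)  { print; next }   # always interesting
            if (line ~ cold) next              # known noise: drop
            print                              # unknown: keep it
        }'
}

# Constructed sample log lines (not real captures) for a dry run.
sample_lines() {
    cat <<'EOF'
Jan  1 07:00:01 host CRON[4321]: (root) CMD (/usr/local/bin/forecasts)
Jan  1 07:05:12 host sshd[4402]: Accepted password for jim from 10.0.0.7 port 40122 ssh2
Jan  1 07:05:40 host sshd[4410]: Failed password for root from 203.0.113.5 port 51222 ssh2
Jan  1 07:05:41 host sshd[4410]: Failed password for root from 203.0.113.5 port 51222 ssh2
Jan  1 07:20:00 host -- MARK --
Jan  1 07:31:09 host su(pam_unix)[4450]: session opened for user root by jim(uid=1000)
Jan  1 07:32:00 host sshd[4460]: Invalid user oracle from 203.0.113.5
EOF
}

# count_interesting: number of sample lines that survive the filter.
# Expected 4: the two failed root logins, the invalid user, and the
# unrecognised pam_unix su line (kept precisely because it is unknown).
count_interesting() {
    sample_lines | filter_interesting | wc -l | tr -d ' '
}

# Stand-alone run: sh logfilter.sh run
if [ "${1:-}" = "run" ]; then
    sample_lines | filter_interesting
fi
```

The pam_unix su line shows why the unknown-goes-through rule matters: it is a root session that neither list anticipates, and a filter built from noise patterns alone would have hidden it. The noise list should be grown from entries you have actually examined, never from guesses.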


The logrotate program is driven by a rather powerful configuration file with the unsurprising name /etc/logrotate.conf (most distributions also read per-service fragments from /etc/logrotate.d). The mailing and filtering discussed above can be added there: the mail directive sends a rotated log to an address (mailfirst mails the copy just rotated rather than the oldest one about to be discarded), and prerotate and postrotate blocks run arbitrary commands around the rotation.
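One such stanza, as an added example that is not from the book: it rotates /var/log/secure daily, mails each fresh rotation off the system as the forecasts script does, and tells syslogd to reopen its files so no entries are lost. The fragment name /etc/logrotate.d/secure and the address root@othersys.vault.com are assumptions for the illustration.

```conf
# Added example (not from the book): /etc/logrotate.d/secure
/var/log/secure {
    daily
    rotate 7
    missingok
    notifempty
    compress
    delaycompress                # keep .1 uncompressed so it can be mailed as-is
    create 0600 root root
    mail root@othersys.vault.com
    mailfirst                    # mail the copy just rotated, not the one being discarded
    sharedscripts
    postrotate
        # rename done; make syslogd close the old file and open the new one
        /bin/kill -HUP `cat /var/run/syslogd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
```

Test a stanza without touching anything with `logrotate -d /etc/logrotate.d/secure`, which prints what would be done, and run it for real once with `logrotate -f` to confirm the mail arrives on the other system before relying on it.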


    Real World Linux Security, Prentice Hall PTR Open Source Technology Series, 2002.