Common System Log Changes

To finish up the chapter, we'll take a quick look at some of the common Mac OS X logs, and some improvements that can be made by changing the system defaults. These changes aren't necessary to run a secure system, but they do provide additional feedback on how your system is being used (or abused), which, in turn , make you less likely to be caught off guard in the future.

FTP Logs

On a default Mac OS X installation, the FTP process will simply log connections and login failures:

 Nov 23 17:27:15 despair ftpd[1195]: connection from localhost to localhost Nov 23 21:19:17 despair ftpd[1841]: connection from docs33-171.menta.net     to despair.ag.ohio-state.edu Nov 23 21:19:18 despair ftpd[1841]: ANONYMOUS FTP LOGIN     REFUSED FROM docs33-171.menta.net Nov 24 14:00:02 despair ftpd[2098]: connection from www.ag.ohio-state.edu     to despair.ag.ohio-state.edu Nov 24 14:00:07 despair ftpd[2098]: FTP LOGIN FROM www.ag.ohio-state.edu     as jray (class: real, type: REAL) 

This is of little use in determining who wrote those XBox ISO images to a directory that was accidentally left with world write permissions, or who has been eating up bandwidth by transferring personal files to and from the server for backups .

The default Mac OS X FTP server can be changed to log information about GET s and PUT s if you edit /etc/xinetd.d/ftp so that it passes two -l (log) switches to the daemon at startup:

 service ftp {         disable = no         socket_type     = stream         wait            = no         user            = root         server          = /usr/libexec/ftpd         server_args     = -l-l         groups          = yes         flags           = REUSE } 

Restarting xinetd ( killall -HUP xinetd ) (or starting and stopping the FTP service) puts the changes into effect.

With the additional logging function enabled, the logs will contain expanded information on the files being transferred:

 Nov 23 23:51:01 www ftpd[23]: connection from    27-pool1.ras14.ilchi-e.alerondial.net to www.ag.ohio-state.edu Nov 23 23:51:02 www ftpd[23]: FTP LOGIN FROM    27-pool1.ras14.ilchi-e.alerondial.net as gmg (class: real, type: REAL) Nov 23 23:52:58 www ftpd[23]: get BUG.HTM = 545 bytes in 0.006 seconds Nov 23 23:53:00 www ftpd[23]: get C_EDU.HTM = 15877 bytes in 0.027 seconds Nov 23 23:53:05 www ftpd[23]: get C_FAIR.HTM = 20960 bytes in 0.033 seconds Nov 23 23:53:52 www ftpd[23]: get Xpeople.htm = 79158 bytes in 3.618 seconds Nov 23 23:53:54 www ftpd[23]: get XSTREET.HTM = 549 bytes in 0.017 seconds Nov 23 23:55:53 www ftpd[23]: Data traffic: 191747 bytes in 23 files Nov 23 23:55:53 www ftpd[23]: Total traffic: 199236 bytes in 24 transfers Nov 24 00:52:24 www ftpd[24]: connection from    27-pool1.ras14.ilchi-e.alerondial.net to www.ag.ohio-state.edu Nov 24 00:52:25 www ftpd[24]: FTP LOGIN FROM    27-pool1.ras14.ilchi-e.alerondial.net as gmg (class: real, type: REAL) Nov 24 00:53:15 www ftpd[24]: put HOME.HTM = 1963 bytes in 0.978 seconds Nov 24 00:53:17 www ftpd[24]: put LEFT.HTM = 1829 bytes in 0.778 seconds Nov 24 00:53:20 www ftpd[24]: put RITE.HTM = 2311 bytes in 1.008 seconds Nov 24 00:53:22 www ftpd[24]: put STyle.CSS = 2333 bytes in 0.948 seconds Nov 24 00:53:24 www ftpd[24]: put TOP.HTM = 872 bytes in 0.689 seconds Nov 24 00:53:29 www ftpd[24]: Data traffic: 9308 bytes in 5 files Nov 24 00:53:29 www ftpd[24]: Total traffic: 16908 bytes in 7 transfers 

Webserver Logs

The Mac OS X default Apache configuration uses the common log format. Although it is recognized by most log analysis software, the common format has been largely replaced by the combined log format, which contains the same information as the common format, but also includes fields for the referrer (what site linked to the page) and the user-agent (the browser type/version that accessed the page).

To switch to combined format, search for the definition of CustomLog in /etc/httpd/httpd.conf and change the last parameter of the line to read combined , like this:

 # # The location and format of the access logfile (Common Logfile Format). # If you do not define any access logfiles within a <VirtualHost> # container, they will be logged here. Contrariwise, if you *do* # define per-<VirtualHost> access logfiles, transactions will be # logged therein and *not* in this file. # CustomLog "/private/var/log/httpd/access_log" combined 

Restart Apache ( /usr/sbin/apachectl restart ) to complete the switch.

TCP Wrappers

As mentioned earlier, if you're using TCP Wrappers to protect services in /etc/inetd.conf , you will not see connection attempts that are being denied . To log the messages from TCP Wrappers, you must add a line to /etc/syslog.conf that selects messages from the syslog facility and logs them to another log, such as /var/log/secure.log :

 syslog.err                        /var/log/hum.log 

After restarting inetd , the subsequent connections that are rejected by TCP Wrappers will be logged in /var/log/secure.log , like this:

 Nov 23 17:42:54 despair ftpd[1234]:    refused connect from soyokaze.biosci.ohio-state.edu Nov 23 17:44:26 despair ftpd[1241]:    refused connect from soyokaze.biosci.ohio-state.edu Nov 23 17:46:39 despair ftpd[1247]:    refused connect from soyokaze.biosci.ohio-state.edu 

Obviously this is important information that would otherwise be missing from the system logs.

AppleShare

Logging of the Mac OS X AppleShare fileserver is limited to errors in the default configuration of Mac OS X. This can be quickly corrected if you toggle the /config/AppleFileServer/activity_log bit in the NetInfo database:

 #  nicl . -delete /config/AppleFileServer activity_log  #  nicl . -create /config/AppleFileServer activity_log 1  

After you start and stop File Sharing, the /Library/Logs/AppleFileService/AppleFileServiceAccess.log file will be created, and will log access to the server:

 !!Log File Created On: 11/24/2002 15:24:55 327:0:0 GMT **** - - [24/Nov/2002:15:24:55 -0500] "Mounted Volume Picasso" 0 0 0 **** - - [24/Nov/2002:15:24:55 -0500] "DiskArbStart -" 0 4355 0 IP 10.0.1.101 - - [24/Nov/2002:15:35:14 -0500] "Login John Ray" -5001 0 0 IP 10.0.1.101 - - [24/Nov/2002:15:35:15 -0500] "Login John Ray" 0 0 0 IP 10.0.1.101 - - [24/Nov/2002:15:35:30 -0500] "Create chimera-0.6.dmg" 0 0 0 IP 10.0.1.101 - - [24/Nov/2002:15:35:30 -0500] "OpenFork chimera-0.6.dmg" 0 0 0 IP 10.0.1.101 - - [24/Nov/2002:15:35:30 -0500] "OpenFork chimera-0.6.dmg" 0 0 0 IP 10.0.1.101 - - [24/Nov/2002:15:36:10 -0500] "OpenFork .VolumeIcon.icns" 0 0 0 IP 10.0.1.101 - - [24/Nov/2002:15:36:15 -0500] "OpenFork .DS_Store" 0 0 0 

You can control the log's verbosity by altering the NetInfo key /config/AppleFileServer/logging_attributes . The default value of the logging_attributes key is

 Login_ON,Logout_ON,CreateDir_ON,CreateFile_ON,OpenForkk_ON,Delete_ON 

You can toggle each attribute to an OFF state by changing the _ON to _OFF in the attribute string, then writing the value back to NetInfo. Because each of these attributes is stored in a single string (that is, the list of attributes is a single value for logging_attributes ), it's easiest to edit these from inside the NetInfo Manager, rather than to use nicl .

Samba Logging

Samba's default logging state records little more than logins and logouts to the Samba daemon (level 0). It is recommended that active Windows servers run at level 1 to collect a reasonable amount of information. Levels can be set to any value between 0 and 10, where values above 3 are not recommended for nondevelopers.

To set the log level for Samba, add log_level= <level #> to the global section of the /etc/smb.conf file:

 # Global parameters [global]  log_level = 1  coding system = utf8         client code page = 437         encrypt passwords = Yes         os level = 255         preferred master = True ... 

Restart Windows File Sharing for the change to take effect.