Installing LogSentry

LogSentry checks the various log files that the system produces. As system administrators we hardly have time to go through them every day, so having LogSentry help out takes some of that load off us: it examines the logs and reports what it finds.

Let's begin by placing logsentry-1.1.1.tar.gz in /home/util in case it has to be reinstalled in the future.
[root@one /]# cp logsentry-1.1.1.tar.gz /var/tmp/
[root@one /]# cd /var/tmp/
[root@one tmp]# tar xzpf logsentry-1.1.1.tar.gz
[root@one tmp]# cd logcheck-1.1.1/
[root@one logcheck-1.1.1]# cd systems/linux/
[root@one linux]# ls
README.linux            logcheck.hacking  logcheck.sh          logcheck.violations.ignore
README.linux.IMPORTANT  logcheck.ignore   logcheck.violations
[root@one linux]#
We start by copying the archive to /var/tmp, change to /var/tmp, extract the tar.gz, and then go into the logcheck-1.1.1/ and systems/linux/ directories. Running ls there shows the files listed above.

Begin by editing logcheck.sh so that it reads as follows: vi logcheck.sh
#!/bin/sh
#
#logcheck.sh: Log file checker
#Written by Craig Rowland <crowland@psionic.com>
#
#This file needs the program logtail.c to run
#
#This script checks logs for unusual activity and blatant
#attempts at hacking. All items are mailed to administrators
# for review. This script and the logtail.c program are based upon
# the frequentcheck.sh script idea from the Gauntlet(tm) Firewall
#(c)Trusted Information Systems Inc. The original authors are
#Marcus J. Ranum and Fred Avolio.
#
#Default search files are tuned towards the TIS Firewall toolkit and
# the TCP Wrapper program. Custom daemons and reporting facilities
#can be accounted for as well...read the rest of the script for
#details.
#
#Version Information
#
#1.0 9/29/96 -- Initial Release
#1.01 11/01/96 -- Added working /tmp directory for symlink protection
# (Thanks Richard Bullington (rbulling@obscure.org)
#1.1 1/03/97 -- Made this script more portable for Sun's.
# 1/03/97 -- Made this script work on HPUX
# 5/14/97 -- Added Digital OSF/1 logging support. Big thanks
# to Jay Vassos-Libove <libove@compgen.com> for his changes.
# CONFIGURATION SECTION
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
# Logcheck is pre-configured to work on most BSD like systems, however it
# is a rather dumb program and may need some help to work on other
# systems. Please check the following command paths to ensure they are
# correct.
# Person to send log activity to.
SYSADMIN=root
# Full path to logtail program.
# This program is required to run this script and comes with the package.
LOGTAIL=/usr/bin/logtail
# Full path to SECURED (non public writable) /tmp directory.
# Prevents Race condition and potential symlink problems. I highly
# recommend you do NOT make this a publicly writable/readable directory.
# You would also be well advised to make sure all your system/cron scripts
# use this directory for their "scratch" area.
TMPDIR=/var/logsentry
# The 'grep' command. This command MUST support the
# '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
# good GNUs for you Linux/FreeBSD/BSDI people :) ). The Sun grep I'm told
# does not support these switches, but the 'egrep' command does (Thanks
# Jason <jason@mastaler.com> ). Since grep and egrep are usually the GNU
# variety on most systems (well most Linux, FreeBSD, BSDI, etc) and just
# hard links to each other we'll just specify egrep here. Change this if
# you get errors.
# Linux, FreeBSD, BSDI, Sun, HPUX, etc.
GREP=egrep
# The 'mail' command. Most systems this should be OK to leave as is.
# If your default mail command does not support the '-s' (subject) command
# line switch you will need to change this command to one that does.
# The only system I've seen this to be a problem on are HPUX boxes.
# Naturally, the HPUX is so superior to the rest of UNIX OS's that they
# feel they need to do everything differently to remind the rest that
# they are the best ;).
# Linux, FreeBSD, BSDI, Sun, etc.
MAIL=mail
# HPUX 10.x and others(?)
#MAIL=mailx
# Digital OSF/1, Irix
#MAIL=Mail
# File of known active hacking attack messages to look for.
# Only put messages in here if you are sure they won't cause
# false alarms. This is a rather generic way of checking for
# malicious activity and can be inaccurate unless you know
# what past hacking activity looks like. The default is to
# look for generic ISS probes (who the hell else looks for
# "WIZ" besides ISS?), and obvious sendmail attacks/probes.
HACKING_FILE=/etc/logsentry/hacking
# File of security violation patterns to specifically look for.
# This file should contain keywords of information administrators should
# probably be aware of. May or may not cause false alarms sometimes.
# Generally, anything that is "negative" is put in this file. It may miss
# some items, but these will be caught by the next check. Move suspicious
# items into this file to have them reported regularly.
VIOLATIONS_FILE=/etc/logsentry/violations
# File that contains more complete sentences that have keywords from
# the violations file. These keywords are normal and are not cause for
# concern but could cause a false alarm. An example of this is the word
# "refused" which is often reported by sendmail if a message cannot be
# delivered or can be a more serious security violation of a system
# attaching to illegal ports. Obviously you would put the sendmail
# warning as part of this file. Use your judgement before putting words
# in here or you can miss really important events. The default is to leave
# this file with only a couple entries. DO NOT LEAVE THE FILE EMPTY. Some
# grep's will assume that an EMPTY file means a wildcard and will ignore
# everything! The basic configuration allows for the more frequent sendmail
# error.
#
# Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
VIOLATIONS_IGNORE_FILE=/etc/logsentry/violations.ignore
# This is the name of a file that contains patterns that we should
# ignore if found in a log file. If you have repeated false alarms
# or want specific errors ignored, you should put them in here.
# Once again, be as specific as possible, and go easy on the wildcards
IGNORE_FILE=/etc/logsentry/ignore
# The files are reported in the order of hacking, security
# violations, and unusual system events. Notice that this
# script uses the principle of "That which is not explicitly
# ignored is reported" in that the script will report all items
# that you do not tell it to ignore specifically. Be careful
# how you use wildcards in the logcheck.ignore file or you
# may miss important entries.
# Make sure we really did clean up from the last run.
# Also this ensures that people aren't trying to trick us into
# overwriting files that we aren't supposed to. This is still a race
# condition, but if you are in a temp directory that does not have
# generic luser access it is not a problem. Do not allow this program
# to write to a generic /tmp directory where others can watch and/or
# create files!!
# Shouldn't need to touch these...
HOSTNAME=`hostname`
DATE=`date +%m/%d/%y:%H.%M`
umask 077
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
echo "Log files exist in $TMPDIR directory that cannot be removed. This may be an attempt to spoof the log checker." \
| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
exit 1
fi
# LOG FILE CONFIGURATION SECTION
# You might have to customize these entries depending on how
# you have syslogd configured. Be sure you check all relevant logs.
# The logtail utility is required to read and mark log files.
# See INSTALL for more information. Again, using one log file
# is preferred and is easier to manage. Be sure you know what the
# > and >> operators do before you change them. LOG FILES SHOULD
# ALWAYS BE chmod 600 OWNER root!!
# Generic and Linux Slackware 3.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
# Linux Red Hat Version 3.x, 4.x
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
# FreeBSD 2.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
# BSDI 2.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
#$LOGTAIL /var/log/ftp.log >> $TMPDIR/check.$$
# Un-comment out the line below if you are using BSDI 2.1
#$LOGTAIL /var/log/daemon.log >> $TMPDIR/check.$$
# SunOS, Sun Solaris 2.5
#$LOGTAIL /var/log/syslog > $TMPDIR/check.$$
#$LOGTAIL /var/adm/messages >> $TMPDIR/check.$$
# HPUX 10.x and others(?)
#$LOGTAIL /var/adm/syslog/syslog.log > $TMPDIR/check.$$
# Digital OSF/1
# OSF/1 - uses rotating log directory with date & time in name
# LOGDIRS=`find /var/adm/syslog.dated/* -type d -prune -print`
# LOGDIR=`ls -dtr1 $LOGDIRS | tail -1`
# if [ ! -d "$LOGDIR" ]
# then
# echo "Can't identify current log directory." >> $TMPDIR/checkrepo$
# else
# $LOGTAIL $LOGDIR/auth.log >> $TMPDIR/check.$$
# $LOGTAIL $LOGDIR/daemon.log >> $TMPDIR/check.$$
# $LOGTAIL $LOGDIR/kern.log >> $TMPDIR/check.$$
# $LOGTAIL $LOGDIR/lpr.log >> $TMPDIR/check.$$
# $LOGTAIL $LOGDIR/mail.log >> $TMPDIR/check.$$
# $LOGTAIL $LOGDIR/syslog.log >> $TMPDIR/check.$$
# $LOGTAIL $LOGDIR/user.log >> $TMPDIR/check.$$
# fi
#
# END CONFIGURATION SECTION. YOU SHOULDN'T HAVE TO EDIT ANYTHING
# BELOW THIS LINE.
# Set the flag variables
FOUND=0
ATTACK=0
# See if the tmp file exists and actually has data to check,
# if it doesn't we should erase it and exit as our job is done.
if [ ! -s $TMPDIR/check.$$ ]; then
rm -f $TMPDIR/check.$$
exit 0
fi
# Perform Searches
# Check for blatant hacking attempts
if [ -f "$HACKING_FILE" ]; then
if $GREP -i -f $HACKING_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
echo >> $TMPDIR/checkreport.$$
echo "Active System Attack Alerts" >> $TMPDIR/checkreport.$$
echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
FOUND=1
ATTACK=1
fi
fi
# Check for security violations
if [ -f "$VIOLATIONS_FILE" ]; then
if $GREP -i -f $VIOLATIONS_FILE $TMPDIR/check.$$ |
   $GREP -v -f $VIOLATIONS_IGNORE_FILE > $TMPDIR/checkoutput.$$; then
echo >> $TMPDIR/checkreport.$$
echo "Security Violations" >> $TMPDIR/checkreport.$$
echo "=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
FOUND=1
fi
fi
# Do reverse grep on patterns we want to ignore
if [ -f "$IGNORE_FILE" ]; then
if $GREP -v -f $IGNORE_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
echo >> $TMPDIR/checkreport.$$
echo "Unusual System Events" >> $TMPDIR/checkreport.$$
echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
FOUND=1
fi
fi
# If there are results, mail them to sysadmin
if [ "$ATTACK" -eq 1 ]; then
cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
elif [ "$FOUND" -eq 1 ]; then
cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE system check" $SYSADMIN
fi
# Clean Up
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
The red lines on the yellow background are the edits, six lines in all: the path settings LOGTAIL, TMPDIR, HACKING_FILE, VIOLATIONS_FILE, VIOLATIONS_IGNORE_FILE and IGNORE_FILE. Alternatively you can select everything on the yellow background, paste it into NotePad, and then paste it into the putty session where we are editing logcheck.sh. I put this file in /home/util:

cp logcheck.sh /home/util
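As an added illustration (not code from this page or from LogSentry), the following shell script re-creates the three checks logcheck.sh performs on a handful of constructed log lines and pattern files, so the effect of each tier and of the two ignore files can be seen before touching the real /etc/logsentry files. The pattern files, log lines, hostnames and addresses are all made up here; the only real dependency is a grep that supports -E, -i, -v and -f.

```shell
#!/bin/sh
# Added example, not part of LogSentry or the original page: a scaled-down
# re-creation of the three checks logcheck.sh runs, applied to log lines and
# pattern files constructed here for illustration (hosts and addresses are
# placeholders). It shows the order hacking -> violations -> "not ignored"
# and how each ignore file trims its own tier only.

WORK=$(mktemp -d)            # private scratch area, same role as TMPDIR
trap 'rm -rf "$WORK"' EXIT
umask 077

# Constructed stand-ins for /etc/logsentry/hacking, violations,
# violations.ignore and ignore. Each line is an extended regex (egrep).
printf '%s\n' 'WIZ' 'LOGIN root REFUSED'          > "$WORK/hacking"
printf '%s\n' 'refused' 'denied' 'failed'         > "$WORK/violations"
printf '%s\n' 'sendmail.*Connection refused'      > "$WORK/violations.ignore"
printf '%s\n' 'CROND.*CMD' 'sendmail.*stat=Sent'  > "$WORK/ignore"

# Constructed sample of what $LOGTAIL would have collected into check.$$.
cat > "$WORK/check" <<'EOF'
Jan  5 03:12:01 one CROND[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jan  5 03:12:07 one sendmail[1240]: ABC123: to=user, stat=Sent
Jan  5 03:13:44 one sendmail[1251]: ABC124: to=user, stat=Deferred: Connection refused by mx.example.invalid
Jan  5 03:15:02 one sshd[1260]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Jan  5 03:15:09 one sendmail[1262]: NOQUEUE: WIZ attempt from 192.0.2.11
Jan  5 03:16:30 one kernel: eth0: link up
EOF

# Tier 1 (Active System Attack Alerts): case-insensitive match, no ignore list.
hacking_hits()   { grep -E -i -f "$WORK/hacking" "$WORK/check"; }

# Tier 2 (Security Violations): keyword match minus the violations.ignore
# exceptions. The second grep is case-sensitive, exactly as in the script.
violation_hits() { grep -E -i -f "$WORK/violations" "$WORK/check" | grep -E -v -f "$WORK/violations.ignore"; }

# Tier 3 (Unusual System Events): "that which is not explicitly ignored is
# reported". Lines already shown in tiers 1 and 2 appear here again; the
# script does not de-duplicate.
unusual_hits()   { grep -E -v -f "$WORK/ignore" "$WORK/check"; }

count() { wc -l | tr -d ' '; }

# Mail subject decision mirrors the end of logcheck.sh: an attack hit wins,
# anything else found gives a plain report, nothing found means no mail.
report_subject() {
    if [ -n "$(hacking_hits)" ]; then
        echo "ACTIVE SYSTEM ATTACK!"
    elif [ -n "$(violation_hits)$(unusual_hits)" ]; then
        echo "system check"
    fi
}

echo "hacking:    $(hacking_hits | count)"    # 1  (the WIZ probe)
echo "violations: $(violation_hits | count)"  # 1  (sshd failure; the sendmail refusal is excused)
echo "unusual:    $(unusual_hits | count)"    # 4  (everything except the two ignored lines)
echo "subject:    $(report_subject)"          # ACTIVE SYSTEM ATTACK!
```

The point to notice is the third tier: because the script reports everything that is not explicitly ignored, any line from the first two tiers shows up again under Unusual System Events, and an over-broad pattern in ignore hides lines from that tier only, never from the hacking or violations checks. The empty-file warning in the script comments applies to violations.ignore and ignore: with a grep that treats an empty pattern file as matching everything, the grep -v step would drop every line and the section would silently go blank.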
Next, edit the Makefile as shown below.
# Makefile for logcheck package.
# logtail.c : Log file tailing program
#
# Send problems/code hacks to crowland@psionic.com or crowland@vni.net
# Thanks to rbulling@obscure.org for cleaning this Makefile up..
#
# Generic compiler
CC = cc
# GNU..
# CC = gcc
# Normal systems flags
CFLAGS = -O2 -march=i686 -funroll-loops
# Braindead HPUX compiler flags
#CFLAGS = -O -Aa
# If you change these be sure you edit logcheck.sh to reflect
# the new paths!!
# This is where keyword files go.
INSTALLDIR = /etc/logsentry
# This is where logtail will go
INSTALLDIR_BIN = /usr/bin
# Some people want the logcheck.sh in /usr/local/bin. Uncomment this
# if you want this. /usr/local/etc was kept for compatibility reasons.
#INSTALLDIR_SH = /usr/local/bin
INSTALLDIR_SH = /usr/sbin
# The scratch directory for logcheck files.
TMPDIR = /var/logsentry
# Debug mode for logtail
# CFLAGS = -g -DDEBUG
all:
	@echo "Usage: make <systype>"
	@echo "<systype> is one of: "
	@echo " linux, bsdos, freebsd, sun, generic, hpux, digital"
	@echo ""
	@echo "NOTE: This will make and install the package in these"
	@echo " directories:"
	@echo " logcheck configuration files : $(INSTALLDIR)"
	@echo " logcheck.sh shell script     : $(INSTALLDIR_SH)"
	@echo " logtail program              : $(INSTALLDIR_BIN)"
	@echo ""
	@echo "Edit the makefile if you wish to change these paths."
	@echo "Any existing files will be overwritten."
clean:
	/bin/rm ./src/logtail ./src/logtail.o
uninstall:
	/bin/rm $(INSTALLDIR_SH)/logcheck.sh
	/bin/rm $(INSTALLDIR)/logcheck.ignore
	/bin/rm $(INSTALLDIR)/logcheck.hacking
	/bin/rm $(INSTALLDIR)/logcheck.violations
	/bin/rm $(INSTALLDIR)/logcheck.violations.ignore
	/bin/rm $(INSTALLDIR_BIN)/logtail
install:
	@echo "Making $(SYSTYPE)"
	$(CC) $(CFLAGS) -o ./src/logtail ./src/logtail.c
	@echo "Creating temp directory $(TMPDIR)"
	@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
	@echo "Setting temp directory permissions"
	chmod 700 $(TMPDIR)
	@echo "Copying files"
	cp ./systems/$(SYSTYPE)/logcheck.hacking $(INSTALLDIR)
	cp ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)
	cp ./systems/$(SYSTYPE)/logcheck.violations.ignore $(INSTALLDIR)
	cp ./systems/$(SYSTYPE)/logcheck.ignore $(INSTALLDIR)
	cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
	cp ./src/logtail $(INSTALLDIR_BIN)
	@echo "Setting permissions"
	chmod 700 $(INSTALLDIR_SH)/logcheck.sh
	chmod 700 $(INSTALLDIR_BIN)/logtail
	chmod 600 $(INSTALLDIR)/logcheck.violations.ignore
	chmod 600 $(INSTALLDIR)/logcheck.violations
	chmod 600 $(INSTALLDIR)/logcheck.hacking
	chmod 600 $(INSTALLDIR)/logcheck.ignore
	@echo "Done. Don't forget to set your crontab."
generic:
	make install SYSTYPE=generic
linux:
	make install SYSTYPE=linux
bsdos:
	make install SYSTYPE=bsdos
freebsd:
	make install SYSTYPE=freebsd
sun:
	make install SYSTYPE=sun
hpux:
	make install SYSTYPE=hpux
digital:
	make install SYSTYPE=digital
Likewise, the red lines on the yellow background are the edits, five lines in all: CFLAGS, INSTALLDIR, INSTALLDIR_BIN, INSTALLDIR_SH and TMPDIR. You can again select everything on the yellow background, paste it into NotePad, and then paste it into the putty session where we are editing the Makefile. Or you can download all three files, logsentry-1.1.1.tar.gz, logcheck.sh and Makefile, here.
[root@one logcheck-1.1.1]# cd
[root@one root]# find /* > LogSentry1
[root@one root]# cd /var/tmp/logcheck-1.1.1/
[root@one logcheck-1.1.1]# mkdir -m 0700 /etc/logsentry
[root@one logcheck-1.1.1]# make linux
[root@one logcheck-1.1.1]# strip /usr/bin/logtail
[root@one logcheck-1.1.1]# cd /etc/logsentry/
[root@one logsentry]# mv logcheck.hacking hacking
[root@one logsentry]# mv logcheck.violations violations
[root@one logsentry]# mv logcheck.violations.ignore violations.ignore
[root@one logsentry]# mv logcheck.ignore ignore
[root@one logsentry]# cd
[root@one root]# find /* > LogSentry2
[root@one root]# diff LogSentry1 LogSentry2 > LogSentry-Installed
Then run the commands above one line at a time and LogSentry is installed as intended. The next task is to have the machine run it every day by creating a file named logsentry in /etc/cron.daily/ with the following content:
#!/bin/sh
# Daily check Log files for security violations and unusual activity.
/home/util/logcheck.sh
Then change the permissions of that file:

[root@one /]# chmod 510 /etc/cron.daily/logsentry
Note that LogSentry sends no e-mail report when there is nothing to report.
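Running the check from cron.daily works because logtail reads only what has been appended to each log since the last run, remembering the byte offset it reached in a small offset file next to the log. The script below is an added shell sketch of that idea, not LogSentry's logtail.c and not code from this page; the offset-file name and the rotation rule (a log shorter than the saved offset is read from the start) are assumptions of the sketch, and the log contents are constructed.

```shell
#!/bin/sh
# Added example, not LogSentry's logtail.c: a shell sketch of what logtail does
# for logcheck.sh, so that each daily cron run only examines entries appended
# since the previous run. The offset-file name and the rotation rule are the
# ones this sketch assumes.

# logtail_like LOGFILE OFFSETFILE
# Print the bytes of LOGFILE after the offset saved in OFFSETFILE, then record
# the current size as the new offset.
logtail_like() {
    lt_log=$1
    lt_off=$2
    lt_size=$(wc -c < "$lt_log" | tr -d ' ')
    lt_start=0
    if [ -f "$lt_off" ]; then
        lt_start=$(cat "$lt_off")
    fi
    # A log shorter than the saved offset has been rotated or truncated:
    # rewind to the beginning rather than silently skipping the new file.
    if [ "$lt_size" -lt "$lt_start" ]; then
        lt_start=0
    fi
    tail -c +$((lt_start + 1)) "$lt_log"     # tail -c +N starts at byte N (1-based)
    echo "$lt_size" > "$lt_off"
}

# Walk through first run, incremental run, idle run and rotation on a
# constructed log; returns the four line counts as one string.
logtail_demo() {
    d=$(mktemp -d)
    dlog=$d/messages
    doff=$d/messages.offset
    printf 'line1\nline2\nline3\n' > "$dlog"
    first=$(logtail_like "$dlog" "$doff" | wc -l | tr -d ' ')    # 3: everything on the first run
    printf 'line4\nline5\n' >> "$dlog"
    second=$(logtail_like "$dlog" "$doff" | wc -l | tr -d ' ')   # 2: only the appended lines
    third=$(logtail_like "$dlog" "$doff" | wc -l | tr -d ' ')    # 0: nothing new, logcheck.sh would exit quietly
    printf 'fresh1\n' > "$dlog"                                  # simulate logrotate replacing the file
    fourth=$(logtail_like "$dlog" "$doff" | wc -l | tr -d ' ')   # 1: rewound after rotation
    rm -rf "$d"
    echo "$first $second $third $fourth"
}

logtail_demo    # prints: 3 2 0 1
```

The idle run is what makes the last note above true: when nothing has been appended, check.$$ ends up empty, the `! -s` test in logcheck.sh removes it and exits, and no mail is sent. The offset files live beside the logs, which is one more reason the log directory and the logs themselves should be owned by root and not writable by anyone else, as the script's own comments insist.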