Securing Solaris – Using syslogs during an Intrusion
Randy Marchany
va-scan, Copyright 2002, Marchany

Transcript of the slide deck (12 slides).

Page 1:

Securing Solaris – Using syslogs during an Intrusion

Randy Marchany

Page 2:

Introduction

Reference document: “Inspecting your Solaris system and network logs for evidence of intrusions”, www.cert.org/security-improvements/implementations/i003.html

– Inspect log files daily.
– Document unusual entries you find.

Page 3:

Introduction

Investigate each documented abnormality:
– Can it be explained by an authorized user?
– Can it be explained by known system activity?
– Can it be explained by known changes to programs?

Report all confirmed evidence of intrusion to your sysadmin (Milko) or [email protected].

Page 4:

System Log Files

Most log information is sent to /var/adm/messages.

mail.debug information is sent to /var/log/syslog or /var/adm/syslog.

auth.notice messages aren’t logged to a file by default. Check /etc/syslog.conf for the exact locations of the system log files.
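A worked check for the syslog.conf point above, added here as an example and not part of the slides: it resolves which actions in a syslog.conf receive a given facility.level under the classic Solaris selector rules, using a constructed configuration modelled on the stock Solaris 8 file, and reports rules that syslogd would ignore because they use spaces instead of a tab. The names SAMPLE_CONF, parse_conf and destinations are this example's own.

```python
"""Which syslog.conf actions receive a given facility.level?

Added example, not from the slides. It follows the selector rules of the
classic Solaris syslogd: "facility.level" matches that level and every more
severe one, "*" matches all facilities, "none" drops a facility, the last
selector naming a facility wins, and selector and action must be TAB-separated.
"""

LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample modelled on a stock Solaris 8 syslog.conf (m4 macros
# removed). The last line is a deliberate mistake: spaces instead of a tab.
SAMPLE_CONF = """\
*.err;kern.notice;auth.notice\t/dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages
*.alert;kern.err;daemon.err\toperator
*.alert\troot
*.emerg\t*
mail.debug\t/var/log/syslog
auth.notice /var/log/authlog
"""

def parse_conf(text):
    """Return (rules, bad_lines); a rule is ([(facility, level), ...], action)."""
    rules, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].rstrip()
        if not line:
            continue
        if "\t" not in line:
            bad.append((n, line))          # syslogd silently ignores this rule
            continue
        sel, action = line.split("\t", 1)
        selectors = [tuple(s.split(".", 1)) for s in sel.split(";") if "." in s]
        rules.append((selectors, action.strip()))
    return rules, bad

def destinations(text, facility, level):
    """List the actions (files, devices, users) that receive facility.level."""
    hits = []
    for selectors, action in parse_conf(text)[0]:
        matched = False
        for fac, lvl in selectors:
            if fac in ("*", facility):      # later selectors override earlier ones
                matched = lvl != "none" and LEVELS.index(level) >= LEVELS.index(lvl)
        if matched:
            hits.append(action)
    return hits

if __name__ == "__main__":
    print("auth.notice goes to:", destinations(SAMPLE_CONF, "auth", "notice"))
    for n, line in parse_conf(SAMPLE_CONF)[1]:
        print(f"line {n} ignored (no tab): {line!r}")
```

With the sample file, auth.notice reaches only the console device /dev/sysmsg, which is exactly why the slide says it is not logged by default; the space-separated line that was meant to fix this is ignored until the separator is a tab.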

Page 5:

System Log Files

/var/adm/messages
– Records system console output and syslog messages.
– Look for unexpected system halts
  • Mar 31 12:48:31 <hostname> unix: halted by <user>
– Look for unexpected system boots
– Look for failed su and login commands
– Look for unexpected successful su commands
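To turn the checklist on this slide into a repeatable triage pass, here is an added example (not from the slides) that scans a messages file for the halt, boot, failed login, failed su and successful su lines the slide describes. The sample lines are constructed in the style of Solaris 8 syslog output; the host and user names are made up, and the su and login message wording is assumed to follow the stock Solaris programs.

```python
"""Triage /var/adm/messages for the events the slide says to look for:
unexpected halts and boots, failed su/login, and successful su.

Added example, not from the slides. Python 3. The sample lines are
constructed in the form of Solaris 8-era syslog output; host and user
names are made up. Remember that the su/login lines only reach a file
if auth.notice is routed there in /etc/syslog.conf.
"""
import re
from collections import defaultdict

# Constructed sample; the "halted by" line follows the format quoted on the slide.
SAMPLE_MESSAGES = """\
Mar 31 12:48:31 sol8 unix: halted by jdoe
Mar 31 12:51:02 sol8 unix: [ID 389951 kern.info] SunOS Release 5.8 Version Generic_108528-13 64-bit
Mar 31 23:14:07 sol8 login: [ID 143248 auth.notice] REPEATED LOGIN FAILURES ON /dev/pts/2 FROM outside.example.net, jdoe
Mar 31 23:15:40 sol8 su: [ID 366847 auth.crit] 'su root' failed for jdoe on /dev/pts/2
Mar 31 23:16:12 sol8 su: [ID 366847 auth.notice] 'su root' succeeded for jdoe on /dev/pts/2
Apr  1 09:00:00 sol8 sendmail[231]: [ID 702911 mail.info] starting daemon
"""

STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
PATTERNS = [
    ("halt",       re.compile(r"unix: halted by (\S+)")),
    ("boot",       re.compile(r"SunOS Release (\S+)")),
    ("login_fail", re.compile(r"REPEATED LOGIN FAILURES ON (\S+) FROM ([^,]+), (\S+)")),
    ("su_fail",    re.compile(r"'su (\S+)' failed for (\S+) on (\S+)")),
    ("su_ok",      re.compile(r"'su (\S+)' succeeded for (\S+) on (\S+)")),
]

def classify(line):
    """Return (category, timestamp, host, captured fields) or None for noise."""
    m = STAMP.match(line)
    if not m:
        return None
    stamp, host, rest = m.groups()
    for cat, pat in PATTERNS:
        hit = pat.search(rest)
        if hit:
            return cat, stamp, host, hit.groups()
    return None

def triage(text):
    """Group every interesting line by category, preserving file order."""
    found = defaultdict(list)
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            found[hit[0]].append(hit[1:])
    return dict(found)

if __name__ == "__main__":
    for cat, events in triage(SAMPLE_MESSAGES).items():
        for stamp, host, fields in events:
            print(f"{cat:10} {stamp} {host} {' '.join(fields)}")
```

Each hit still has to be explained by an authorized user, known system activity or a known change, as the Introduction slides require; a halt followed by a boot at lunchtime may be routine, while a late-night login failure followed by a successful su to root from an outside host is the pattern worth documenting.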

Page 6:

System Log Files

/var/adm/pacct
– Records all commands run by users. Process accounting must be enabled before this file is generated.
– The lastcomm command will show the commands.

/var/adm/aculog
– Keeps track of dial-out modems.
– Look for dial-out records or unauthorized use of dial-out modems.

Page 7:

System Log Files

/var/log/syslog
– Contains the sendmail log entries for the system.
– TCP Wrapper and portsentry loggers write their entries to this file.

Page 8:

Process Analysis

Normal System Functions
– What processes do you expect to be running on this system?

System Users
– Is it normal for each of these users to be using the system at this time of day?
– From where are they accessing the system? Is this expected?

Page 9:

Process Analysis

Executing Processes
– How was the process started? By what user?
– What is the current status of the process? Running, stopped, suspended, swapped out, exiting?
– Is it missing from the processes you expected to be active?
– What system settings are in effect for this process?

Page 10:

Process Analysis

Executing Processes
– What options or input arguments is the process executing? Are they valid?
– Are the system resources being used consistent with what you expect the process to be using?
– What is the relationship between the process and other processes running on the system? Is there a parent-child relationship?

Page 11:

Process Analysis

Open Files
– What files are opened by the process?
– Is it authorized to open these files?
– Any access to sensitive system files, e.g., password files?
– Any unauthorized attempts to open a file?
– Any file access errors?
– What files are imported or exported?

Page 12:

Process Analysis

Network Connections
– Has the process opened any network connections to external sites?
– Have any connection failures been recorded?
– Have there been any unexpected connections?
– Are there any open network sockets that can’t be attributed to valid processes?
– In what mode is each socket open?
– Are all of the network interfaces operating as expected?