va-scan Copyright 2002, Marchany
Securing Solaris – Using syslogs during an Intrusion
Randy Marchany
Introduction
Reference document: “Inspecting your Solaris system and network logs for evidence of intrusions”, www.cert.org/security-improvements/implementations/i003.html
– Inspect log files daily
– Document unusual entries you find
– Investigate each documented abnormality
  – Can it be explained by an authorized user?
  – Can it be explained by known system activity?
  – Can it be explained by known changes to programs?
– Report all confirmed evidence of intrusion to your sysadmin (Milko) or [email protected].
System Log Files
– Most log information is sent to /var/adm/messages.
– Mail.debug information is sent to /var/log/syslog or /var/adm/syslog.
– Auth.notice messages aren’t logged by default.
– Check /etc/syslog.conf for the exact locations of the system log files.
/var/adm/messages
– Records system console output and syslog messages.
– Look for unexpected system halts
  • Mar 31 12:48:31 <hostname> unix: halted by <user>
– Look for unexpected system boots
– Look for failed su and login commands
– Look for unexpected successful su commands
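As an added example (not part of Marchany's slides), a small POSIX shell/awk scanner that pulls exactly these entries out of a /var/adm/messages file. The sample log lines are constructed, and the su and login message formats are assumptions modelled on Solaris 8 syslog output; check them against your own hosts before relying on them.

```shell
#!/bin/sh
# Added example: flag the /var/adm/messages entries the slides say to look for.
# Assumption: su/login message formats follow Solaris 8 conventions.

# Constructed sample of /var/adm/messages lines; host and user names are made up.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar 31 12:48:31 solhost unix: halted by jdoe
Mar 31 12:50:02 solhost unix: SunOS Release 5.8 Version Generic_108528-13 64-bit
Mar 31 13:01:17 solhost su: [ID 810491 auth.crit] 'su root' failed for bsmith on /dev/pts/3
Mar 31 13:01:40 solhost su: [ID 366847 auth.notice] 'su root' succeeded for bsmith on /dev/pts/3
Mar 31 13:05:55 solhost login: [ID 221747 auth.crit] REPEATED LOGIN FAILURES ON /dev/pts/4 FROM badhost, guest
Mar 31 13:07:12 solhost sendmail[412]: [ID 702911 mail.info] started
EOF

# scan_messages FILE
# Prints one "TAG<TAB>original line" per entry worth investigating;
# everything else (e.g. routine sendmail chatter) is ignored.
scan_messages() {
    awk '
        /unix: halted by/            { print "HALT\t" $0; next }
        /unix: SunOS Release/        { print "BOOT\t" $0; next }
        /su: .*failed for/           { print "SU_FAIL\t" $0; next }
        /su: .*succeeded for/        { print "SU_OK\t" $0; next }
        /login: .*LOGIN FAILURES/    { print "LOGIN_FAIL\t" $0; next }
    ' "$1"
}

# count_tag FILE TAG -> number of flagged entries carrying that tag
count_tag() {
    scan_messages "$1" | awk -F'\t' -v t="$2" '$1 == t { n++ } END { print n+0 }'
}

# Run against the constructed sample; on a real host point it at /var/adm/messages.
scan_messages "$SAMPLE_LOG"
```

A successful `su root` (SU_OK) is not an error, which is why it gets its own tag: the slide's point is that it must be matched against who you expect to become root.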
/var/adm/pacct
– Records all commands run by users. Process accounting must be enabled before this file is generated.
– The lastcomm command will show the commands.
/var/adm/aculog
– Keeps track of dial-out modems
– Look for dial-out records or unauthorized use of dial-out modems
/var/log/syslog
– Contains the sendmail log entries for the system.
– TCP Wrapper and portsentry loggers write their entries to this file.
Process Analysis
Normal System Functions
– What processes do you expect to be running on this system?
System Users
– Is it normal for each of these users to be using the system at this time of day?
– From where are they accessing the system? Is this expected?
Executing Processes
– How was the process started? By what user?
– What is the current status of the process? Running, stopped, suspended, swapped out, exiting?
– Is it missing from the processes you expected to be active?
– What system settings are in effect for this process?
– What options or input arguments is the process executing? Are they valid?
– Are the system resources being used consistent with what you expect the process to be using?
– What is the relationship between the process and other processes running on the system? Is there a parent-child relationship?
Open Files
– What files are opened by the process?
– Is the process authorized to open these files?
– Any access to sensitive system files, e.g., password files?
– Any unauthorized attempts to open a file?
– Any file access errors?
– What files are imported or exported?
Network Connections
– Has the process opened any network connections to external sites?
– Have any connection failures been recorded?
– Have there been any unexpected connections?
– Are there any open network sockets that can’t be attributed to valid processes?
– In what mode is each socket open?
– Are all of the network interfaces operating as expected?